feat: add Authentik config for vaultwarden OAuth

This commit is contained in:
Xavier Morel
2026-05-28 20:40:47 +02:00
parent 0ec109e39f
commit 7844849b1b
3 changed files with 102 additions and 0 deletions
+13
@@ -9,6 +9,8 @@ let
hostname = tools.build_hostname container;
db_host = tools.build_ip "db";
db_password = config.my-lxc.vault.db.password;
oidc = import ./_vw_secrets.nix;
auth_host = tools.build_hostname "auth";
in
{
services.vaultwarden = {
@@ -23,6 +25,17 @@ in
WEB_VAULT_ENABLED = true;
INVITATIONS_ENABLED = true;
ORG_CREATION_USERS = config.globals.master.email;
SSO_ENABLED = true;
SSO_AUTH_ONLY_NOT_SESSION = true;
SSO_AUTHORITY = "https://${auth_host}/application/o/vaultwarden/";
SSO_CLIENT_ID = oidc.oidc_client_id;
SSO_CLIENT_SECRET = oidc.oidc_secret_id;
SSO_SCOPES = "openid profile email offline_access";
SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION = false;
SSO_CLIENT_CACHE_EXPIRATION = 0;
SSO_ONLY = false; # Set to true to disable email and master password login and require SSO
SSO_SIGNUPS_MATCH_EMAIL = true; # Match first SSO login to an existing account by email
};
dbBackend = "postgresql";
};
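Review bot: `SSO_CLIENT_SECRET = oidc.oidc_secret_id;` places the OAuth client secret inside `services.vaultwarden.config`, and the NixOS module renders that attrset into an environment file in the Nix store, so the secret ends up world-readable on the host. The module's `environmentFile` option exists for exactly this: remove the line from `config` and set `services.vaultwarden.environmentFile = "<root-owned path outside the store>";` with `SSO_CLIENT_SECRET=<client secret>` in that file (both values are placeholders here). If `_vw_secrets.nix` is one of the three files changed by this commit, the secret is now also committed to git history and should be rotated after it is moved. On naming, `oidc_secret_id` reads like an identifier rather than the client secret itself; `oidc_client_secret` would pair with `oidc_client_id` on the line above.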