feat: add Authentik config for vaultwarden OAuth

Xavier Morel
2026-05-28 20:40:47 +02:00
parent 0ec109e39f
commit 7844849b1b
3 changed files with 102 additions and 0 deletions
@@ -8,6 +8,7 @@ let
cfg = config.my-lxc;
matrix = import ../config/_matrix_secrets.nix;
hass = import ../config/_ha_secrets.nix;
vw = import ../config/_vw_secrets.nix;
in
{
authentik_provider_proxy = lib.filterAttrs (_: v: v != { }) (
@@ -44,7 +45,13 @@ in
slug = "matrix";
protocol_provider = "\${resource.authentik_provider_oauth2.matrix.id}";
};
vaultwarden = {
name = "vaultwarden";
slug = "vaultwarden";
protocol_provider = "\${resource.authentik_provider_oauth2.vaultwarden.id}";
};
};
authentik_outpost_provider_attachment =
lib.filterAttrs (_: v: v != { }) (
lib.mapAttrs (
@@ -64,8 +71,25 @@ in
outpost = "\${data.authentik_outpost.embedded.id}";
protocol_provider = "\${authentik_provider_oauth2.matrix.id}";
};
vaultwarden = {
outpost = "\${data.authentik_outpost.embedded.id}";
protocol_provider = "\${authentik_provider_oauth2.vaultwarden.id}";
};
};
authentik_property_mapping_provider_scope = {
vaultwarden_email = {
name = "vaultwarden_email";
scope_name = "email";
expression = ''
return {
"email": request.user.email,
"email_verified": True
}
'';
};
};
authentik_provider_oauth2 = {
home_assistant = {
name = "home_assistant";
@@ -107,5 +131,69 @@ in
}
];
};
vaultwarden = {
name = "vaultwarden";
authorization_flow = "\${data.authentik_flow.default-authorization-flow.id}";
invalidation_flow = "\${data.authentik_flow.default-invalidation-flow.id}";
client_id = vw.oidc_client_id;
client_secret = vw.oidc_secret_id;
property_mappings = [
"\${data.authentik_property_mapping_provider_scope.openid_openid.id}"
"\${data.authentik_property_mapping_provider_scope.openid_profile.id}"
"\${data.authentik_property_mapping_provider_scope.openid_offline_access.id}"
"\${authentik_property_mapping_provider_scope.vaultwarden_email.id}"
];
signing_key = "\${data.authentik_certificate_key_pair.generated.id}";
allowed_redirect_uris = [
{
matching_mode = "strict";
url = "https://vault.plg.m0rel.eu/identity/connect/oidc-signin";
}
];
};
};
authentik_group = {
admins = {
name = "Admin";
is_superuser = true;
};
users = {
name = "Utilisateur";
};
visitors = {
name = "Visiteur";
};
};
authentik_user = {
yoru = {
username = "yoru";
name = "Xavier";
email = "morelx42@protonmail.com";
groups = [
"\${authentik_group.admins.id}"
"\${authentik_group.users.id}"
];
};
shauni = {
username = "shauni";
name = "Laetitia";
email = "laetitia.laversin@gmail.com";
groups = [
"\${authentik_group.admins.id}"
"\${authentik_group.users.id}"
];
};
lily = {
username = "lily";
name = "Lily";
groups = [
"\${authentik_group.users.id}"
];
};
};
}
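Review bot: The `vaultwarden_email` scope mapping returns `"email_verified": True` for every user, so the claim no longer reflects whether Authentik ever verified the address. If Vaultwarden associates SSO logins with existing accounts by email, a user able to edit their own email in Authentik could present someone else's address as verified; `lily`, declared in this same section without an `email`, would get an empty address marked verified. Either keep email changes admin-only and record that next to the mapping, e.g. `# email_verified is asserted unconditionally: emails are admin-managed, self-service email change must stay disabled`, or at minimum compute the flag with `"email_verified": bool(request.user.email)`. Separately, `client_secret = vw.oidc_secret_id` comes from a plain Nix `import`, which presumably puts the secret into the evaluated configuration and the Terraform state, so those outputs need the same protection as the secrets file itself.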