feat: add Authentik config for vaultwarden OAuth
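--- /dev/null
+++ b/<SYMLINK PATH NOT SHOWN ON PAGE>
@@ -0,0 +1 @@
+/home/xmorel/homelab-private/_vw_secrets.nix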
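Review bot: The symlink target is an absolute path inside one user's home directory, so the tree only evaluates on that host and account, and `import ./_vw_secrets.nix` / `import ../config/_vw_secrets.nix` in the other two files of this commit fail everywhere else. If the checkout is ever evaluated as a flake or with pure evaluation, a target outside the source tree is not readable at all (inferred from the path, not checkable here). Keeping the secret file out of git is the right instinct, but sourcing the two values through the `config.my-lxc.vault` option path that already supplies `db_password` would keep the repository self-contained; either way the file's expected exports (`oidc_client_id`, `oidc_secret_id`) deserve a line in the repository docs.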
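--- a/<PATH NOT SHOWN ON PAGE (2nd file)>
+++ b/<PATH NOT SHOWN ON PAGE (2nd file)>
@@ -9,6 +9,8 @@ let
 hostname = tools.build_hostname container;
 db_host = tools.build_ip "db";
 db_password = config.my-lxc.vault.db.password;
+oidc = import ./_vw_secrets.nix;
+auth_host = tools.build_hostname "auth";
 in
 {
 services.vaultwarden = {
@@ -23,6 +25,17 @@ in
 WEB_VAULT_ENABLED = true;
 INVITATIONS_ENABLED = true;
 ORG_CREATION_USERS = config.globals.master.email;
+
+SSO_ENABLED = true;
+SSO_AUTH_ONLY_NOT_SESSION = true;
+SSO_AUTHORITY = "https://${auth_host}/application/o/vaultwarden/";
+SSO_CLIENT_ID = oidc.oidc_client_id;
+SSO_CLIENT_SECRET = oidc.oidc_secret_id;
+SSO_SCOPES = "openid profile email offline_access";
+SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION = false;
+SSO_CLIENT_CACHE_EXPIRATION = 0;
+SSO_ONLY = false; # Set to true to disable email and master password login and require SSO
+SSO_SIGNUPS_MATCH_EMAIL = true; # Match first SSO login to an existing account by email
 };
 dbBackend = "postgresql";
 };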
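Review bot: `SSO_CLIENT_SECRET = oidc.oidc_secret_id;` places the OAuth client secret among the plain `services.vaultwarden` config keys; if this is the NixOS module, everything in that set is rendered into an environment file in the world-readable Nix store, and the module provides `services.vaultwarden.environmentFile` precisely so secrets can come from a root-only file outside the store. Drop the key from this set and put `SSO_CLIENT_SECRET=…` in the file referenced by `environmentFile` instead. The attribute set these keys live in opens before the hunk, so I cannot see whether an `environmentFile` is already configured. The pairing of `SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION = false;` with `SSO_SIGNUPS_MATCH_EMAIL = true;` is the safe combination for email-based account linking and deserves a comment saying so, since the first one is the setting a future reader will be tempted to flip when a login is rejected.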
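--- a/<PATH NOT SHOWN ON PAGE (3rd file)>
+++ b/<PATH NOT SHOWN ON PAGE (3rd file)>
@@ -8,6 +8,7 @@ let
 cfg = config.my-lxc;
 matrix = import ../config/_matrix_secrets.nix;
 hass = import ../config/_ha_secrets.nix;
+vw = import ../config/_vw_secrets.nix;
 in
 {
 authentik_provider_proxy = lib.filterAttrs (_: v: v != { }) (
@@ -44,7 +45,13 @@ in
 slug = "matrix";
 protocol_provider = "\${resource.authentik_provider_oauth2.matrix.id}";
 };
+vaultwarden = {
+name = "vaultwarden";
+slug = "vaultwarden";
+protocol_provider = "\${resource.authentik_provider_oauth2.vaultwarden.id}";
 };
+};
+
 authentik_outpost_provider_attachment =
 lib.filterAttrs (_: v: v != { }) (
 lib.mapAttrs (
@@ -64,6 +71,23 @@ in
 outpost = "\${data.authentik_outpost.embedded.id}";
 protocol_provider = "\${authentik_provider_oauth2.matrix.id}";
 };
+vaultwarden = {
+outpost = "\${data.authentik_outpost.embedded.id}";
+protocol_provider = "\${authentik_provider_oauth2.vaultwarden.id}";
+};
+};
+
+authentik_property_mapping_provider_scope = {
+vaultwarden_email = {
+name = "vaultwarden_email";
+scope_name = "email";
+expression = ''
+return {
+"email": request.user.email,
+"email_verified": True
+}
+'';
+};
 };
 
 authentik_provider_oauth2 = {
@@ -107,5 +131,69 @@ in
 }
 ];
 };
+vaultwarden = {
+name = "vaultwarden";
+authorization_flow = "\${data.authentik_flow.default-authorization-flow.id}";
+invalidation_flow = "\${data.authentik_flow.default-invalidation-flow.id}";
+client_id = vw.oidc_client_id;
+client_secret = vw.oidc_secret_id;
+
+property_mappings = [
+"\${data.authentik_property_mapping_provider_scope.openid_openid.id}"
+"\${data.authentik_property_mapping_provider_scope.openid_profile.id}"
+"\${data.authentik_property_mapping_provider_scope.openid_offline_access.id}"
+"\${authentik_property_mapping_provider_scope.vaultwarden_email.id}"
+];
+
+signing_key = "\${data.authentik_certificate_key_pair.generated.id}";
+
+allowed_redirect_uris = [
+{
+matching_mode = "strict";
+url = "https://vault.plg.m0rel.eu/identity/connect/oidc-signin";
+}
+];
+};
+};
+
+authentik_group = {
+admins = {
+name = "Admin";
+is_superuser = true;
+};
+users = {
+name = "Utilisateur";
+};
+visitors = {
+name = "Visiteur";
+};
+};
+
+authentik_user = {
+yoru = {
+username = "yoru";
+name = "Xavier";
+email = "morelx42@protonmail.com";
+groups = [
+"\${authentik_group.admins.id}"
+"\${authentik_group.users.id}"
+];
+};
+shauni = {
+username = "shauni";
+name = "Laetitia";
+email = "laetitia.laversin@gmail.com";
+groups = [
+"\${authentik_group.admins.id}"
+"\${authentik_group.users.id}"
+];
+};
+lily = {
+username = "lily";
+name = "Lily";
+groups = [
+"\${authentik_group.users.id}"
+];
+};
 };
 }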
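Review bot: The `vaultwarden_email` scope mapping in the third hunk returns `"email_verified": True` unconditionally, regardless of the user's actual verification state in Authentik; together with `SSO_SIGNUPS_MATCH_EMAIL = true` on the Vaultwarden side of this commit, that claim is what lets a first SSO login be attached to an existing local account by email address. Today every account is declared in `authentik_user` in the last hunk, so the addresses are operator-controlled, but the mapping silently becomes the weakest link if a self-enrollment flow or an external user source is ever wired in. Add a comment on the mapping such as `# email_verified is asserted for every user: addresses are provisioned declaratively below, so revisit this before adding any enrollment flow`. Separately, `client_secret = vw.oidc_secret_id;` in the last hunk lands the same secret in the generated provider definition and, presumably, in the Terraform state it is applied from — worth a note on where that state lives and who can read it.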