feat: add Authentik config for vaultwarden OAuth

Xavier Morel
2026-05-28 20:40:47 +02:00
parent 0ec109e39f
commit 7844849b1b
3 changed files with 102 additions and 0 deletions
+1
@@ -0,0 +1 @@
/home/xmorel/homelab-private/_vw_secrets.nix
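Review bot: The new file is a symlink whose target is the absolute path `/home/xmorel/homelab-private/_vw_secrets.nix`, so `import ./_vw_secrets.nix` in the vaultwarden module and `import ../config/_vw_secrets.nix` in the authentik file only evaluate on a machine where that home directory and checkout exist; anywhere else the symlink dangles and evaluation fails with no hint of what is expected there. If the repository is evaluated as a flake the link presumably also cannot be followed out of the copied source tree, which would make this fail even on the author's host. A relative symlink, or a short note in the repository documenting that `_vw_secrets.nix` must be provided out of band (for example: `# _vw_secrets.nix: attrset with oidc_client_id and oidc_secret_id, kept in the private repo`), would make the dependency explicit.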
+13
@@ -9,6 +9,8 @@ let
hostname = tools.build_hostname container; hostname = tools.build_hostname container;
db_host = tools.build_ip "db"; db_host = tools.build_ip "db";
db_password = config.my-lxc.vault.db.password; db_password = config.my-lxc.vault.db.password;
oidc = import ./_vw_secrets.nix;
auth_host = tools.build_hostname "auth";
in in
{ {
services.vaultwarden = { services.vaultwarden = {
@@ -23,6 +25,17 @@ in
WEB_VAULT_ENABLED = true; WEB_VAULT_ENABLED = true;
INVITATIONS_ENABLED = true; INVITATIONS_ENABLED = true;
ORG_CREATION_USERS = config.globals.master.email; ORG_CREATION_USERS = config.globals.master.email;
SSO_ENABLED = true;
SSO_AUTH_ONLY_NOT_SESSION = true;
SSO_AUTHORITY = "https://${auth_host}/application/o/vaultwarden/";
SSO_CLIENT_ID = oidc.oidc_client_id;
SSO_CLIENT_SECRET = oidc.oidc_secret_id;
SSO_SCOPES = "openid profile email offline_access";
SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION = false;
SSO_CLIENT_CACHE_EXPIRATION = 0;
SSO_ONLY = false; # Set to true to disable email and master password login and require SSO
SSO_SIGNUPS_MATCH_EMAIL = true; # Match first SSO login to an existing account by email
}; };
dbBackend = "postgresql"; dbBackend = "postgresql";
}; };
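Review bot: `SSO_CLIENT_SECRET = oidc.oidc_secret_id;` puts the OAuth client secret into `services.vaultwarden.config`, which the NixOS module renders into an environment file in the world-readable Nix store, so keeping `_vw_secrets.nix` out of git does not keep the secret off the host (the pre-existing `db_password` line has the same exposure). The module's `services.vaultwarden.environmentFile` option is the usual way to supply `SSO_CLIENT_SECRET` from a root-only file at runtime while leaving the non-secret settings here. Separately, the attribute name `oidc_secret_id` reads like an identifier rather than a secret; `oidc_client_secret` would mirror `oidc_client_id` and the variable it feeds. The enclosing `services.vaultwarden` attrset starts before this hunk.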
@@ -8,6 +8,7 @@ let
cfg = config.my-lxc; cfg = config.my-lxc;
matrix = import ../config/_matrix_secrets.nix; matrix = import ../config/_matrix_secrets.nix;
hass = import ../config/_ha_secrets.nix; hass = import ../config/_ha_secrets.nix;
vw = import ../config/_vw_secrets.nix;
in in
{ {
authentik_provider_proxy = lib.filterAttrs (_: v: v != { }) ( authentik_provider_proxy = lib.filterAttrs (_: v: v != { }) (
@@ -44,7 +45,13 @@ in
slug = "matrix"; slug = "matrix";
protocol_provider = "\${resource.authentik_provider_oauth2.matrix.id}"; protocol_provider = "\${resource.authentik_provider_oauth2.matrix.id}";
}; };
vaultwarden = {
name = "vaultwarden";
slug = "vaultwarden";
protocol_provider = "\${resource.authentik_provider_oauth2.vaultwarden.id}";
}; };
};
authentik_outpost_provider_attachment = authentik_outpost_provider_attachment =
lib.filterAttrs (_: v: v != { }) ( lib.filterAttrs (_: v: v != { }) (
lib.mapAttrs ( lib.mapAttrs (
@@ -64,6 +71,23 @@ in
outpost = "\${data.authentik_outpost.embedded.id}"; outpost = "\${data.authentik_outpost.embedded.id}";
protocol_provider = "\${authentik_provider_oauth2.matrix.id}"; protocol_provider = "\${authentik_provider_oauth2.matrix.id}";
}; };
vaultwarden = {
outpost = "\${data.authentik_outpost.embedded.id}";
protocol_provider = "\${authentik_provider_oauth2.vaultwarden.id}";
};
};
authentik_property_mapping_provider_scope = {
vaultwarden_email = {
name = "vaultwarden_email";
scope_name = "email";
expression = ''
return {
"email": request.user.email,
"email_verified": True
}
'';
};
}; };
authentik_provider_oauth2 = { authentik_provider_oauth2 = {
@@ -107,5 +131,69 @@ in
} }
]; ];
}; };
vaultwarden = {
name = "vaultwarden";
authorization_flow = "\${data.authentik_flow.default-authorization-flow.id}";
invalidation_flow = "\${data.authentik_flow.default-invalidation-flow.id}";
client_id = vw.oidc_client_id;
client_secret = vw.oidc_secret_id;
property_mappings = [
"\${data.authentik_property_mapping_provider_scope.openid_openid.id}"
"\${data.authentik_property_mapping_provider_scope.openid_profile.id}"
"\${data.authentik_property_mapping_provider_scope.openid_offline_access.id}"
"\${authentik_property_mapping_provider_scope.vaultwarden_email.id}"
];
signing_key = "\${data.authentik_certificate_key_pair.generated.id}";
allowed_redirect_uris = [
{
matching_mode = "strict";
url = "https://vault.plg.m0rel.eu/identity/connect/oidc-signin";
}
];
};
};
authentik_group = {
admins = {
name = "Admin";
is_superuser = true;
};
users = {
name = "Utilisateur";
};
visitors = {
name = "Visiteur";
};
};
authentik_user = {
yoru = {
username = "yoru";
name = "Xavier";
email = "morelx42@protonmail.com";
groups = [
"\${authentik_group.admins.id}"
"\${authentik_group.users.id}"
];
};
shauni = {
username = "shauni";
name = "Laetitia";
email = "laetitia.laversin@gmail.com";
groups = [
"\${authentik_group.admins.id}"
"\${authentik_group.users.id}"
];
};
lily = {
username = "lily";
name = "Lily";
groups = [
"\${authentik_group.users.id}"
];
};
}; };
} }
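Review bot: The `vaultwarden_email` scope mapping asserts `"email_verified": True` for every user regardless of whether Authentik has verified the address, and with `SSO_SIGNUPS_MATCH_EMAIL = true` in the vaultwarden module that claim is what links a first SSO login to an existing vault account by email. Since users are created here by this same config that is probably acceptable, but the assumption should be stated in the expression, e.g. `# email_verified is asserted unconditionally; vaultwarden links SSO logins to existing accounts by this email`. The redirect URI `https://vault.plg.m0rel.eu/identity/connect/oidc-signin` is hard-coded while the vaultwarden side derives its hostname via `tools.build_hostname`, so the two can drift silently; deriving the host the same way (if that helper is reachable here) or a comment tying the two together would help. The `authentik_provider_oauth2` attrset and the surrounding module begin before this hunk.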