From 9ae79092fbfdee4e5f5236c99d0d4531ddac7138 Mon Sep 17 00:00:00 2001
From: Xavier Morel
Date: Mon, 1 Jun 2026 14:13:30 +0200
Subject: [PATCH] feat: add authentik config for nas

---
 config/_nas_secrets.nix | 1 +
 modules/containers-terraform-authentik.nix | 33 ++++++++++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 120000 config/_nas_secrets.nix

diff --git a/config/_nas_secrets.nix b/config/_nas_secrets.nix
new file mode 120000
index 0000000..b2dee16
--- /dev/null
+++ b/config/_nas_secrets.nix
@@ -0,0 +1 @@
+/home/xmorel/homelab-private/_nas_secrets.nix
\ No newline at end of file
diff --git a/modules/containers-terraform-authentik.nix b/modules/containers-terraform-authentik.nix
index 0b5989c..823845e 100644
--- a/modules/containers-terraform-authentik.nix
+++ b/modules/containers-terraform-authentik.nix
@@ -10,6 +10,7 @@ let
 hass = import ../config/_ha_secrets.nix;
 vw = import ../config/_vw_secrets.nix;
 git = import ../config/_git_secrets.nix;
+ nas = import ../config/_nas_secrets.nix;
 in
 {
 authentik_provider_proxy = lib.filterAttrs (_: v: v != { }) (
@@ -56,6 +57,11 @@ in
 slug = "gitea";
 protocol_provider = "\${resource.authentik_provider_oauth2.gitea.id}";
 };
+ nas = {
+ name = "nas";
+ slug = "nas";
+ protocol_provider = "\${resource.authentik_provider_oauth2.nas.id}";
+ };
 };
 
 authentik_application_entitlement = {
@@ -108,6 +114,10 @@ in
 outpost = "\${data.authentik_outpost.embedded.id}";
 protocol_provider = "\${authentik_provider_oauth2.gitea.id}";
 };
+ nas = {
+ outpost = "\${data.authentik_outpost.embedded.id}";
+ protocol_provider = "\${authentik_provider_oauth2.nas.id}";
+ };
 };
 
 authentik_property_mapping_provider_scope = {
@@ -183,6 +193,7 @@ in
 url = "https://matrix.plg.m0rel.eu/_synapse/client/oidc/callback";
 }
 ];
+ signing_key = "\${data.authentik_certificate_key_pair.generated.id}";
 };
 vaultwarden = {
 name = "vaultwarden";
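Review bot: `config/_nas_secrets.nix` is committed as a symlink to the absolute path `/home/xmorel/homelab-private/_nas_secrets.nix`, so the `import` added in the following hunk only resolves on one machine under one user account; on any other checkout, and I believe in a restricted or pure Nix evaluation that rejects paths outside the source tree, evaluation fails at that import. A relative symlink into a sibling checkout, or whatever mechanism the existing `_ha_secrets.nix`/`_vw_secrets.nix`/`_git_secrets.nix` imports rely on, would be more portable. Whatever the convention is, a one-line comment next to the import, `# symlink into the private homelab checkout; must define oidc_client_id and oidc_client_secret`, would let someone else recreate the file from scratch.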
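Review bot: The `signing_key` added to the existing provider above `vaultwarden` (the one whose redirect is `_synapse/client/oidc/callback`) changes an already-deployed client and is unrelated to the nas work the commit title describes. As far as I recall from the authentik docs, setting a signing key on an OAuth2 provider switches the ID token from being HMAC-signed with the client secret to being signed with that certificate, so the relying party must accept the new algorithm and be able to fetch the JWKS; I would confirm the Synapse side before applying. Either split this into its own commit or mention it in the message. The enclosing provider definition starts outside the hunk.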
@@ -230,6 +241,28 @@ in
 }
 ];
 };
+ nas = {
+ name = "nas";
+ authorization_flow = "\${data.authentik_flow.default-authorization-flow.id}";
+ invalidation_flow = "\${data.authentik_flow.default-invalidation-flow.id}";
+ client_id = nas.oidc_client_id;
+ client_secret = nas.oidc_client_secret;
+
+ property_mappings = [
+ "\${data.authentik_property_mapping_provider_scope.openid_openid.id}"
+ "\${data.authentik_property_mapping_provider_scope.openid_profile.id}"
+ "\${data.authentik_property_mapping_provider_scope.openid_email.id}"
+ ];
+
+ signing_key = "\${data.authentik_certificate_key_pair.generated.id}";
+
+ allowed_redirect_uris = [
+ {
+ matching_mode = "strict";
+ url = "https://nas.plg.m0rel.eu/";
+ }
+ ];
+ };
 };
 
 authentik_group = {
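Review bot: `client_secret = nas.oidc_client_secret;` pulls the OIDC client secret into the evaluated module, and if this attrset is rendered to a Terraform config file that lands in the Nix store (the module name suggests terranix), the secret ends up world-readable under `/nix/store` on the deploying host, on top of living in Terraform state. If that is the case, consider supplying it at apply time through a Terraform variable read from outside the store rather than baking it into the rendered config. `allowed_redirect_uris` uses `matching_mode = "strict"` against the bare site root `https://nas.plg.m0rel.eu/`; strict is the right mode, but it only matches that exact URL, so confirm it is literally the NAS's callback URL (the matrix provider above needs a `/_synapse/client/oidc/callback` path, for comparison) instead of loosening the mode if login fails. The `authentik_provider_oauth2` map this hunk extends starts outside the hunk.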