From d4018d9df07b9c92dcf8c1e04600bde80b80f379 Mon Sep 17 00:00:00 2001
From: Xavier Morel
Date: Thu, 28 May 2026 21:31:17 +0200
Subject: [PATCH] feat: add authentik config for gitea
---
 config/_git_secrets.nix | 1 +
 modules/containers-terraform-authentik.nix | 76 ++++++++++++++++++++++
 2 files changed, 77 insertions(+)
 create mode 120000 config/_git_secrets.nix
diff --git a/config/_git_secrets.nix b/config/_git_secrets.nix
new file mode 120000
index 0000000..e5f2df3
--- /dev/null
+++ b/config/_git_secrets.nix
@@ -0,0 +1 @@
+/home/xmorel/homelab-private/_git_secrets.nix
\ No newline at end of file
diff --git a/modules/containers-terraform-authentik.nix b/modules/containers-terraform-authentik.nix
index 80adaae..0b5989c 100644
--- a/modules/containers-terraform-authentik.nix
+++ b/modules/containers-terraform-authentik.nix
@@ -9,6 +9,7 @@ let
 matrix = import ../config/_matrix_secrets.nix;
 hass = import ../config/_ha_secrets.nix;
 vw = import ../config/_vw_secrets.nix;
+ git = import ../config/_git_secrets.nix;
 in {
 authentik_provider_proxy = lib.filterAttrs (_: v: v != { }) (
@@ -50,7 +51,35 @@ in
 slug = "vaultwarden";
 protocol_provider = "\${resource.authentik_provider_oauth2.vaultwarden.id}";
 };
+ gitea = {
+ name = "gitea";
+ slug = "gitea";
+ protocol_provider = "\${resource.authentik_provider_oauth2.gitea.id}";
+ };
 };
+ authentik_application_entitlement = {
+
+ gitadmin = {
+ name = "gitadmin";
+ application = "\${authentik_application.gitea.uuid}";
+ };
+ gituser = {
+ name = "gituser";
+ application = "\${authentik_application.gitea.uuid}";
+ };
+ gitrestricted = {
+ name = "gitrestricted";
+ application = "\${authentik_application.gitea.uuid}";
+ };
+ };
+
+ authentik_policy_binding = {
+ gitadmin_admin = {
+ target = "\${authentik_application_entitlement.gitadmin.id}";
+ group = "\${authentik_group.admins.id}";
+ order = 0;
+ };
+ };
 authentik_outpost_provider_attachment = lib.filterAttrs (_: v: v != { }) (
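Review bot: The new `config/_git_secrets.nix` is a symlink (mode 120000) to an absolute path under `/home/xmorel`, so the `git = import ../config/_git_secrets.nix;` added in the first hunk of `modules/containers-terraform-authentik.nix` only resolves on a machine with that private checkout; under a flake or any other sandboxed evaluation the repository is copied to the store with the link dangling and evaluation likely fails there. If the sibling `_matrix_secrets.nix`, `_ha_secrets.nix` and `_vw_secrets.nix` imports are wired the same way this is at least consistent, but the hunk does not show that. A one-line comment next to the new import, `# symlink into the private homelab checkout; evaluation fails when it is absent`, would turn the resulting "file not found" into an expected condition rather than a puzzle.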
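Review bot: Only `gitadmin` receives a policy binding in the new `authentik_policy_binding` set; `gituser` and `gitrestricted` are declared as entitlements but bound to no group, so as written nobody holds them and every non-admin authorized for the application reaches Gitea with an empty entitlement set. Whether Gitea then provisions an ordinary account or refuses the login is decided on the Gitea side, which this commit does not show, so either add a binding such as `gituser_users = { target = "\${authentik_application_entitlement.gituser.id}"; group = "\${authentik_group.USERS_GROUP.id}"; order = 0; };` (USERS_GROUP being a placeholder for the real group) or state in a comment that the remaining two entitlements are assigned by hand. `authentik_application_entitlement` and `authentik_policy_binding` are also introduced here as new top-level attributes; if either name is already defined elsewhere in this attribute set, outside the hunk, Nix rejects the duplicate. The stray blank line directly after `authentik_application_entitlement = {` can go, and the enclosing `authentik_application` set opens outside the hunk.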
@@ -75,6 +104,10 @@ in
 outpost = "\${data.authentik_outpost.embedded.id}";
 protocol_provider = "\${authentik_provider_oauth2.vaultwarden.id}";
 };
+ gitea = {
+ outpost = "\${data.authentik_outpost.embedded.id}";
+ protocol_provider = "\${authentik_provider_oauth2.gitea.id}";
+ };
 };
 authentik_property_mapping_provider_scope = {
@@ -88,6 +121,26 @@ in
 }
 '';
 };
+ gitea_entitlements = {
+ name = "gitea_entitlements";
+ scope_name = "gitea";
+ expression = ''
+ entitlement_names = {
+ entitlement.name
+ for entitlement in request.user.app_entitlements(provider.application)
+ }
+ gitea_claims = {}
+
+ if "gituser" in entitlement_names:
+ gitea_claims["gitea"] = "user"
+ if "gitadmin" in entitlement_names:
+ gitea_claims["gitea"] = "admin"
+ if "gitrestricted" in entitlement_names:
+ gitea_claims["gitea"] = "restricted"
+
+ return gitea_claims
+ '';
+ };
 };
 authentik_provider_oauth2 = {
@@ -154,6 +207,29 @@ in
 }
 ];
 };
+ gitea = {
+ name = "gitea";
+ authorization_flow = "\${data.authentik_flow.default-authorization-flow.id}";
+ invalidation_flow = "\${data.authentik_flow.default-invalidation-flow.id}";
+ client_id = git.oidc_client_id;
+ client_secret = git.oidc_client_secret;
+
+ property_mappings = [
+ "\${data.authentik_property_mapping_provider_scope.openid_openid.id}"
+ "\${data.authentik_property_mapping_provider_scope.openid_profile.id}"
+ "\${data.authentik_property_mapping_provider_scope.openid_offline_access.id}"
+ "\${authentik_property_mapping_provider_scope.gitea_entitlements.id}"
+ ];
+
+ signing_key = "\${data.authentik_certificate_key_pair.generated.id}";
+
+ allowed_redirect_uris = [
+ {
+ matching_mode = "strict";
+ url = "https://git.plg.m0rel.eu/user/oauth2/authentik/callback";
+ }
+ ];
+ };
 };
 authentik_group = {
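Review bot: The three `if` statements in the `gitea_entitlements` expression each overwrite `gitea_claims["gitea"]`, so a user holding several entitlements ends up with the last match, giving an effective precedence of restricted over admin over user that is visible only from statement order. If that is the intent (restricted wins, which is the safe direction), say so with `# later assignments win: restricted overrides admin overrides user` above the first `if`; if not, an `if`/`elif` chain in the intended priority order makes it explicit. As I read authentik's scope mappings, the claim is only emitted when the client requests the `gitea` scope named by `scope_name = "gitea"`, so the Gitea-side OAuth2 source must ask for that scope, which is outside this commit. The enclosing `authentik_property_mapping_provider_scope` set opens before this hunk.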
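Review bot: `property_mappings` on the new `gitea` provider lists the openid, profile and offline_access scope mappings plus `gitea_entitlements`, but no mapping for the `email` scope, so unless Gitea obtains the address some other way the tokens carry no email claim and account provisioning on first login will presumably stall on a missing email; if auto-provisioning is expected, add the file's email scope mapping here following the `openid_*` data-source naming already used in the list. `openid_offline_access` in turn lets this client obtain refresh tokens, as I understand authentik's scope handling; if Gitea does not use them, dropping that entry limits what a leaked token can do. The `allowed_redirect_uris` entry with `matching_mode = "strict"` and one concrete callback URL is the right shape. The enclosing `authentik_provider_oauth2` set opens before this hunk.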