feat: add authentik config for gitea
Symlink
+1
@@ -0,0 +1 @@
|
|||||||
|
/home/xmorel/homelab-private/_git_secrets.nix
|
||||||
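Review bot: The new symlink target on this hunk's only line is an absolute path under one user's home directory, `/home/xmorel/homelab-private/_git_secrets.nix`, so the `import ../config/_git_secrets.nix` added in the other file of this commit only evaluates on that single host; on any other checkout the import fails with a missing file, and on a host where someone else controls that path it would evaluate whatever Nix expression they place there. Keeping the secret file out of the repository is the right instinct, but a host-specific symlink bakes in both the machine and the username. A more portable arrangement is to resolve the secrets through a relative symlink into a sibling checkout, or better to load them from a sops/agenix-managed file or from the environment at apply time rather than `import`ing them as a Nix attribute set. I am inferring the symlink's own name from the import on the other side of this commit; the filename is not shown on this page.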
@@ -9,6 +9,7 @@ let
|
|||||||
matrix = import ../config/_matrix_secrets.nix;
|
matrix = import ../config/_matrix_secrets.nix;
|
||||||
hass = import ../config/_ha_secrets.nix;
|
hass = import ../config/_ha_secrets.nix;
|
||||||
vw = import ../config/_vw_secrets.nix;
|
vw = import ../config/_vw_secrets.nix;
|
||||||
|
git = import ../config/_git_secrets.nix;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
authentik_provider_proxy = lib.filterAttrs (_: v: v != { }) (
|
authentik_provider_proxy = lib.filterAttrs (_: v: v != { }) (
|
||||||
@@ -50,7 +51,35 @@ in
|
|||||||
slug = "vaultwarden";
|
slug = "vaultwarden";
|
||||||
protocol_provider = "\${resource.authentik_provider_oauth2.vaultwarden.id}";
|
protocol_provider = "\${resource.authentik_provider_oauth2.vaultwarden.id}";
|
||||||
};
|
};
|
||||||
|
gitea = {
|
||||||
|
name = "gitea";
|
||||||
|
slug = "gitea";
|
||||||
|
protocol_provider = "\${resource.authentik_provider_oauth2.gitea.id}";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
authentik_application_entitlement = {
|
||||||
|
|
||||||
|
gitadmin = {
|
||||||
|
name = "gitadmin";
|
||||||
|
application = "\${authentik_application.gitea.uuid}";
|
||||||
|
};
|
||||||
|
gituser = {
|
||||||
|
name = "gituser";
|
||||||
|
application = "\${authentik_application.gitea.uuid}";
|
||||||
|
};
|
||||||
|
gitrestricted = {
|
||||||
|
name = "gitrestricted";
|
||||||
|
application = "\${authentik_application.gitea.uuid}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
authentik_policy_binding = {
|
||||||
|
gitadmin_admin = {
|
||||||
|
target = "\${authentik_application_entitlement.gitadmin.id}";
|
||||||
|
group = "\${authentik_group.admins.id}";
|
||||||
|
order = 0;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
authentik_outpost_provider_attachment =
|
authentik_outpost_provider_attachment =
|
||||||
lib.filterAttrs (_: v: v != { }) (
|
lib.filterAttrs (_: v: v != { }) (
|
||||||
@@ -75,6 +104,10 @@ in
|
|||||||
outpost = "\${data.authentik_outpost.embedded.id}";
|
outpost = "\${data.authentik_outpost.embedded.id}";
|
||||||
protocol_provider = "\${authentik_provider_oauth2.vaultwarden.id}";
|
protocol_provider = "\${authentik_provider_oauth2.vaultwarden.id}";
|
||||||
};
|
};
|
||||||
|
gitea = {
|
||||||
|
outpost = "\${data.authentik_outpost.embedded.id}";
|
||||||
|
protocol_provider = "\${authentik_provider_oauth2.gitea.id}";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
authentik_property_mapping_provider_scope = {
|
authentik_property_mapping_provider_scope = {
|
||||||
@@ -88,6 +121,26 @@ in
|
|||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
gitea_entitlements = {
|
||||||
|
name = "gitea_entitlements";
|
||||||
|
scope_name = "gitea";
|
||||||
|
expression = ''
|
||||||
|
entitlement_names = {
|
||||||
|
entitlement.name
|
||||||
|
for entitlement in request.user.app_entitlements(provider.application)
|
||||||
|
}
|
||||||
|
gitea_claims = {}
|
||||||
|
|
||||||
|
if "gituser" in entitlement_names:
|
||||||
|
gitea_claims["gitea"] = "user"
|
||||||
|
if "gitadmin" in entitlement_names:
|
||||||
|
gitea_claims["gitea"] = "admin"
|
||||||
|
if "gitrestricted" in entitlement_names:
|
||||||
|
gitea_claims["gitea"] = "restricted"
|
||||||
|
|
||||||
|
return gitea_claims
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
authentik_provider_oauth2 = {
|
authentik_provider_oauth2 = {
|
||||||
@@ -154,6 +207,29 @@ in
|
|||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
gitea = {
|
||||||
|
name = "gitea";
|
||||||
|
authorization_flow = "\${data.authentik_flow.default-authorization-flow.id}";
|
||||||
|
invalidation_flow = "\${data.authentik_flow.default-invalidation-flow.id}";
|
||||||
|
client_id = git.oidc_client_id;
|
||||||
|
client_secret = git.oidc_client_secret;
|
||||||
|
|
||||||
|
property_mappings = [
|
||||||
|
"\${data.authentik_property_mapping_provider_scope.openid_openid.id}"
|
||||||
|
"\${data.authentik_property_mapping_provider_scope.openid_profile.id}"
|
||||||
|
"\${data.authentik_property_mapping_provider_scope.openid_offline_access.id}"
|
||||||
|
"\${authentik_property_mapping_provider_scope.gitea_entitlements.id}"
|
||||||
|
];
|
||||||
|
|
||||||
|
signing_key = "\${data.authentik_certificate_key_pair.generated.id}";
|
||||||
|
|
||||||
|
allowed_redirect_uris = [
|
||||||
|
{
|
||||||
|
matching_mode = "strict";
|
||||||
|
url = "https://git.plg.m0rel.eu/user/oauth2/authentik/callback";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
authentik_group = {
|
authentik_group = {
|
||||||
|
|||||||
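Review bot: In the entitlement hunk only `gitadmin` receives a policy binding (`gitadmin_admin` to `authentik_group.admins`), while `gituser` and `gitrestricted` are declared without any `authentik_policy_binding`, and nothing added here binds a policy to the `gitea` application itself; as written every authenticated authentik user can complete the authorization flow for Gitea, admins arrive with `gitea = "admin"`, and everyone else arrives with an empty `gitea_claims` dict. Whether Gitea then rejects such a login depends on its required-claim and group-claim settings, which this commit does not show, so either add bindings for the other two entitlements plus a group policy on the application, or state in a comment that Gitea is configured to refuse users lacking the claim. The mapping expression is fail-safe in that a user holding both `gitadmin` and `gitrestricted` ends up `restricted` because the later `if` overwrites, which deserves a comment so nobody reorders the checks: `# later branches win: restricted > admin > user`. Separately, `client_secret = git.oidc_client_secret;` in the provider hunk passes the secret as a plain Nix value; if this attribute set is rendered to Terraform JSON by a Nix build, the secret ends up in the world-readable Nix store, so consider a Terraform variable populated from the environment instead. The enclosing `authentik_*` attribute sets start outside each of these hunks.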