feat: add authentik config for gitea
Gitea Actions Demo / Explore-Gitea-Actions (push) Successful in 3s
Gitea Actions Demo / Explore-Gitea-Actions (push) Successful in 3s
This commit is contained in:
Symlink
+1
@@ -0,0 +1 @@
|
||||
/home/xmorel/homelab-private/_git_secrets.nix
|
||||
@@ -9,6 +9,7 @@ let
|
||||
matrix = import ../config/_matrix_secrets.nix;
|
||||
hass = import ../config/_ha_secrets.nix;
|
||||
vw = import ../config/_vw_secrets.nix;
|
||||
git = import ../config/_git_secrets.nix;
|
||||
in
|
||||
{
|
||||
authentik_provider_proxy = lib.filterAttrs (_: v: v != { }) (
|
||||
@@ -50,6 +51,34 @@ in
|
||||
slug = "vaultwarden";
|
||||
protocol_provider = "\${resource.authentik_provider_oauth2.vaultwarden.id}";
|
||||
};
|
||||
gitea = {
|
||||
name = "gitea";
|
||||
slug = "gitea";
|
||||
protocol_provider = "\${resource.authentik_provider_oauth2.gitea.id}";
|
||||
};
|
||||
};
|
||||
authentik_application_entitlement = {
|
||||
|
||||
gitadmin = {
|
||||
name = "gitadmin";
|
||||
application = "\${authentik_application.gitea.uuid}";
|
||||
};
|
||||
gituser = {
|
||||
name = "gituser";
|
||||
application = "\${authentik_application.gitea.uuid}";
|
||||
};
|
||||
gitrestricted = {
|
||||
name = "gitrestricted";
|
||||
application = "\${authentik_application.gitea.uuid}";
|
||||
};
|
||||
};
|
||||
|
||||
authentik_policy_binding = {
|
||||
gitadmin_admin = {
|
||||
target = "\${authentik_application_entitlement.gitadmin.id}";
|
||||
group = "\${authentik_group.admins.id}";
|
||||
order = 0;
|
||||
};
|
||||
};
|
||||
|
||||
authentik_outpost_provider_attachment =
|
||||
@@ -75,6 +104,10 @@ in
|
||||
outpost = "\${data.authentik_outpost.embedded.id}";
|
||||
protocol_provider = "\${authentik_provider_oauth2.vaultwarden.id}";
|
||||
};
|
||||
gitea = {
|
||||
outpost = "\${data.authentik_outpost.embedded.id}";
|
||||
protocol_provider = "\${authentik_provider_oauth2.gitea.id}";
|
||||
};
|
||||
};
|
||||
|
||||
authentik_property_mapping_provider_scope = {
|
||||
@@ -88,6 +121,26 @@ in
|
||||
}
|
||||
'';
|
||||
};
|
||||
gitea_entitlements = {
|
||||
name = "gitea_entitlements";
|
||||
scope_name = "gitea";
|
||||
expression = ''
|
||||
entitlement_names = {
|
||||
entitlement.name
|
||||
for entitlement in request.user.app_entitlements(provider.application)
|
||||
}
|
||||
gitea_claims = {}
|
||||
|
||||
if "gituser" in entitlement_names:
|
||||
gitea_claims["gitea"] = "user"
|
||||
if "gitadmin" in entitlement_names:
|
||||
gitea_claims["gitea"] = "admin"
|
||||
if "gitrestricted" in entitlement_names:
|
||||
gitea_claims["gitea"] = "restricted"
|
||||
|
||||
return gitea_claims
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
authentik_provider_oauth2 = {
|
||||
@@ -154,6 +207,29 @@ in
|
||||
}
|
||||
];
|
||||
};
|
||||
gitea = {
|
||||
name = "gitea";
|
||||
authorization_flow = "\${data.authentik_flow.default-authorization-flow.id}";
|
||||
invalidation_flow = "\${data.authentik_flow.default-invalidation-flow.id}";
|
||||
client_id = git.oidc_client_id;
|
||||
client_secret = git.oidc_client_secret;
|
||||
|
||||
property_mappings = [
|
||||
"\${data.authentik_property_mapping_provider_scope.openid_openid.id}"
|
||||
"\${data.authentik_property_mapping_provider_scope.openid_profile.id}"
|
||||
"\${data.authentik_property_mapping_provider_scope.openid_offline_access.id}"
|
||||
"\${authentik_property_mapping_provider_scope.gitea_entitlements.id}"
|
||||
];
|
||||
|
||||
signing_key = "\${data.authentik_certificate_key_pair.generated.id}";
|
||||
|
||||
allowed_redirect_uris = [
|
||||
{
|
||||
matching_mode = "strict";
|
||||
url = "https://git.plg.m0rel.eu/user/oauth2/authentik/callback";
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
authentik_group = {
|
||||
|
||||
Reference in New Issue
Block a user