feat: add authentik config for gitea
Gitea Actions Demo / Explore-Gitea-Actions (push) Successful in 3s

This commit is contained in:
Xavier Morel
2026-05-28 21:31:17 +02:00
parent ad3fd3d0f9
commit d4018d9df0
2 changed files with 77 additions and 0 deletions
+1
View File
@@ -0,0 +1 @@
/home/xmorel/homelab-private/_git_secrets.nix
@@ -9,6 +9,7 @@ let
matrix = import ../config/_matrix_secrets.nix;
hass = import ../config/_ha_secrets.nix;
vw = import ../config/_vw_secrets.nix;
git = import ../config/_git_secrets.nix;
in
{
authentik_provider_proxy = lib.filterAttrs (_: v: v != { }) (
@@ -50,7 +51,35 @@ in
slug = "vaultwarden";
protocol_provider = "\${resource.authentik_provider_oauth2.vaultwarden.id}";
};
gitea = {
name = "gitea";
slug = "gitea";
protocol_provider = "\${resource.authentik_provider_oauth2.gitea.id}";
};
};
authentik_application_entitlement = {
gitadmin = {
name = "gitadmin";
application = "\${authentik_application.gitea.uuid}";
};
gituser = {
name = "gituser";
application = "\${authentik_application.gitea.uuid}";
};
gitrestricted = {
name = "gitrestricted";
application = "\${authentik_application.gitea.uuid}";
};
};
authentik_policy_binding = {
gitadmin_admin = {
target = "\${authentik_application_entitlement.gitadmin.id}";
group = "\${authentik_group.admins.id}";
order = 0;
};
};
authentik_outpost_provider_attachment =
lib.filterAttrs (_: v: v != { }) (
@@ -75,6 +104,10 @@ in
outpost = "\${data.authentik_outpost.embedded.id}";
protocol_provider = "\${authentik_provider_oauth2.vaultwarden.id}";
};
gitea = {
outpost = "\${data.authentik_outpost.embedded.id}";
protocol_provider = "\${authentik_provider_oauth2.gitea.id}";
};
};
authentik_property_mapping_provider_scope = {
@@ -88,6 +121,26 @@ in
}
'';
};
gitea_entitlements = {
name = "gitea_entitlements";
scope_name = "gitea";
expression = ''
entitlement_names = {
entitlement.name
for entitlement in request.user.app_entitlements(provider.application)
}
gitea_claims = {}
if "gituser" in entitlement_names:
gitea_claims["gitea"] = "user"
if "gitadmin" in entitlement_names:
gitea_claims["gitea"] = "admin"
if "gitrestricted" in entitlement_names:
gitea_claims["gitea"] = "restricted"
return gitea_claims
'';
};
};
authentik_provider_oauth2 = {
@@ -154,6 +207,29 @@ in
}
];
};
gitea = {
name = "gitea";
authorization_flow = "\${data.authentik_flow.default-authorization-flow.id}";
invalidation_flow = "\${data.authentik_flow.default-invalidation-flow.id}";
client_id = git.oidc_client_id;
client_secret = git.oidc_client_secret;
property_mappings = [
"\${data.authentik_property_mapping_provider_scope.openid_openid.id}"
"\${data.authentik_property_mapping_provider_scope.openid_profile.id}"
"\${data.authentik_property_mapping_provider_scope.openid_offline_access.id}"
"\${authentik_property_mapping_provider_scope.gitea_entitlements.id}"
];
signing_key = "\${data.authentik_certificate_key_pair.generated.id}";
allowed_redirect_uris = [
{
matching_mode = "strict";
url = "https://git.plg.m0rel.eu/user/oauth2/authentik/callback";
}
];
};
};
authentik_group = {