Compare commits
4 Commits
d4018d9df0
...
e186ce10fd
| Author | SHA1 | Date | |
|---|---|---|---|
| e186ce10fd | |||
| 1cd503ee97 | |||
| 96570afcb5 | |||
| 9ae79092fb |
Symlink
+1
@@ -0,0 +1 @@
|
|||||||
|
/home/xmorel/homelab-private/_nas_secrets.nix
|
||||||
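Review bot: The new symlink resolves to `/home/xmorel/homelab-private/_nas_secrets.nix`, an absolute path on one user's machine, so the `import ../config/_nas_secrets.nix` added in this same change dangles on every other checkout, and if the repository is evaluated as a flake the link is copied into the store unresolved and pure evaluation will refuse to follow it outside the store. This presumably mirrors how the existing `_ha_secrets.nix`/`_vw_secrets.nix`/`_git_secrets.nix` imports are wired, but the pattern is worth fixing rather than extending: a relative link into a sibling checkout, or better an encrypted-secrets tool (sops-nix/agenix) so nothing outside the repository is referenced at evaluation time. At minimum, a README note naming the expected target would make a fresh clone fail with an understandable message.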
@@ -90,8 +90,8 @@ in
|
|||||||
# };
|
# };
|
||||||
jwt_config = {
|
jwt_config = {
|
||||||
enabled = true;
|
enabled = true;
|
||||||
secret = sec.jwt_secret;
|
secret = sec.oidc_client_secret; # jwt_secret;
|
||||||
algorithm = sec.jwt_algo;
|
algorithm = "RS256"; # sec.jwt_algo;
|
||||||
};
|
};
|
||||||
oidc_providers = [
|
oidc_providers = [
|
||||||
{
|
{
|
||||||
|
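Review bot: `secret = sec.oidc_client_secret;` paired with `algorithm = "RS256";` cannot verify tokens: RS256 is asymmetric, so the verifying side needs the issuer's RSA public key (PEM), and an OAuth client secret is neither that nor an acceptable HMAC key to fall back on. This change set also adds `signing_key = "\${data.authentik_certificate_key_pair.generated.id}"` to the matrix provider, so the value that belongs here is presumably that key pair's public certificate, e.g. `secret = sec.jwt_public_key;` exported from it, or else keep `algorithm = sec.jwt_algo;` with a genuine shared secret. Drop the trailing `# jwt_secret;` / `# sec.jwt_algo;` commented-out code once decided and replace it with a one-line comment saying which key this is and where it comes from. The enclosing attribute set starts before and ends after this hunk.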
|||||||
@@ -72,6 +72,24 @@ in
|
|||||||
http_port = 3000;
|
http_port = 3000;
|
||||||
protocol = "http";
|
protocol = "http";
|
||||||
};
|
};
|
||||||
|
auth = {
|
||||||
|
signout_redirect_url = "https://auth.plg.m0rel.eu/application/o/grafana/end-session/";
|
||||||
|
};
|
||||||
|
"auth.generic_oauth" = {
|
||||||
|
enabled = true;
|
||||||
|
allow_sign_up = true;
|
||||||
|
auto_login = true;
|
||||||
|
name = "authentik";
|
||||||
|
client_id = "wK5v2ELbuMtaCk0G5X1mSiBXTzMdkEmKmWH410vY";
|
||||||
|
client_secret = "5cKyZDoQPpZcGJdUCkF8kxtAxpJ2fEDX5mOoRGxACCddhuptM6RnDU9EqRxtaMwEKFaBMuIwQwfVfhGCjSj5SVFIOUAFLugPjzyLrwUF52WVzouz3BY8xFyOMXzF6YV";
|
||||||
|
scopes = "openid profile email entitlements";
|
||||||
|
auth_url = "https://auth.plg.m0rel.eu/application/o/authorize/";
|
||||||
|
token_url = "https://auth.plg.m0rel.eu/application/o/token/";
|
||||||
|
api_url = "https://auth.plg.m0rel.eu/application/o/userinfo/";
|
||||||
|
role_attribute_path = "contains(entitlements[*], 'Grafana Admins') && 'Admin' || contains(entitlements[*], 'Grafana Editors') && 'Editor' || 'Viewer'";
|
||||||
|
tls_skip_verify_insecure = true;
|
||||||
|
use_pkce = true;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
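Review bot: `client_secret = "5cKyZDoQ…"` together with `client_id` is a live OAuth credential committed as a plain string literal, while every other secret in this change set is read from a `_*_secrets.nix` import kept outside the repository (the symlink added here shows the pattern); it should use the same mechanism or Grafana's `$__file{...}` / `GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET`, and because it is already in history it needs rotating in authentik regardless. If this is rendered into `grafana.ini` by a NixOS module the literal also ends up in the world-readable `/nix/store`, so a private repository alone does not contain it. `tls_skip_verify_insecure = true;` additionally disables certificate checking for the token and userinfo calls to `auth.plg.m0rel.eu`, which is exactly how an on-path attacker would capture that secret and users' tokens; the IdP is on a public HTTPS hostname, so remove the line, or if the certificate is internal, trust its CA via `tls_client_ca` instead. The settings set this block sits in starts before the hunk.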
|||||||
@@ -23,7 +23,7 @@
|
|||||||
frigate = "";
|
frigate = "";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
private = false;
|
private = true;
|
||||||
auth = true;
|
auth = false;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
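Review bot: Flipping `auth = true;` to `auth = false;` removes whatever gate `auth` applies to this entry and nothing in the hunk says what takes its place; setting `private = true;` in the same change reads as if it were meant as the substitute, which it presumably is not. If the intent is that the service now authenticates users itself through the OIDC provider added elsewhere in this change, add a comment such as `# forward-auth off: service does its own OIDC login; private = LAN-only exposure` so the next reader does not re-enable it or misread `private`. The entry these two flags belong to is defined before the hunk, so I cannot confirm which service this is.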
|||||||
@@ -10,6 +10,7 @@ let
|
|||||||
hass = import ../config/_ha_secrets.nix;
|
hass = import ../config/_ha_secrets.nix;
|
||||||
vw = import ../config/_vw_secrets.nix;
|
vw = import ../config/_vw_secrets.nix;
|
||||||
git = import ../config/_git_secrets.nix;
|
git = import ../config/_git_secrets.nix;
|
||||||
|
nas = import ../config/_nas_secrets.nix;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
authentik_provider_proxy = lib.filterAttrs (_: v: v != { }) (
|
authentik_provider_proxy = lib.filterAttrs (_: v: v != { }) (
|
||||||
@@ -56,6 +57,11 @@ in
|
|||||||
slug = "gitea";
|
slug = "gitea";
|
||||||
protocol_provider = "\${resource.authentik_provider_oauth2.gitea.id}";
|
protocol_provider = "\${resource.authentik_provider_oauth2.gitea.id}";
|
||||||
};
|
};
|
||||||
|
nas = {
|
||||||
|
name = "nas";
|
||||||
|
slug = "nas";
|
||||||
|
protocol_provider = "\${resource.authentik_provider_oauth2.nas.id}";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
authentik_application_entitlement = {
|
authentik_application_entitlement = {
|
||||||
|
|
||||||
@@ -108,6 +114,10 @@ in
|
|||||||
outpost = "\${data.authentik_outpost.embedded.id}";
|
outpost = "\${data.authentik_outpost.embedded.id}";
|
||||||
protocol_provider = "\${authentik_provider_oauth2.gitea.id}";
|
protocol_provider = "\${authentik_provider_oauth2.gitea.id}";
|
||||||
};
|
};
|
||||||
|
nas = {
|
||||||
|
outpost = "\${data.authentik_outpost.embedded.id}";
|
||||||
|
protocol_provider = "\${authentik_provider_oauth2.nas.id}";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
authentik_property_mapping_provider_scope = {
|
authentik_property_mapping_provider_scope = {
|
||||||
@@ -183,6 +193,7 @@ in
|
|||||||
url = "https://matrix.plg.m0rel.eu/_synapse/client/oidc/callback";
|
url = "https://matrix.plg.m0rel.eu/_synapse/client/oidc/callback";
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
signing_key = "\${data.authentik_certificate_key_pair.generated.id}";
|
||||||
};
|
};
|
||||||
vaultwarden = {
|
vaultwarden = {
|
||||||
name = "vaultwarden";
|
name = "vaultwarden";
|
||||||
@@ -230,6 +241,28 @@ in
|
|||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
nas = {
|
||||||
|
name = "nas";
|
||||||
|
authorization_flow = "\${data.authentik_flow.default-authorization-flow.id}";
|
||||||
|
invalidation_flow = "\${data.authentik_flow.default-invalidation-flow.id}";
|
||||||
|
client_id = nas.oidc_client_id;
|
||||||
|
client_secret = nas.oidc_client_secret;
|
||||||
|
|
||||||
|
property_mappings = [
|
||||||
|
"\${data.authentik_property_mapping_provider_scope.openid_openid.id}"
|
||||||
|
"\${data.authentik_property_mapping_provider_scope.openid_profile.id}"
|
||||||
|
"\${data.authentik_property_mapping_provider_scope.openid_email.id}"
|
||||||
|
];
|
||||||
|
|
||||||
|
signing_key = "\${data.authentik_certificate_key_pair.generated.id}";
|
||||||
|
|
||||||
|
allowed_redirect_uris = [
|
||||||
|
{
|
||||||
|
matching_mode = "strict";
|
||||||
|
url = "https://nas.plg.m0rel.eu/";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
authentik_group = {
|
authentik_group = {
|
||||||
|
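Review bot: `client_secret = nas.oidc_client_secret;` on the new `nas` provider is written into the rendered Terraform configuration and hence into Terraform state in plaintext (the `\${resource.…}` interpolations indicate this Nix is rendered to Terraform JSON), so a comment should record where that state lives and that it is as sensitive as the secrets file itself; the `nas` value also comes from the `_nas_secrets.nix` symlink whose absolute target exists on only one machine. The single `allowed_redirect_uris` entry uses `matching_mode = "strict"` against the bare root `https://nas.plg.m0rel.eu/`; a strict match rejects any callback on a subpath, so confirm the NAS's actual redirect URI and list that exact path rather than loosening the mode to regex. The set this last hunk extends, presumably `authentik_provider_oauth2`, starts before the hunk.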
|||||||