Xavier Morel e186ce10fd feat: disable public frigate access
2026-06-01 14:15:11 +02:00
Xavier Morel 1cd503ee97 feat: try to change config for matrix to work with sso 2026-06-01 14:14:55 +02:00
Xavier Morel 96570afcb5 feat: add grafana config for oauth 2026-06-01 14:14:31 +02:00
Xavier Morel 9ae79092fb feat: add authentik config for nas 2026-06-01 14:13:30 +02:00
5 changed files with 56 additions and 4 deletions
+1
@@ -0,0 +1 @@
/home/xmorel/homelab-private/_nas_secrets.nix
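Review bot: The new file's only content is the absolute path `/home/xmorel/homelab-private/_nas_secrets.nix`, which looks like a symlink target into a private checkout; if so it resolves only on that one host, whereas the sibling secrets files on this page are pulled in with repo-relative `import ../config/_*_secrets.nix` lines. Evaluation on any other machine will fail on the missing target, so either make the nas secrets reachable the same way the other `_*_secrets.nix` files are, or add a one-line comment next to the import stating the host requirement. I cannot see the file's path or mode from this page, so treat the symlink reading as something to confirm.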
+2 -2
@@ -90,8 +90,8 @@ in
# }; # };
jwt_config = { jwt_config = {
enabled = true; enabled = true;
secret = sec.jwt_secret; secret = sec.oidc_client_secret; # jwt_secret;
algorithm = sec.jwt_algo; algorithm = "RS256"; # sec.jwt_algo;
}; };
oidc_providers = [ oidc_providers = [
{ {
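Review bot: `secret = sec.oidc_client_secret;` combined with `algorithm = "RS256";` is unlikely to verify any token: for an asymmetric algorithm the verifier needs the issuer's public key in `secret`, and an OIDC client secret is a shared credential used at the token endpoint, not the key that signs tokens (the `signing_key = "\${data.authentik_certificate_key_pair.generated.id}"` added to the matrix provider further down is where that public key would come from). If this is Synapse's `jwt_config`, it enables the separate `m.login.jwt` login type rather than the OIDC SSO flow that `oidc_providers` below configures, so consider whether the block is needed at all; if it is, point `secret` at the exported public-key PEM, e.g. `secret = sec.oidc_signing_public_key;` (name constructed). The previous values survive as trailing `# jwt_secret;` / `# sec.jwt_algo;` comments; drop them or replace them with a one-line note on why the key changed. The enclosing attrset continues outside the hunk.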
+18
@@ -72,6 +72,24 @@ in
http_port = 3000; http_port = 3000;
protocol = "http"; protocol = "http";
}; };
auth = {
signout_redirect_url = "https://auth.plg.m0rel.eu/application/o/grafana/end-session/";
};
"auth.generic_oauth" = {
enabled = true;
allow_sign_up = true;
auto_login = true;
name = "authentik";
client_id = "wK5v2ELbuMtaCk0G5X1mSiBXTzMdkEmKmWH410vY";
client_secret = "5cKyZDoQPpZcGJdUCkF8kxtAxpJ2fEDX5mOoRGxACCddhuptM6RnDU9EqRxtaMwEKFaBMuIwQwfVfhGCjSj5SVFIOUAFLugPjzyLrwUF52WVzouz3BY8xFyOMXzF6YV";
scopes = "openid profile email entitlements";
auth_url = "https://auth.plg.m0rel.eu/application/o/authorize/";
token_url = "https://auth.plg.m0rel.eu/application/o/token/";
api_url = "https://auth.plg.m0rel.eu/application/o/userinfo/";
role_attribute_path = "contains(entitlements[*], 'Grafana Admins') && 'Admin' || contains(entitlements[*], 'Grafana Editors') && 'Editor' || 'Viewer'";
tls_skip_verify_insecure = true;
use_pkce = true;
};
}; };
}; };
} }
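Review bot: The `client_secret = "..."` line in the `"auth.generic_oauth"` block commits a live credential in clear text, while every other credential on this page is read from an imported `_*_secrets.nix` attrset; move `client_id` and `client_secret` there (`client_secret = sec.grafana_oidc_client_secret;`, name constructed) and, since the value is already in history, rotate it in authentik. `tls_skip_verify_insecure = true;` turns off certificate verification for Grafana's calls to `token_url` and `api_url`, which is exactly where that secret and the access tokens are sent; the other services on this page reach `auth.plg.m0rel.eu` over https, so this should be `false`, with the CA added to the trust store instead if the IdP certificate is genuinely untrusted. If this is NixOS `services.grafana.settings`, Grafana also accepts `$__file{...}` for secret values, which keeps the secret out of a world-readable store path. With `allow_sign_up = true` and `auto_login = true`, every authentik user is admitted as `Viewer` via the `role_attribute_path` fallback; confirm that is intended. The enclosing `settings` attrset starts outside the hunk.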
+2 -2
@@ -23,7 +23,7 @@
frigate = ""; frigate = "";
}; };
}; };
private = false; private = true;
auth = true; auth = false;
}; };
} }
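Review bot: `auth = false;` together with `private = true;` may leave frigate reachable without any authentication on whatever network `private` still exposes it to; the commit title says public access is disabled, but switching `auth` off is a separate decision the hunk does not explain. If `auth` drives the authentik proxy outpost for this service and `private` only limits exposure, `private = true; auth = true;` is the stricter combination; otherwise add a short comment such as `# private keeps frigate off the public ingress; auth is handled by frigate itself` (wording to match the real semantics) so the next reader does not silently re-enable it. I cannot see the module that consumes these two flags from this page, so confirm the meaning there. The enclosing attrset starts outside the hunk.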
@@ -10,6 +10,7 @@ let
hass = import ../config/_ha_secrets.nix; hass = import ../config/_ha_secrets.nix;
vw = import ../config/_vw_secrets.nix; vw = import ../config/_vw_secrets.nix;
git = import ../config/_git_secrets.nix; git = import ../config/_git_secrets.nix;
nas = import ../config/_nas_secrets.nix;
in in
{ {
authentik_provider_proxy = lib.filterAttrs (_: v: v != { }) ( authentik_provider_proxy = lib.filterAttrs (_: v: v != { }) (
@@ -56,6 +57,11 @@ in
slug = "gitea"; slug = "gitea";
protocol_provider = "\${resource.authentik_provider_oauth2.gitea.id}"; protocol_provider = "\${resource.authentik_provider_oauth2.gitea.id}";
}; };
nas = {
name = "nas";
slug = "nas";
protocol_provider = "\${resource.authentik_provider_oauth2.nas.id}";
};
}; };
authentik_application_entitlement = { authentik_application_entitlement = {
@@ -108,6 +114,10 @@ in
outpost = "\${data.authentik_outpost.embedded.id}"; outpost = "\${data.authentik_outpost.embedded.id}";
protocol_provider = "\${authentik_provider_oauth2.gitea.id}"; protocol_provider = "\${authentik_provider_oauth2.gitea.id}";
}; };
nas = {
outpost = "\${data.authentik_outpost.embedded.id}";
protocol_provider = "\${authentik_provider_oauth2.nas.id}";
};
}; };
authentik_property_mapping_provider_scope = { authentik_property_mapping_provider_scope = {
@@ -183,6 +193,7 @@ in
url = "https://matrix.plg.m0rel.eu/_synapse/client/oidc/callback"; url = "https://matrix.plg.m0rel.eu/_synapse/client/oidc/callback";
} }
]; ];
signing_key = "\${data.authentik_certificate_key_pair.generated.id}";
}; };
vaultwarden = { vaultwarden = {
name = "vaultwarden"; name = "vaultwarden";
@@ -230,6 +241,28 @@ in
} }
]; ];
}; };
nas = {
name = "nas";
authorization_flow = "\${data.authentik_flow.default-authorization-flow.id}";
invalidation_flow = "\${data.authentik_flow.default-invalidation-flow.id}";
client_id = nas.oidc_client_id;
client_secret = nas.oidc_client_secret;
property_mappings = [
"\${data.authentik_property_mapping_provider_scope.openid_openid.id}"
"\${data.authentik_property_mapping_provider_scope.openid_profile.id}"
"\${data.authentik_property_mapping_provider_scope.openid_email.id}"
];
signing_key = "\${data.authentik_certificate_key_pair.generated.id}";
allowed_redirect_uris = [
{
matching_mode = "strict";
url = "https://nas.plg.m0rel.eu/";
}
];
};
}; };
authentik_group = { authentik_group = {