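# Terranix module declaring the Authentik resources (providers, applications,
# outposts, scope mappings, groups and users) for this homelab.
#
# Strings of the form "\${...}" are Nix-escaped so that the literal text
# `${...}` reaches the generated Terraform JSON and is resolved by Terraform
# (data sources, resource attributes), not by Nix.
#
# SECURITY NOTE: the `*_secrets.nix` files below are imported as plain Nix
# values. Everything they contain (OIDC client ids and secrets) is evaluated
# into the generated Terraform configuration, which lands in the Nix store
# (world-readable on a multi-user machine) and in the Terraform state. Treat
# the state file as secret material and consider an encrypted backend.
{ config, tools, lib, ... }:
let
  # Per-container definitions; each `def` is expected to carry `auth` (bool),
  # `description` and `icon` — assumed from the uses below, confirm against
  # the my-lxc option declaration.
  cfg = config.my-lxc;

  # OIDC client credentials, one file per relying party.
  matrixSecrets = import ../config/_matrix_secrets.nix;
  hassSecrets = import ../config/_ha_secrets.nix;
  vwSecrets = import ../config/_vw_secrets.nix;
  gitSecrets = import ../config/_git_secrets.nix;
  nasSecrets = import ../config/_nas_secrets.nix;

  # Terraform references shared by every provider.
  defaultFlows = {
    authorization_flow = "\${data.authentik_flow.default-authorization-flow.id}";
    invalidation_flow = "\${data.authentik_flow.default-invalidation-flow.id}";
  };
  embeddedOutpost = "\${data.authentik_outpost.embedded.id}";
  signingKey = "\${data.authentik_certificate_key_pair.generated.id}";

  # Built-in scope mappings are looked up as data sources; the two custom
  # mappings declared in this file are referenced as managed resources.
  builtinScope = scope: "\${data.authentik_property_mapping_provider_scope.${scope}.id}";
  customScope = scope: "\${authentik_property_mapping_provider_scope.${scope}.id}";

  # "strict" matching refuses any redirect_uri that is not byte-identical to
  # the registered one; keep it that way to block open-redirect style token
  # theft. (`inherit url` is the Nix shorthand for `url = url`.)
  strictRedirect = url: [ { matching_mode = "strict"; inherit url; } ];

  # Apply `mk` to every container whose definition has `auth = true`; the
  # others are mapped to {} and dropped, so containers without `auth` get no
  # Authentik resources at all.
  forAuthContainers = mk:
    lib.filterAttrs (_: v: v != { }) (
      lib.mapAttrs (containerName: def: lib.optionalAttrs def.auth (mk containerName def)) cfg
    );

  # Relying parties that use OAuth2/OIDC rather than the forward-auth proxy.
  # Must stay in sync with the keys of `authentik_provider_oauth2` below.
  oauthApps = [ "home_assistant" "matrix" "vaultwarden" "gitea" "nas" ];

  oauthApplication = app: {
    name = app;
    slug = app;
    protocol_provider = "\${resource.authentik_provider_oauth2.${app}.id}";
  };

  # NOTE(review): outposts serve proxy/LDAP/RADIUS/RAC providers; whether
  # attaching OAuth2 providers to the embedded outpost has any effect is not
  # established here — confirm it is needed, otherwise drop these attachments.
  oauthAttachment = app: {
    outpost = embeddedOutpost;
    protocol_provider = "\${authentik_provider_oauth2.${app}.id}";
  };

  giteaEntitlement = entitlementName: {
    name = entitlementName;
    application = "\${authentik_application.gitea.uuid}";
  };
in
{
  # One forward-auth (single application) proxy provider per authenticated
  # container, fronting https://<hostname>/ .
  authentik_provider_proxy = forAuthContainers (containerName: _: defaultFlows // {
    name = containerName;
    external_host = "https://${tools.build_hostname containerName}/";
    mode = "forward_single";
  });

  # Applications: one per proxied container plus one per OAuth2 relying party.
  # Note the proxied ones reference the provider through the `resource.`
  # prefix while the outpost attachments below do not; both forms resolve in
  # Terraform, but pick one for consistency.
  authentik_application =
    forAuthContainers (containerName: def: {
      name = containerName;
      slug = containerName;
      protocol_provider = "\${resource.authentik_provider_proxy.${containerName}.id}";
      meta_description = def.description;
      meta_icon = def.icon;
    })
    // lib.genAttrs oauthApps oauthApplication;

  # Gitea role entitlements, turned into the `gitea` claim by the
  # `gitea_entitlements` scope mapping further down.
  authentik_application_entitlement =
    lib.genAttrs [ "gitadmin" "gituser" "gitrestricted" ] giteaEntitlement;

  # Only `gitadmin` is bound here (to the Admin group). `gituser` and
  # `gitrestricted` have no binding in this file, so unless they are bound
  # elsewhere no user will ever receive them.
  authentik_policy_binding = {
    gitadmin_admin = {
      target = "\${authentik_application_entitlement.gitadmin.id}";
      group = "\${authentik_group.admins.id}";
      order = 0;
    };
  };

  # Expose every provider through the embedded outpost.
  authentik_outpost_provider_attachment =
    forAuthContainers (containerName: _: {
      outpost = embeddedOutpost;
      protocol_provider = "\${authentik_provider_proxy.${containerName}.id}";
    })
    // lib.genAttrs oauthApps oauthAttachment;

  # Custom scope mappings. The `expression` bodies are Authentik (Python)
  # expression policies evaluated server-side at token issuance.
  authentik_property_mapping_provider_scope = {
    # SECURITY NOTE: `email_verified` is asserted True for every user
    # regardless of whether Authentik ever verified the address. Vaultwarden
    # may use it to auto-link accounts by email; only keep this if email
    # verification is enforced in the enrollment flow.
    vaultwarden_email = {
      name = "vaultwarden_email";
      scope_name = "email";
      expression = ''
        return {
          "email": request.user.email,
          "email_verified": True
        }
      '';
    };

    # Maps Gitea entitlements to a single `gitea` claim. The assignments are
    # sequential, so when a user holds several entitlements the LAST match
    # wins: gitrestricted > gitadmin > gituser. That is the fail-safe
    # direction (a restriction overrides admin), so keep this order if the
    # checks are ever reordered.
    gitea_entitlements = {
      name = "gitea_entitlements";
      scope_name = "gitea";
      expression = ''
        entitlement_names = {
            entitlement.name
            for entitlement in request.user.app_entitlements(provider.application)
        }
        gitea_claims = {}
        if "gituser" in entitlement_names:
            gitea_claims["gitea"] = "user"
        if "gitadmin" in entitlement_names:
            gitea_claims["gitea"] = "admin"
        if "gitrestricted" in entitlement_names:
            gitea_claims["gitea"] = "restricted"
        return gitea_claims
      '';
    };
  };

  # OAuth2/OIDC providers. All use the default flows, the generated signing
  # key pair and a single strictly-matched redirect URI.
  authentik_provider_oauth2 = {
    home_assistant = defaultFlows // {
      name = "home_assistant";
      client_id = hassSecrets.oidc_client_id;
      client_secret = hassSecrets.oidc_client_secret;
      # SECURITY NOTE: this is the broadest scope set in the file. In
      # particular `authentik_api` lets the client obtain tokens accepted by
      # the Authentik API, and `proxy_outpost`/`app_entitlement` are outpost
      # and entitlement scopes. Home Assistant's OIDC login needs at most
      # openid/profile/email — review and trim to what the integration
      # actually requests.
      property_mappings = map builtinScope [
        "proxy_outpost"
        "openid_openid"
        "openid_email"
        "openid_profile"
        "app_entitlement"
        "openid_offline_access"
        "authentik_api"
      ];
      signing_key = signingKey;
      allowed_redirect_uris = strictRedirect "https://homeassistant.plg.m0rel.eu/auth/oidc/callback";
    };

    # NOTE(review): no `property_mappings` are set here, unlike the other
    # providers — whether Synapse then receives the openid/profile/email
    # claims it needs depends on the Terraform provider's default for this
    # attribute; confirm against a working login.
    matrix = defaultFlows // {
      name = "matrix";
      client_id = matrixSecrets.oidc_client_id;
      client_secret = matrixSecrets.oidc_client_secret;
      allowed_redirect_uris = strictRedirect "https://matrix.plg.m0rel.eu/_synapse/client/oidc/callback";
      signing_key = signingKey;
    };

    vaultwarden = defaultFlows // {
      name = "vaultwarden";
      client_id = vwSecrets.oidc_client_id;
      # NOTE(review): the Vaultwarden secrets file names this attribute
      # `oidc_secret_id` while every other file uses `oidc_client_secret`;
      # confirm it really holds the client secret and not an identifier.
      client_secret = vwSecrets.oidc_secret_id;
      property_mappings = map builtinScope [
        "openid_openid"
        "openid_profile"
        "openid_offline_access"
      ] ++ [ (customScope "vaultwarden_email") ];
      signing_key = signingKey;
      allowed_redirect_uris = strictRedirect "https://vault.plg.m0rel.eu/identity/connect/oidc-signin";
    };

    gitea = defaultFlows // {
      name = "gitea";
      client_id = gitSecrets.oidc_client_id;
      client_secret = gitSecrets.oidc_client_secret;
      property_mappings = map builtinScope [
        "openid_openid"
        "openid_profile"
        "openid_offline_access"
      ] ++ [ (customScope "gitea_entitlements") ];
      signing_key = signingKey;
      allowed_redirect_uris = strictRedirect "https://git.plg.m0rel.eu/user/oauth2/authentik/callback";
    };

    nas = defaultFlows // {
      name = "nas";
      client_id = nasSecrets.oidc_client_id;
      client_secret = nasSecrets.oidc_client_secret;
      property_mappings = map builtinScope [
        "openid_openid"
        "openid_profile"
        "openid_email"
      ];
      signing_key = signingKey;
      # Site root rather than a dedicated callback path; strict matching
      # still pins it to exactly "https://nas.plg.m0rel.eu/".
      allowed_redirect_uris = strictRedirect "https://nas.plg.m0rel.eu/";
    };
  };

  # SECURITY NOTE: `is_superuser = true` makes every member of "Admin" a full
  # Authentik administrator (all flows, providers, users, API). Keep this
  # group as small as possible and prefer scoped permissions for day-to-day
  # accounts.
  authentik_group = {
    admins = {
      name = "Admin";
      is_superuser = true;
    };
    users = { name = "Utilisateur"; };
    visitors = { name = "Visiteur"; };
  };

  # Declared user accounts. Both `yoru` and `shauni` are superusers via the
  # Admin group (see note above); `lily` is a plain user. No account is
  # placed in `visitors`, which therefore has no members from this file.
  authentik_user = {
    yoru = {
      username = "yoru";
      name = "Xavier";
      email = "morelx42@protonmail.com";
      groups = [
        "\${authentik_group.admins.id}"
        "\${authentik_group.users.id}"
      ];
    };
    shauni = {
      username = "shauni";
      name = "Laetitia";
      email = "laetitia.laversin@gmail.com";
      groups = [
        "\${authentik_group.admins.id}"
        "\${authentik_group.users.id}"
      ];
    };
    lily = {
      username = "lily";
      name = "Lily";
      groups = [ "\${authentik_group.users.id}" ];
    };
  };
}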