
# Authentik resources for the homelab, expressed in Nix and (from the look of
# the `\${...}` strings) rendered to Terraform JSON by a terranix-style
# bridge — so those interpolations are resolved by Terraform, not by Nix.
# Produces: a forward-auth proxy provider + application per container that
# sets `auth = true`, and OAuth2/OIDC providers for Home Assistant and Matrix.
{
  config,
  tools,
  lib,
  ...
}:
let
  # Per-container definitions; each entry's `auth` flag decides whether the
  # container gets an Authentik proxy provider in front of it.
  cfg = config.my-lxc;
  # OIDC client credentials kept in underscore-prefixed files next to the
  # module (presumably untracked — verify they are in .gitignore). Note that
  # anything imported here still ends up in the rendered Terraform config and
  # in Terraform state, and in the Nix store if this expression is built there.
  matrix = import ../config/_matrix_secrets.nix;
  hass = import ../config/_ha_secrets.nix;
in
{
authentik_provider_proxy =
    let
      # Only containers that opt in with `auth = true` are fronted by Authentik.
      protected = lib.filterAttrs (_: def: def.auth) cfg;
      # One proxy provider per protected container, keyed by container name.
      mkProxy = containerName: _def: {
        name = containerName;
        authorization_flow = "\${data.authentik_flow.default-authorization-flow.id}";
        invalidation_flow = "\${data.authentik_flow.default-invalidation-flow.id}";
        # Public URL the outpost protects; derived from the same helper the
        # rest of the homelab uses for hostnames, trailing slash included.
        external_host = "https://${tools.build_hostname containerName}/";
        # Forward-auth for a single application: the reverse proxy consults the
        # outpost on every request instead of Authentik proxying the traffic.
        mode = "forward_single";
      };
    in
    lib.mapAttrs mkProxy protected;
authentik_application =
    let
      protected = lib.filterAttrs (_: def: def.auth) cfg;
      # One application per proxied container, bound to its proxy provider.
      proxied = lib.mapAttrs (containerName: _def: {
        name = containerName;
        slug = containerName;
        # Written with the `resource.` prefix here but without it in the outpost
        # attachments; Terraform appears to accept both, but a single style
        # would make the references easier to grep.
        protocol_provider = "\${resource.authentik_provider_proxy.${containerName}.id}";
      }) protected;
      # Applications for the two OAuth2/OIDC clients. These are merged over the
      # container-derived set, so a container literally named `home_assistant`
      # or `matrix` with `auth = true` would be silently overridden here.
      oidc = {
        home_assistant = {
          name = "home_assistant";
          slug = "home_assistant";
          protocol_provider = "\${resource.authentik_provider_oauth2.home_assistant.id}";
        };
        matrix = {
          name = "matrix";
          slug = "matrix";
          protocol_provider = "\${resource.authentik_provider_oauth2.matrix.id}";
        };
      };
    in
    proxied // oidc;
authentik_outpost_provider_attachment =
    let
      embedded = "\${data.authentik_outpost.embedded.id}";
      protected = lib.filterAttrs (_: def: def.auth) cfg;
      # Every container proxy provider is served by the embedded outpost.
      proxies = lib.mapAttrs (containerName: _def: {
        outpost = embedded;
        protocol_provider = "\${authentik_provider_proxy.${containerName}.id}";
      }) protected;
      # NOTE(review): outposts serve proxy-type providers; attaching the two
      # OAuth2 providers is kept from the original but is presumably a no-op
      # for OIDC (the core server answers those) — confirm it is needed.
      # As with the applications, these keys win over a same-named container.
      oidc = {
        home_assistant = {
          outpost = embedded;
          protocol_provider = "\${authentik_provider_oauth2.home_assistant.id}";
        };
        matrix = {
          outpost = embedded;
          protocol_provider = "\${authentik_provider_oauth2.matrix.id}";
        };
      };
    in
    proxies // oidc;
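authentik_provider_oauth2 =
    let
      # Both OIDC clients use the tenant's default flows; defined once so the
      # two providers cannot drift apart.
      defaultFlows = {
        authorization_flow = "\${data.authentik_flow.default-authorization-flow.id}";
        invalidation_flow = "\${data.authentik_flow.default-invalidation-flow.id}";
      };
      # Terraform reference to an Authentik scope mapping by its data-source name.
      scope = n: "\${data.authentik_property_mapping_provider_scope.${n}.id}";
    in
    {
      # Home Assistant OIDC login (callback under /auth/oidc/callback).
      home_assistant = defaultFlows // {
        name = "home_assistant";
        # Credentials come from ../config/_ha_secrets.nix. They are still
        # written into the rendered Terraform config and stored in plaintext in
        # Terraform state (and in the Nix store if this is built there), so
        # protect the state backend and store at least as well as the file.
        client_id = hass.oidc_client_id;
        client_secret = hass.oidc_client_secret;
        # Scopes the client is *allowed* to request. NOTE(review): this is wider
        # than a login client needs — `authentik_api` lets a token issued to
        # Home Assistant call the Authentik API as the user, `proxy_outpost` is a
        # proxy-provider scope, and `openid_offline_access` enables refresh
        # tokens. Left unchanged to avoid breaking the existing login; confirm
        # which scopes Home Assistant actually requests and drop the rest.
        property_mappings = map scope [
          "proxy_outpost"
          "openid_openid"
          "openid_email"
          "openid_profile"
          "app_entitlement"
          "openid_offline_access"
          "authentik_api"
        ];
        # ID tokens are signed with the generated key pair (asymmetric) rather
        # than with the client secret.
        signing_key = "\${data.authentik_certificate_key_pair.generated.id}";
        # Exact-match redirect URI; keep `strict` — a regex here is a classic
        # route to authorization-code leakage. The hostname is hard-coded
        # rather than derived via tools.build_hostname, so keep it in sync with
        # the container's actual hostname.
        allowed_redirect_uris = [
          {
            matching_mode = "strict";
            url = "https://homeassistant.plg.m0rel.eu/auth/oidc/callback";
          }
        ];
      };
      # Synapse OIDC login (callback under /_synapse/client/oidc/callback).
      matrix = defaultFlows // {
        name = "matrix";
        client_id = matrix.oidc_client_id;
        client_secret = matrix.oidc_client_secret;
        # NOTE(review): unlike home_assistant there is no `signing_key` — Authentik
        # then falls back to signing ID tokens with HS256 using the client
        # secret (per its docs; verify) — and no `property_mappings`, so confirm
        # Synapse still receives the openid/email/profile claims it maps users
        # from, or mirror the minimal scope list from home_assistant.
        allowed_redirect_uris = [
          {
            matching_mode = "strict";
            url = "https://matrix.plg.m0rel.eu/_synapse/client/oidc/callback";
          }
        ];
      };
    };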
}