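{
  config,
  tools,
  lib,
  ...
}:

# Authentik wiring for the LXC containers declared in `config.my-lxc`.
# The attribute set returned here is shaped like Terraform resource blocks
# (it looks like a terranix-style module).  Strings written as "\${...}" are
# escaped so Nix leaves them alone; they are Terraform references that are
# resolved at `terraform plan/apply` time, not during Nix evaluation.
let
  cfg = config.my-lxc;

  # OIDC client credentials are imported from plain Nix files.  Whatever is
  # read here is evaluated into the generated Terraform JSON, so it also
  # lands in the Nix store and in the Terraform state: keep these files out
  # of world-readable locations and treat the state backend as secret.
  matrix = import ../config/_matrix_secrets.nix;
  hass = import ../config/_ha_secrets.nix;

  # Terraform references shared by every provider defined below.
  authorizationFlow = "\${data.authentik_flow.default-authorization-flow.id}";
  invalidationFlow = "\${data.authentik_flow.default-invalidation-flow.id}";
  embeddedOutpost = "\${data.authentik_outpost.embedded.id}";

  # Build one resource per container whose definition has `auth = true`,
  # keyed by container name.  `mk name def` returns the resource body.
  # Containers with `auth = false` yield `{ }` from optionalAttrs, which the
  # surrounding filterAttrs drops, so they produce no resource at all.
  # `def.auth` is expected to be a boolean on every container definition —
  # presumably declared by the my-lxc module options; confirm against it.
  forAuthContainers =
    mk:
    lib.filterAttrs (_: v: v != { }) (
      lib.mapAttrs (containerName: def: lib.optionalAttrs (def.auth) (mk containerName def)) cfg
    );
in
{
  # One forward-auth proxy provider per authenticated container.  The
  # external host is derived from the container name by `tools.build_hostname`.
  authentik_provider_proxy = forAuthContainers (
    containerName: _: {
      name = containerName;
      authorization_flow = authorizationFlow;
      invalidation_flow = invalidationFlow;
      external_host = "https://${tools.build_hostname containerName}/";
      mode = "forward_single";
    }
  );

  # One application per proxy provider, plus the two OIDC-backed ones.
  # `//` is right-biased: a container named `home_assistant` or `matrix`
  # with `auth = true` would have its proxy-backed application replaced by
  # the OIDC entry below while its proxy provider is still created.
  authentik_application =
    forAuthContainers (
      containerName: _: {
        name = containerName;
        slug = containerName;
        protocol_provider = "\${resource.authentik_provider_proxy.${containerName}.id}";
      }
    )
    // {
      home_assistant = {
        name = "home_assistant";
        slug = "home_assistant";
        protocol_provider = "\${resource.authentik_provider_oauth2.home_assistant.id}";
      };
      matrix = {
        name = "matrix";
        slug = "matrix";
        protocol_provider = "\${resource.authentik_provider_oauth2.matrix.id}";
      };
    };

  # Attach every provider (proxy and OIDC) to the embedded outpost.
  # The references here omit the `resource.` prefix used above; Terraform
  # accepts both spellings for managed resources.
  authentik_outpost_provider_attachment =
    forAuthContainers (
      containerName: _: {
        outpost = embeddedOutpost;
        protocol_provider = "\${authentik_provider_proxy.${containerName}.id}";
      }
    )
    // {
      home_assistant = {
        outpost = embeddedOutpost;
        protocol_provider = "\${authentik_provider_oauth2.home_assistant.id}";
      };
      matrix = {
        outpost = embeddedOutpost;
        protocol_provider = "\${authentik_provider_oauth2.matrix.id}";
      };
    };

  # OIDC providers for the two services that speak OpenID Connect directly
  # rather than sitting behind the forward-auth proxy.
  authentik_provider_oauth2 = {
    home_assistant = {
      name = "home_assistant";
      authorization_flow = authorizationFlow;
      invalidation_flow = invalidationFlow;
      client_id = hass.oidc_client_id;
      client_secret = hass.oidc_client_secret;

      property_mappings = [
        "\${data.authentik_property_mapping_provider_scope.proxy_outpost.id}"
        "\${data.authentik_property_mapping_provider_scope.openid_openid.id}"
        "\${data.authentik_property_mapping_provider_scope.openid_email.id}"
        "\${data.authentik_property_mapping_provider_scope.openid_profile.id}"
        "\${data.authentik_property_mapping_provider_scope.app_entitlement.id}"
        "\${data.authentik_property_mapping_provider_scope.openid_offline_access.id}"
        "\${data.authentik_property_mapping_provider_scope.authentik_api.id}"
      ];

      signing_key = "\${data.authentik_certificate_key_pair.generated.id}";

      # Strict matching: the redirect URI must match this callback exactly,
      # so the authorization code cannot be sent to any other origin or path.
      allowed_redirect_uris = [
        {
          matching_mode = "strict";
          url = "https://homeassistant.plg.m0rel.eu/auth/oidc/callback";
        }
      ];
    };

    # Unlike home_assistant, no property_mappings or signing_key are set
    # here, so Authentik's defaults apply — presumably intentional; confirm.
    matrix = {
      name = "matrix";
      authorization_flow = authorizationFlow;
      invalidation_flow = invalidationFlow;
      client_id = matrix.oidc_client_id;
      client_secret = matrix.oidc_client_secret;

      # Strict matching, as for home_assistant: exact callback URL only.
      allowed_redirect_uris = [
        {
          matching_mode = "strict";
          url = "https://matrix.plg.m0rel.eu/_synapse/client/oidc/callback";
        }
      ];
    };
  };
}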