{
  config,
  tools,
  lib,
  ...
}:
let
  cfg = config.my-lxc;

  # One secrets file per OIDC-enabled service. The attribute names used below
  # (`oidc_client_id`, `oidc_client_secret`) are whatever those files define;
  # note that the Vaultwarden file is read as `oidc_secret_id`, unlike the
  # others — presumably deliberate, but worth confirming against that file.
  matrix = import ../config/_matrix_secrets.nix;
  hass = import ../config/_ha_secrets.nix;
  vw = import ../config/_vw_secrets.nix;
  git = import ../config/_git_secrets.nix;
  nas = import ../config/_nas_secrets.nix;

  # Terraform interpolation strings shared by several resources. The leading
  # backslash keeps `${...}` literal in the Nix string so that Terraform, not
  # Nix, resolves the reference.
  defaultFlows = {
    authorization_flow = "\${data.authentik_flow.default-authorization-flow.id}";
    invalidation_flow = "\${data.authentik_flow.default-invalidation-flow.id}";
  };
  signingKey = "\${data.authentik_certificate_key_pair.generated.id}";
  embeddedOutpost = "\${data.authentik_outpost.embedded.id}";

  # Built-in scope mappings are looked up as data sources; the custom ones
  # defined in this file are referenced as managed resources.
  builtinScope = scope: "\${data.authentik_property_mapping_provider_scope.${scope}.id}";
  customScope = scope: "\${authentik_property_mapping_provider_scope.${scope}.id}";
  oauth2ProviderId = svc: "\${authentik_provider_oauth2.${svc}.id}";

  # Every OIDC client here uses a single, strictly matched redirect URI.
  strictRedirect = url: [
    {
      matching_mode = "strict";
      inherit url;
    }
  ];
  icon = file: "https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/png/${file}";

  # Apply `mk` to every container in `cfg` whose `auth` flag is set and drop
  # the empty attrsets produced for the containers without it.
  forAuthContainers =
    mk:
    lib.filterAttrs (_: v: v != { }) (
      lib.mapAttrs (containerName: def: lib.optionalAttrs def.auth (mk containerName def)) cfg
    );

  # Services that get a dedicated OAuth2 provider instead of the forward-auth
  # proxy. Their application and outpost-attachment entries are generated
  # from this table so the two lists cannot drift apart.
  oauth2Services = {
    home_assistant = {
      name = "Home Assistant";
      icon = "home-assistant.png";
    };
    matrix = {
      name = "matrix";
      icon = "matrix-light.png";
    };
    vaultwarden = {
      name = "vaultwarden";
      icon = "vaultwarden-light.png";
    };
    gitea = {
      name = "gitea";
      icon = "gitea.png";
    };
    nas = {
      name = "nas";
      icon = "synology-light.png";
    };
    jellyfin = {
      name = "jellyfin";
      icon = "jellyfin.png";
    };
  };
in
{
  # Forward-auth proxy provider, one per container that opted into `auth`.
  authentik_provider_proxy = forAuthContainers (
    containerName: _:
    defaultFlows
    // {
      name = containerName;
      external_host = "https://${tools.build_hostname containerName}/";
      mode = "forward_single";
    }
  );

  # Applications: proxied containers plus the OAuth2-backed services.
  authentik_application =
    forAuthContainers (containerName: def: {
      name = containerName;
      slug = containerName;
      protocol_provider = "\${resource.authentik_provider_proxy.${containerName}.id}";
      meta_description = def.description;
      meta_icon = def.icon;
    })
    // lib.mapAttrs (svc: meta: {
      inherit (meta) name;
      slug = svc;
      protocol_provider = "\${resource.authentik_provider_oauth2.${svc}.id}";
      meta_icon = icon meta.icon;
    }) oauth2Services;

  # Gitea role entitlements; the `gitea_entitlements` scope mapping below
  # collapses them into a single `gitea` claim.
  authentik_application_entitlement = lib.genAttrs [ "gitadmin" "gituser" "gitrestricted" ] (role: {
    name = role;
    application = "\${authentik_application.gitea.uuid}";
  });

  # Only the admin group is bound to an entitlement here; `gituser` and
  # `gitrestricted` have no binding in this file.
  authentik_policy_binding = {
    gitadmin_admin = {
      target = "\${authentik_application_entitlement.gitadmin.id}";
      group = "\${authentik_group.admins.id}";
      order = 0;
    };
  };

  # Attach every provider to the embedded outpost.
  authentik_outpost_provider_attachment =
    forAuthContainers (containerName: _: {
      outpost = embeddedOutpost;
      protocol_provider = "\${authentik_provider_proxy.${containerName}.id}";
    })
    // lib.mapAttrs (svc: _: {
      outpost = embeddedOutpost;
      protocol_provider = oauth2ProviderId svc;
    }) oauth2Services;

  authentik_property_mapping_provider_scope = {
    # Custom `email` scope that always marks the address as verified.
    vaultwarden_email = {
      name = "vaultwarden_email";
      scope_name = "email";
      expression = ''
        return {
          "email": request.user.email,
          "email_verified": True
        }
      '';
    };
    # Maps the user's Gitea entitlements to one `gitea` claim. When a user
    # holds several, the later assignments win: restricted > admin > user.
    gitea_entitlements = {
      name = "gitea_entitlements";
      scope_name = "gitea";
      expression = ''
        entitlement_names = {
          entitlement.name
          for entitlement in request.user.app_entitlements(provider.application)
        }
        gitea_claims = {}

        if "gituser" in entitlement_names:
          gitea_claims["gitea"] = "user"
        if "gitadmin" in entitlement_names:
          gitea_claims["gitea"] = "admin"
        if "gitrestricted" in entitlement_names:
          gitea_claims["gitea"] = "restricted"

        return gitea_claims
      '';
    };
  };

  authentik_provider_oauth2 = {
    home_assistant = defaultFlows // {
      name = "home_assistant";
      client_id = hass.oidc_client_id;
      client_secret = hass.oidc_client_secret;
      property_mappings = map builtinScope [
        "openid_openid"
        "openid_email"
        "openid_profile"
        "authentik_api"
      ];
      signing_key = signingKey;
      allowed_redirect_uris = strictRedirect "https://homeassistant.plg.m0rel.eu/auth/oidc/callback";
    };

    # No explicit property_mappings: this provider relies on the defaults.
    matrix = defaultFlows // {
      name = "matrix";
      client_id = matrix.oidc_client_id;
      client_secret = matrix.oidc_client_secret;
      allowed_redirect_uris = strictRedirect "https://matrix.plg.m0rel.eu/_synapse/client/oidc/callback";
      signing_key = signingKey;
    };

    vaultwarden = defaultFlows // {
      name = "vaultwarden";
      client_id = vw.oidc_client_id;
      client_secret = vw.oidc_secret_id;
      property_mappings =
        map builtinScope [
          "openid_openid"
          "openid_profile"
          "openid_offline_access"
        ]
        ++ [ (customScope "vaultwarden_email") ];
      signing_key = signingKey;
      allowed_redirect_uris = strictRedirect "https://vault.plg.m0rel.eu/identity/connect/oidc-signin";
    };

    gitea = defaultFlows // {
      name = "gitea";
      client_id = git.oidc_client_id;
      client_secret = git.oidc_client_secret;
      property_mappings =
        map builtinScope [
          "openid_openid"
          "openid_profile"
          "openid_offline_access"
        ]
        ++ [ (customScope "gitea_entitlements") ];
      signing_key = signingKey;
      allowed_redirect_uris = strictRedirect "https://git.plg.m0rel.eu/user/oauth2/authentik/callback";
    };

    nas = defaultFlows // {
      name = "nas";
      client_id = nas.oidc_client_id;
      client_secret = nas.oidc_client_secret;
      property_mappings = map builtinScope [
        "openid_openid"
        "openid_profile"
        "openid_email"
      ];
      signing_key = signingKey;
      # NOTE(review): strict match against the bare site root — confirm this
      # is the exact callback URL the NAS sends, otherwise logins will be
      # rejected.
      allowed_redirect_uris = strictRedirect "https://nas.plg.m0rel.eu/";
    };

    jellyfin = defaultFlows // {
      name = "jellyfin";
      # NOTE(review): these OIDC client credentials are hard-coded in source,
      # unlike every other provider in this file, which reads them from a
      # secrets file. They should move to a secrets file like the others and
      # the secret should be rotated, since it has been committed.
      client_id = "ea5qGtQMHx0w2za2Vf8zX4pxReoMdJtGtpYXnHng";
      client_secret = "f76AUcoIRwsrlL8Nrul82z6rAFSX79PsH6o25xSUfCPeeL25uA2pAJGIaCU8uX0yeqJ43aCnLhDeRkStSd9kf6CUdlDjcvMxMw6GdR1sl9VSyeU6mf4fF37PXETShayt";
      property_mappings = map builtinScope [
        "openid_openid"
        "openid_profile"
        "openid_email"
      ];
      signing_key = signingKey;
      allowed_redirect_uris = strictRedirect "https://media.plg.m0rel.eu/sso/OID/start/authentik";
    };
  };

  # `admins` is an Authentik superuser group; membership grants full control
  # of the Authentik instance, not just the gitadmin entitlement bound above.
  authentik_group = {
    admins = {
      name = "Admin";
      is_superuser = true;
    };
    users = {
      name = "Utilisateur";
    };
    visitors = {
      name = "Visiteur";
    };
  };

  authentik_user = {
    yoru = {
      username = "yoru";
      name = "Xavier";
      email = "morelx42@protonmail.com";
      groups = [
        "\${authentik_group.admins.id}"
        "\${authentik_group.users.id}"
      ];
    };
    shauni = {
      username = "shauni";
      name = "Laetitia";
      email = "laetitia.laversin@gmail.com";
      groups = [
        "\${authentik_group.admins.id}"
        "\${authentik_group.users.id}"
      ];
    };
    # No email attribute, so any email-based scope yields nothing for this user.
    lily = {
      username = "lily";
      name = "Lily";
      groups = [
        "\${authentik_group.users.id}"
      ];
    };
  };
}