Use OIDC auth for freshrss

This commit is contained in:
Pim Kunis 2025-02-08 13:02:59 +01:00
parent 05f020ecb3
commit 7f1505878b
4 changed files with 76 additions and 3 deletions


@ -51,9 +51,52 @@
key = "smtpPassword";
path = "smtpPassword";
}
{
key = "oidc_hmac_secret";
path = "oidc_hmac_secret";
}
{
key = "oidc_jwk_rs256_private";
path = "oidc.jwk.RS256.pem";
}
{
key = "freshrss_client_secret";
path = "freshrss_client_secret";
}
];
configMap = {
identity_providers.oidc = {
enabled = true;
consent_mode = "implicit";
hmac_secret = {
secret_name = "authelia";
path = "oidc_hmac_secret";
};
jwks = [
{
algorithm = "RS256";
key.path = "/secrets/authelia/oidc.jwk.RS256.pem";
}
];
clients = [
{
client_id = "HDp48U5TaX-3gWKNEfHx5ea2C7gfaQm-OsSWREq4WTzln56IBGy.rT61lq9rF-LTZFlWOd44";
client_name = "FreshRSS";
client_secret.path = "/secrets/authelia/freshrss_client_secret";
public = false;
authorization_policy = "two_factor";
redirect_uris = ["https://rss.kun.is:443/i/oidc/"];
scopes = ["openid" "groups" "email" "profile"];
userinfo_signed_response_alg = "none";
token_endpoint_auth_method = "client_secret_basic";
}
];
};
access_control = {
default_policy = "one_factor";
@ -140,6 +183,10 @@
session = "ref+sops://secrets.yml#/authelia/encryption_keys/session";
smtpPassword = "ref+sops://secrets.yml#/authelia/smtpPassword";
users = "ref+sops://secrets.yml#/authelia/users";
oidc_hmac_secret = "ref+sops://secrets.yml#/authelia/oidc/hmac_secret";
oidc_jwk_rs256_private = "ref+sops://secrets.yml#/authelia/oidc/jwk_rs256/private";
oidc_jwk_rs256_public = "ref+sops://secrets.yml#/authelia/oidc/jwk_rs256/public";
freshrss_client_secret = "ref+sops://secrets.yml#/authelia/oidc/freshrss_client_secret";
};
};
};
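Review bot: In the first hunk, `client_secret.path = "/secrets/authelia/freshrss_client_secret"` points Authelia at the same sops entry (`authelia/oidc/freshrss_client_secret`) that FreshRSS later receives in plaintext as `OIDC_CLIENT_SECRET`, so the provider side stores the raw shared secret rather than a digest. As I recall Authelia's client documentation, `client_secret` is expected to be a password-hash digest (pbkdf2 or argon2id) of the value the client holds, and a plaintext value is accepted only with a warning; with plaintext, reading Authelia's secret mount yields a credential that works directly against the token endpoint. Consider a second sops entry holding the digest for Authelia and keeping the plaintext only on the FreshRSS side, annotated in this file with `# digest of the FreshRSS client secret; the plaintext is only given to FreshRSS`. Separately, `oidc_jwk_rs256_public` is added to the sops references in the second hunk but does not appear among the mounted secret entries in the first hunk, so it may be unused; that first hunk shows fewer lines than its header announces, so this is tentative.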


@ -36,6 +36,14 @@
CRON_MIN.value = "2,32";
ADMIN_EMAIL.value = "pim@kunis.nl";
PUBLISHED_PORT.value = "443";
OIDC_ENABLED.value = "1";
OIDC_PROVIDER_METADATA_URL.value = "https://auth.kun.is/.well-known/openid-configuration";
OIDC_CLIENT_ID.value = "HDp48U5TaX-3gWKNEfHx5ea2C7gfaQm-OsSWREq4WTzln56IBGy.rT61lq9rF-LTZFlWOd44";
OIDC_CLIENT_SECRET.value = "ref+sops://secrets.yml#/authelia/oidc/freshrss_client_secret";
OIDC_CLIENT_CRYPTO_KEY.value = "ref+sops://secrets.yml#/freshrss/oidc_crypto_key";
OIDC_REMOTE_USER_CLAIM.value = "preferred_username";
OIDC_SCOPES.value = "openid groups email profile";
OIDC_X_FORWARDED_HEADERS.value = "X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto";
ADMIN_PASSWORD.valueFrom.secretKeyRef = {
name = "server";
@ -76,9 +84,20 @@
targetPort = "web";
};
};
ingresses.freshrss.metadata.annotations."traefik.ingress.kubernetes.io/router.middlewares" = "kube-system-forwardauth-authelia@kubernetescrd";
};
lab = {
ingresses.freshrss = {
host = "rss.kun.is";
service = {
name = "server";
portName = "web";
};
};
tailscaleIngresses.tailscale = {
host = "freshrss";
service.name = "server";
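Review bot: In the first hunk, `OIDC_CLIENT_SECRET.value` and `OIDC_CLIENT_CRYPTO_KEY.value` carry a `ref+sops://` reference, whereas `ADMIN_PASSWORD` directly below uses `valueFrom.secretKeyRef`; if that reference is resolved at render time (as the `ref+sops://` form suggests), the resolved secret becomes a literal env value in the Deployment spec, readable by anyone who can get deployments or pods and retained in revision history, instead of living in a Kubernetes Secret. Consider putting both keys into the same Secret as the admin password and reading them with `valueFrom.secretKeyRef = { name = "server"; key = "oidc_client_secret"; }` (and likewise for the crypto key). The env block continues past the bottom of that hunk, and the second hunk shows fewer lines than its header announces, so whether the forward-auth middleware annotation line was added or removed cannot be read from this page.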


@ -42,7 +42,7 @@
pathType = "Prefix";
backend.service = {
name = service.name;
inherit (service) name;
port.name = service.portName;
};
}


@ -1,5 +1,6 @@
freshrss:
password: ENC[AES256_GCM,data:ECDPrW+VgO8PY9p2fLIreRETNiRL5ZGnu/PMC7aNj8KaWfyNYL+l3w==,iv:srR/r1EtOpC/CKKrCDKcTLVdMFPAYIJIB1CCg8mS0UU=,tag:YN4PqR5uvPkVskpJWD+91g==,type:str]
oidc_crypto_key: ENC[AES256_GCM,data:+RX1P6PmMuyBeSFlwAChM9tX/JMda4DrQ7JH7Z+tbzXRuRb4nTMR6G7cINeQFah4W30VwdxBqbpRsCdfjR1FrkcwsG1ioDRpuma5VTaHp3TyLZvBWZ/BCi7G+d89qJmymaPGclES2j9YHWRobr7jcFIuiJD/t3jQ/T8iwt72jiY=,iv:lawZnDO7JH2P3jViaFzVzJZFp0e/Ym4/169AsvHg2+0=,tag:SO33RifFpLRXqXFpLQczjw==,type:str]
pihole:
password: ENC[AES256_GCM,data:MA60825Tl6aYEFVoPgo8k5Vjb9zmIxtPLJriQV1B3P1bOKu1KK7vxQ==,iv:RGZHox8CbJiEEEjMo2k/tNbtjCPy/QY7vOuMN/YNZcg=,tag:yphrq03IKpXM/tSDBLeSgA==,type:str]
hedgedoc:
@ -34,6 +35,12 @@ authelia:
storage: ENC[AES256_GCM,data:RbD5StdFItHooBt/ESeAqnBRWV8USKedplz9cnZTA5K9k2EIE99yDdwkL+UNpRjN5oTImqQtWo3ESuBiq439ftSMeMyWT++qkV3ImbPOEYInLPdwHTxb28CC5zbY3FGH+GdB5q9V3zK+Pofslw6BMCsoL++tV8EWjX2isCfkWSk=,iv:e83TCcMW2qEc+R2E8209dhRUJvLZw2MPu4IWMSQVMy8=,tag:opewKZtNr4VT5Gj9l9B71Q==,type:str]
session: ENC[AES256_GCM,data:N50TuHkiOvjxbhTzwy7cjYSyMM9txYCas8x+zEhC2vshWi4pD0dHNDVz90jS0waDYAKLxTMYUT9v9zpkXoQ+X2VWa+tzDU3IWixclHktew/ufWN7nXCRBCW/ZEw8Tm4bB61GTalXfpra3q8Z88bMhGcEfaCiHwfnMbhVn5jjQtM=,iv:QPTVCPzuLAZI06rRPCLYiyW/hd3P/r/nxocI4u3qRtk=,tag:1oqJoQedqGsln48jQphENw==,type:str]
smtpPassword: ENC[AES256_GCM,data:Zd2F237gWaL555lf022zjr7VHVcAFUyFxg==,iv:ka8YuGFclNrWV1U0g2ERypiKy6rN5ppPIVlsjBqkFrI=,tag:e+5fO6VR1z1cqYTXJ6Yo+Q==,type:str]
oidc:
hmac_secret: ENC[AES256_GCM,data:4SDX5lopMeomhkMpkei6Qu6S+BBhFGCZswBfOtfWNSzv3qAEme9h3wQeIQ2W18J84RwprTpDZdkk++bbAYoch2iZF1yEV+8XBcmVcg4q+s5isn0lAaTDhHHCZ6Cci8KuyYy5/tcMDgF61oM5H0g7nGv7rhPD8clDubZwAvEDf7g=,iv:S7cCKyWbB4QaqGYsrp9JavKBAMxnfzhnl5bMRyq4TT4=,tag:S2+NglxgDsi4ivvR2FYjsQ==,type:str]
freshrss_client_secret: ENC[AES256_GCM,data:TLCQaJ8FZX9fVErXE84akyRE0ZWPJBiAxKjdpr4eXClxECGUQZO0Vu07dwj0mzRUiMMpNthBibxNeOGnE147Fht1tET3EuEe,iv:F0iZpzJyZvYjNlxMFeVzLlquWqsV3J0M1eTr0oNn+QQ=,tag:6eD4AUc7VK6aBGUr/Oe0lQ==,type:str]
jwk_rs256:
private: ENC[AES256_GCM,data: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,iv:cZQEw3E1Kq+Qg1ZB0gwMW87NG1z/tGDnQOpRiCsdpUs=,tag:N/JqLdXIwCerHynMhmvhug==,type:str]
public: ENC[AES256_GCM,data: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,iv:o8F7qgHLWhWXEOOSzum+Qore2tGSraqmC1VMWtpaj0I=,tag:Kn5myis0OwoCMa+8yhssPg==,type:str]
users: ENC[AES256_GCM,data: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,iv:9hm49dFfD6O0YV5YdyXqyiU1vjSHNuH4/+JcXiN+PWI=,tag:jM6atf1M0cgDcAiFOd626Q==,type:str]
sops:
kms: []
@ -59,8 +66,8 @@ sops:
azR0UkJyL0RwUVk4ZzdkSWptcDlWVjAK5FU9B5TBSnV3azO4eCv13T6i3dGGuI68
UgBrVEb1/Fv+4XTjeSEhpiOaH8sNWYoNa3Aa7uTZYlHDRWga2GC7zw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-02-06T09:44:26Z"
mac: ENC[AES256_GCM,data:1KuTjnTtXftuVzE18ULskydigmLavdy740+/K0PN7p8FSJ7IKU1XP9L93mmxoQOFN1MrVl7ENrY0Wu9/UOG6xSK0S3HcfQKyO8i0Jtgj1tUodcWR/kb7BTwJ3oylQ5xXnHd2rdlaE1y3ZfarFvZqokBsNyux0t9tZYGcRA5W6ZQ=,iv:hnHbV2oNeFu+EJXZS39oa7QMOSL9tuHCVpvjIg6TSFk=,tag:4EijW78hQ4IHb6atatJktQ==,type:str]
lastmodified: "2025-02-08T11:58:45Z"
mac: ENC[AES256_GCM,data:ZHE9vdafH6oQnwHJb1p9FRBKB3Q5V6UK+6kiRt96p82aWG/PYtlxxt/Fc9pdgItSN4iVma8sDSs+IRpS5qUvRE5H71fqNDpGE7gfKn3QbK/GRN1WJv4P0Dg3tghFw+oqQ8hqPffGM2UurYlax9T2TnUEyZw8VdDMaTrGbQrjjQ8=,iv:iErbT0QSfgGFVNbz/QBqqZQbEJcfPn3t5QIGEWQgRx8=,tag:xJsYBMoGmxF26c7Rewtvlg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.2