home/kubernetes-deployments
2
0
Fork 0
Code Issues 3 Pull requests Projects Releases Packages Wiki Activity Actions

Enable Authelia auth for Hedgedoc

Browse source
This commit is contained in:
Pim Kunis 2025-02-09 00:23:12 +01:00
parent c69d909b2f
commit 9838069c4c
5 changed files with 45 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

18
modules/authelia.nix
View file

@ -63,6 +63,10 @@
key = "freshrss_client_secret";
path = "freshrss_client_secret";
}
{
key = "hedgedoc_client_secret";
path = "hedgedoc_client_secret";
}
];
configMap = {
@ -94,6 +98,17 @@
token_endpoint_auth_method = "client_secret_basic";
consent_mode = "implicit";
}
{
client_id = "ZZI33JnLIuGk58HPkN_YEfETxNTz-1Mq--YPu9Sa6Y39BwykY0GDmxBVn1w9X70fIHT09xHq";
client_name = "HedgeDoc";
client_secret.path = "/secrets/authelia/hedgedoc_client_secret";
public = false;
authorization_policy = "two_factor";
redirect_uris = ["https://md.kun.is/auth/oauth2/callback"];
scopes = ["openid" "profile" "email" "groups"];
userinfo_signed_response_alg = "none";
token_endpoint_auth_method = "client_secret_post";
}
];
};
@ -186,7 +201,8 @@
oidc_hmac_secret = "ref+sops://secrets.yml#/authelia/oidc/hmac_secret";
oidc_jwk_rs256_private = "ref+sops://secrets.yml#/authelia/oidc/jwk_rs256/private";
oidc_jwk_rs256_public = "ref+sops://secrets.yml#/authelia/oidc/jwk_rs256/public";
freshrss_client_secret = "ref+sops://secrets.yml#/authelia/oidc/freshrss_client_secret";
freshrss_client_secret = "ref+sops://secrets.yml#/freshrss/oidc/client_secret/digest";
hedgedoc_client_secret = "ref+sops://secrets.yml#/hedgedoc/oidc/client_secret/digest";
};
};
};

4
modules/freshrss.nix
View file

@ -39,8 +39,8 @@
OIDC_ENABLED.value = "1";
OIDC_PROVIDER_METADATA_URL.value = "https://auth.kun.is/.well-known/openid-configuration";
OIDC_CLIENT_ID.value = "HDp48U5TaX-3gWKNEfHx5ea2C7gfaQm-OsSWREq4WTzln56IBGy.rT61lq9rF-LTZFlWOd44";
OIDC_CLIENT_SECRET.value = "ref+sops://secrets.yml#/authelia/oidc/freshrss_client_secret";
OIDC_CLIENT_CRYPTO_KEY.value = "ref+sops://secrets.yml#/freshrss/oidc_crypto_key";
OIDC_CLIENT_SECRET.value = "ref+sops://secrets.yml#/freshrss/oidc/client_secret/password";
OIDC_CLIENT_CRYPTO_KEY.value = "ref+sops://secrets.yml#/freshrss/oidc/crypto_key";
OIDC_REMOTE_USER_CLAIM.value = "preferred_username";
OIDC_SCOPES.value = "openid groups email profile";
OIDC_X_FORWARDED_HEADERS.value = "X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto";

13
modules/hedgedoc.nix
View file

@ -54,6 +54,19 @@
CMD_PROTOCOL_USESSL.value = "true";
CMD_CSP_ENABLE.value = "false";
CMD_OAUTH2_PROVIDERNAME.value = "Authelia";
CMD_OAUTH2_AUTHORIZATION_URL.value = "https://auth.kun.is/api/oidc/authorization";
CMD_OAUTH2_TOKEN_URL.value = "https://auth.kun.is/api/oidc/token";
CMD_OAUTH2_USER_PROFILE_URL.value = "https://auth.kun.is/api/oidc/userinfo";
CMD_OAUTH2_CLIENT_ID.value = "ZZI33JnLIuGk58HPkN_YEfETxNTz-1Mq--YPu9Sa6Y39BwykY0GDmxBVn1w9X70fIHT09xHq";
CMD_OAUTH2_CLIENT_SECRET.value = "ref+sops://secrets.yml#/hedgedoc/oidc/client_secret/password";
CMD_OAUTH2_SCOPE.value = "openid email profile groups";
CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR.value = "preferred_username";
CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR.value = "name";
CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR.value = "email";
CMD_OAUTH2_ROLES_CLAIM.value = "groups";
CMD_OAUTH2_ACCESS_ROLE.value = "hedgedoc";
CMD_DB_URL.valueFrom.secretKeyRef = {
name = "hedgedoc";
key = "databaseURL";

1
modules/traefik.nix
View file

@ -70,6 +70,7 @@
spec.forwardAuth = {
address = "http://authelia.authelia.svc.cluster.local/api/authz/forward-auth";
authResponseHeaders = [
"Remote-User"
"Remote-Groups"