feat: add openid connect to actual
This commit is contained in:
parent
c4891afe7d
commit
a1f271caf0
6 changed files with 64 additions and 0 deletions
|
@ -1,11 +1,14 @@
|
|||
{
|
||||
config,
|
||||
globals,
|
||||
lib,
|
||||
pkgs,
|
||||
nodes,
|
||||
...
|
||||
}:
|
||||
let
|
||||
actualDomain = "finance.${globals.domains.me}";
|
||||
client_id = "actual";
|
||||
in
|
||||
{
|
||||
wireguard.proxy-sentinel = {
|
||||
|
@ -13,6 +16,11 @@ in
|
|||
firewallRuleForNode.sentinel.allowedTCPPorts = [ config.services.actual.settings.port ];
|
||||
};
|
||||
|
||||
# Mirror the original oauth2 secret
|
||||
age.secrets.actual-oauth2-client-secret = {
|
||||
inherit (nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-actual) rekeyFile;
|
||||
};
|
||||
|
||||
environment.persistence."/persist".directories = [
|
||||
{
|
||||
directory = "/var/lib/private/actual";
|
||||
|
@ -25,6 +33,29 @@ in
|
|||
settings.trustedProxies = [ nodes.sentinel.config.wireguard.proxy-sentinel.ipv4 ];
|
||||
};
|
||||
|
||||
# NOTE: state: to enable openid, we need to call their enable-openid script once
|
||||
# which COPIES this data to the database :( so changing these values later will
|
||||
# require manual intervention.
|
||||
systemd.services.actual = {
|
||||
serviceConfig.ExecStart = lib.mkForce [
|
||||
(pkgs.writeShellScript "start-actual" ''
|
||||
export ACTUAL_OPENID_CLIENT_SECRET=$(< "$CREDENTIALS_DIRECTORY"/oauth2-client-secret)
|
||||
exec ${lib.getExe config.services.actual.package}
|
||||
'')
|
||||
];
|
||||
serviceConfig.LoadCredential = [
|
||||
"oauth2-client-secret:${config.age.secrets.actual-oauth2-client-secret.path}"
|
||||
];
|
||||
environment = {
|
||||
ACTUAL_OPENID_ENFORCE = "true";
|
||||
ACTUAL_TOKEN_EXPIRATION = "openid-provider";
|
||||
|
||||
ACTUAL_OPENID_DISCOVERY_URL = "https://${globals.services.kanidm.domain}/oauth2/openid/${client_id}/.well-known/openid-configuration";
|
||||
ACTUAL_OPENID_CLIENT_ID = client_id;
|
||||
ACTUAL_OPENID_SERVER_HOSTNAME = "https://${actualDomain}";
|
||||
};
|
||||
};
|
||||
|
||||
globals.services.actual.domain = actualDomain;
|
||||
globals.monitoring.http.actual = {
|
||||
url = "https://${actualDomain}/";
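Review bot: The start-actual wrapper does not fail closed at the `export ACTUAL_OPENID_CLIENT_SECRET=$(< "$CREDENTIALS_DIRECTORY"/oauth2-client-secret)` line: `pkgs.writeShellScript` does not enable `set -e`, and even with it the `export VAR=$(...)` form masks the substitution's exit status, so a missing or unreadable credential starts Actual with an empty client secret and only breaks later at the token exchange. Read the file into a variable first and refuse to start when it is empty, e.g. `secret=$(< "$CREDENTIALS_DIRECTORY"/oauth2-client-secret) || exit 1`, `[ -n "$secret" ] || { echo "oauth2-client-secret is empty" >&2; exit 1; }`, `export ACTUAL_OPENID_CLIENT_SECRET=$secret`. Exporting the secret also places it in the process environment, where it is readable through `/proc/<pid>/environ` by the service user and inherited by every child process, so if Actual's config file can carry the OpenID client secret (I believe recent versions read an openId block from config.json, verify before relying on it), passing it that way would keep it out of the environment. The NOTE about enable-openid copying values into the database is worth extending to rotation: kanidm-oauth2-actual comes from mkRandomSecret, so regenerating it silently breaks login until that step is repeated, which is a fact an operator will want in the comment. The `globals.monitoring.http.actual` attrset at the end of the hunk continues outside it.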
|
||||
|
|
|
@ -35,6 +35,7 @@ in
|
|||
age.secrets.kanidm-admin-password = mkRandomSecret;
|
||||
age.secrets.kanidm-idm-admin-password = mkRandomSecret;
|
||||
|
||||
age.secrets.kanidm-oauth2-actual = mkRandomSecret;
|
||||
age.secrets.kanidm-oauth2-forgejo = mkRandomSecret;
|
||||
age.secrets.kanidm-oauth2-grafana = mkRandomSecret;
|
||||
age.secrets.kanidm-oauth2-immich = mkRandomSecret;
|
||||
|
@ -136,6 +137,23 @@ in
|
|||
];
|
||||
};
|
||||
|
||||
# Actual
|
||||
groups."actual.access" = { };
|
||||
systems.oauth2.actual = {
|
||||
displayName = "Actual Budget";
|
||||
originUrl = "https://${globals.services.actual.domain}/openid/callback";
|
||||
originLanding = "https://${globals.services.actual.domain}/";
|
||||
basicSecretFile = config.age.secrets.kanidm-oauth2-actual.path;
|
||||
preferShortUsername = true;
|
||||
# XXX: RS256 is used instead of ES256 so additionally we need legacy crypto
|
||||
enableLegacyCrypto = true;
|
||||
scopeMaps."actual.access" = [
|
||||
"openid"
|
||||
"email"
|
||||
"profile"
|
||||
];
|
||||
};
|
||||
|
||||
# Firezone
|
||||
groups."firezone.access" = { };
|
||||
systems.oauth2.firezone = {
|
||||
|
|