feat: enable OIDC in paperless

2024-03-12 23:01:43 +01:00 · 2024-03-12 23:01:43 +01:00 · 6c9042b4d2
commit 6c9042b4d2
parent 605aee0a67
6 changed files with 77 additions and 39 deletions
--- a/hosts/sire/guests/paperless.nix
+++ b/hosts/sire/guests/paperless.nix
@ -2,6 +2,7 @@
  config,
  lib,
  nodes,
+  pkgs,
  ...
 }: let
  sentinelCfg = nodes.sentinel.config;
@ -47,6 +48,13 @@ in {
    group = "paperless";
  };

+  # Mirror the original oauth2 secret
+  age.secrets.paperless-oauth2-client-secret = {
+    inherit (nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-paperless) rekeyFile;
+    mode = "440";
+    group = "paperless";
+  };
+
  environment.persistence."/persist".directories = [
    {
      directory = "/var/lib/paperless";
@ -56,11 +64,6 @@ in {
    }
  ];

-  # TODO: workaround for https://github.com/paperless-ngx/paperless-ngx/discussions/5606
-  systemd.services.paperless-web.script = lib.mkBefore ''
-    mkdir -p /tmp/paperless
-  '';
-
  services.paperless = {
    enable = true;
    address = "0.0.0.0";
@ -73,6 +76,24 @@ in {
      PAPERLESS_CORS_ALLOWED_HOSTS = "https://${paperlessDomain}";
      PAPERLESS_TRUSTED_PROXIES = sentinelCfg.meta.wireguard.proxy-sentinel.ipv4;

+      # Authentication via kanidm
+      PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
+      PAPERLESS_SOCIALACCOUNT_PROVIDERS = builtins.toJSON {
+        openid_connect = {
+          OAUTH_PKCE_ENABLED = "True";
+          APPS = [
+            rec {
+              provider_id = "kanidm";
+              name = "Kanidm";
+              client_id = "paperless";
+              # secret will be added dynamically
+              #secret = "";
+              settings.server_url = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/${client_id}/.well-known/openid-configuration";
+            }
+          ];
+        };
+      };
+
      # Ghostscript is entirely bug-free.
      PAPERLESS_OCR_USER_ARGS = builtins.toJSON {
        continue_on_soft_render_error = true;
@ -109,6 +130,16 @@ in {
    mode = "0700";
  };

+  # Add secret to PAPERLESS_SOCIALACCOUNT_PROVIDERS
+  systemd.services.paperless-web.script = lib.mkBefore ''
+    oidcSecret=$(< ${config.age.secrets.paperless-oauth2-client-secret.path})
+    export PAPERLESS_SOCIALACCOUNT_PROVIDERS=$(
+      ${pkgs.jq}/bin/jq <<< "$PAPERLESS_SOCIALACCOUNT_PROVIDERS" \
+        --compact-output \
+        --arg oidcSecret "$oidcSecret" '.openid_connect.APPS.[0].secret = $oidcSecret'
+    )
+  '';
+
  systemd.services.paperless-backup = let
    cfg = config.systemd.services.paperless-consumer;
  in {