feat: enable OIDC in paperless

This commit is contained in:
oddlama 2024-03-12 23:01:43 +01:00
parent 605aee0a67
commit 6c9042b4d2
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
6 changed files with 77 additions and 39 deletions


@ -7,6 +7,12 @@
sentinelCfg = nodes.sentinel.config;
kanidmDomain = "auth.${domains.me}";
kanidmPort = 8300;
mkRandomSecret = {
generator.script = "alnum";
mode = "440";
group = "kanidm";
};
in {
meta.wireguard-proxy.sentinel.allowedTCPPorts = [kanidmPort];
@ -22,41 +28,14 @@ in {
group = "kanidm";
};
age.secrets.kanidm-admin-password = {
generator.script = "alnum";
mode = "440";
group = "kanidm";
};
age.secrets.kanidm-admin-password = mkRandomSecret;
age.secrets.kanidm-idm-admin-password = mkRandomSecret;
age.secrets.kanidm-idm-admin-password = {
generator.script = "alnum";
mode = "440";
group = "kanidm";
};
age.secrets.kanidm-oauth2-immich = {
generator.script = "alnum";
mode = "440";
group = "kanidm";
};
age.secrets.kanidm-oauth2-grafana = {
generator.script = "alnum";
mode = "440";
group = "kanidm";
};
age.secrets.kanidm-oauth2-forgejo = {
generator.script = "alnum";
mode = "440";
group = "kanidm";
};
age.secrets.kanidm-oauth2-web-sentinel = {
generator.script = "alnum";
mode = "440";
group = "kanidm";
};
age.secrets.kanidm-oauth2-forgejo = mkRandomSecret;
age.secrets.kanidm-oauth2-grafana = mkRandomSecret;
age.secrets.kanidm-oauth2-immich = mkRandomSecret;
age.secrets.kanidm-oauth2-paperless = mkRandomSecret;
age.secrets.kanidm-oauth2-web-sentinel = mkRandomSecret;
nodes.sentinel = {
networking.providedDomains.kanidm = kanidmDomain;
@ -130,6 +109,16 @@ in {
scopeMaps."immich.access" = ["openid" "email" "profile"];
};
# Paperless
groups."paperless.access" = {};
systems.oauth2.paperless = {
displayName = "Paperless";
originUrl = "https://${sentinelCfg.networking.providedDomains.paperless}/";
basicSecretFile = config.age.secrets.kanidm-oauth2-paperless.path;
preferShortUsername = true;
scopeMaps."paperless.access" = ["openid" "email" "profile"];
};
# Grafana
groups."grafana.access" = {};
groups."grafana.editors" = {};
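Review bot: The new `systems.oauth2.paperless` block sets `preferShortUsername = true;`, so the username claim handed to Paperless is the bare kanidm account name rather than the full SPN; if the Paperless side (configured in one of the other changed files, not shown here) links SSO logins to local users by that name, a pre-existing local Paperless user with the same short name would be taken over by the first matching kanidm login, so this deserves a comment at that line such as `# short usernames: local Paperless accounts must not collide with kanidm names`. `originUrl` is the bare site root, consistent with the immich and grafana clients above, but if the deployed kanidm version enforces exact redirect-URI matching the Paperless callback path would have to be registered instead, so the assumption is worth a short note next to it. The `paperless.access` group is created empty, meaning no account can sign in to Paperless until members are added outside this commit; that mirrors the other groups, but a one-line comment like `# membership is managed manually` would save the next reader a search.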