From 6ed22d37af9ea801eaeb2e07e694b468fc988939 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Sun, 18 May 2025 21:36:14 +0200
Subject: [PATCH] fix: add client secret to mealie
---
README.md | 3 +-
hosts/ward/guests/mealie.nix | 34 ++++++++++++++----
.../ward-mealie/oauth2-client-secret.age | 10 ++++++
...b084371f4642325b3-oauth2-client-secret.age | 8 +++++
...837795ef02-mealie-oauth2-client-secret.age | Bin 323 -> 0 bytes
5 files changed, 47 insertions(+), 8 deletions(-)
create mode 100644 secrets/generated/ward-mealie/oauth2-client-secret.age
create mode 100644 secrets/rekeyed/ward-mealie/3c1d549b74984c0b084371f4642325b3-oauth2-client-secret.age
delete mode 100644 secrets/rekeyed/ward-mealie/485e1790e4fd24baa9495d837795ef02-mealie-oauth2-client-secret.age
diff --git a/README.md b/README.md
index 7e6055c..e702025 100644
--- a/README.md
+++ b/README.md
@@ -54,7 +54,8 @@ I've included the major components in the lists below.
 📄 Documents | Paperless | [Link](./hosts/sire/guests/paperless.nix) | Document management system. With per-user Samba share integration (consume & archive)
 🗓️ CalDAV/CardDAV | Radicale | [Link](./hosts/ward/guests/radicale.nix) | Contacts, Calender and Tasks synchronization
 📁 NAS | Samba | [Link](./hosts/sire/guests/samba.nix) | Network attached storage. Cross-integration with paperless
-🌐 VPN | Firezone | [Link](./hosts/ward/guests/firezone.nix) | Internal network gateway and wireguard VPN server with dynamic peer configuration and SSO authentication.
+🌐 VPN | Firezone | [Link](./hosts/ward/guests/firezone.nix) | Internal network gateway and wireguard VPN server with dynamic peer configuration and SSO authentication
+🥗 Recipes | Mealie | [Link](./hosts/ward/guests/mealie.nix) | Recipe manager and meal planner
 🏠 Home Automation | Home Assistant | [Link](./hosts/zackbiene/home-assistant.nix) | Automation with Home Assistant and many related services
 📧 Mailserver | Stalwart | [Link](./hosts/envoy/stalwart-mail.nix) | Modern mail server setup with custom self-service alias management including Bitwarden integration
 🧱 Minecraft | PaperMC | [Link](./hosts/sire/guests/minecraft.nix) | Minecraft game server. Autostart on connect, systemd service with background console, automatic backups
diff --git a/hosts/ward/guests/mealie.nix b/hosts/ward/guests/mealie.nix
index 54289a7..a0cdad0 100644
--- a/hosts/ward/guests/mealie.nix
+++ b/hosts/ward/guests/mealie.nix
@@ -13,9 +13,23 @@ in
 firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [ config.services.mealie.port ];
 };
- # Mirror the original oauth2 secret
- age.secrets.mealie-oauth2-client-secret = {
- inherit (nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-mealie) rekeyFile;
+ # Mirror the original oauth2 secret, but prepend OIDC_CLIENT_SECRET=
+ # so it can be used as an EnvironmentFile
+ age.secrets.oauth2-client-secret = {
+ generator.dependencies = [
+ nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-mealie
+ ];
+ generator.script =
+ {
+ lib,
+ decrypt,
+ deps,
+ ...
+ }:
+ ''
+ echo -n "OIDC_CLIENT_SECRET="
+ ${decrypt} ${lib.escapeShellArg (lib.head deps).file}
+ '';
 mode = "440";
 };
@@ -41,16 +55,22 @@ in
 ALLOW_SIGNUP = "false";
 BASE_URL = "https://${mealieDomain}";
 TZ = config.time.timeZone;
- TOKEN_TIME = 87600; # 10 years session time - this is only internal so who cares
+ OIDC_AUTH_ENABLED = "true";
- OIDC_AUTO_REDIRECT = "true";
- OIDC_CLIENT_ID = "mealie";
- OIDC_CONFIGURATION_URL = "https://${globals.services.kanidm.domain}/oauth2/openid/${OIDC_CLIENT_ID}/.well-known/openid-configuration";
 OIDC_SIGNUP_ENABLED = "true";
+ OIDC_AUTO_REDIRECT = "true";
+ OIDC_REMEMBER_ME = "true";
+
+ OIDC_CLIENT_ID = "mealie";
+ OIDC_SIGNING_ALGORITHM = "ES256";
+ OIDC_USER_CLAIM = "preferred_username";
+ OIDC_PROVIDER_NAME = "Kanidm";
+ OIDC_CONFIGURATION_URL = "https://${globals.services.kanidm.domain}/oauth2/openid/${OIDC_CLIENT_ID}/.well-known/openid-configuration";
 OIDC_USER_GROUP = "user";
 OIDC_ADMIN_GROUP = "admin";
 };
+ credentialsFile = config.age.secrets.oauth2-client-secret.path;
 };
 nodes.ward-web-proxy = {
diff --git a/secrets/generated/ward-mealie/oauth2-client-secret.age b/secrets/generated/ward-mealie/oauth2-client-secret.age
new file mode 100644
index 0000000..d39fa39
--- /dev/null
+++ b/secrets/generated/ward-mealie/oauth2-client-secret.age
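Review bot: The generated EnvironmentFile line writes the raw kanidm secret directly after `OIDC_CLIENT_SECRET=` with no quoting, so it silently relies on the secret containing none of the characters systemd's EnvironmentFile parser treats specially (leading or trailing whitespace, `#`, quotes, backslashes, embedded newlines), and nothing in this hunk guarantees that. The value is produced by Kanidm and is presumably a plain random token, but that is outside this diff, so either state the assumption in the comment, e.g. `# Assumes the kanidm-issued secret contains no whitespace, quotes, '\' or '#': the value is not quoted for EnvironmentFile`, or emit a quoted value such as `printf 'OIDC_CLIENT_SECRET="%s"\n' "$(${decrypt} ${lib.escapeShellArg (lib.head deps).file})"` (still not safe against `"` or `\` in the secret). Note also that the secret now exists as two independently encrypted copies, so a rotation of `kanidm-oauth2-mealie` must regenerate this secret as well; the `generator.dependencies` entry only covers that if the rekey tooling re-runs dependents when their input changes. The attribute set this hunk lives in starts before the hunk.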
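Review bot: `OIDC_SIGNING_ALGORITHM = "ES256"`, `OIDC_USER_CLAIM = "preferred_username"` and the `OIDC_USER_GROUP`/`OIDC_ADMIN_GROUP` names are values that have to match what the Kanidm OAuth2 client `mealie` actually emits (its token signing algorithm and its group claim map), but nothing here ties them to that configuration, so a change on the Kanidm side would likely break login or, for the group names, change who gets auto-provisioned as admin while `OIDC_SIGNUP_ENABLED = "true"`. A comment above the OIDC block would make that coupling visible, e.g. `# Must match the kanidm OAuth2 client "mealie": ES256 token signing and a groups claim that yields "user"/"admin"`, ideally pointing at the file where that client is defined. Dropping the 10-year `TOKEN_TIME` is an improvement, but `OIDC_REMEMBER_ME = "true"` re-extends sessions to Mealie's remember-me default, which is not set here; a one-line note that this is intentional would stop the next reader from re-adding a long TOKEN_TIME. The settings set these options belong to starts before the hunk.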
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 RAxxDNQO54g1ed7FUHzEc53/LwJK2OWafSum5kuDmhg +PGzHtSg3X4H07zzNvQlzay6qF91FakUUdyPEAWHZk88 +-> piv-p256 xqSe8Q Aznl/XQTTYqzEJXuGhthVvPdvaCTwSBtrnna+Eam7oOJ +9ECfOp5JqKbX30CgdFBwBcE2sZZLNvdI06Ah/LZRv3I +-> m?&t#C*-grease ~4\P +NxJuCa+m5uWmcHU6vhvIztKnEWF5VVzwU1G/qMhTKQNszuwgPKhpcykd+8pgH5Wz +C7eBT9tg7WY+jv/4zKVPJgJ1Cr57OYxZXl6PwqhTv6zqWQOvuP0/nco +--- 0KV4iZtllFlmgp19NOn9qtCk1H0cIGrY0pMb9n2gctw +;jn ѶJ2a.k j=@ sWb;)C)AϨ2!D3jT]N!% \ No newline at end of file diff --git a/secrets/rekeyed/ward-mealie/3c1d549b74984c0b084371f4642325b3-oauth2-client-secret.age b/secrets/rekeyed/ward-mealie/3c1d549b74984c0b084371f4642325b3-oauth2-client-secret.age new file mode 100644 index 0000000..1b6a55c --- /dev/null +++ b/secrets/rekeyed/ward-mealie/3c1d549b74984c0b084371f4642325b3-oauth2-client-secret.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 Wfiv+g MUNwO6FjElqHoc6E/O4c2eMjBmYBSzysxPj4q/UPgRk +TmMt3Fs13aVnxRnY47e0uNTTsdZqQ+rt5eGjPi6nawQ +-> _s-9>9-grease +R] "]+6 3K jc&#cC +ZJpqc6cNVwv4z382Ye1ovkZ4OEl03VVMhyuHrJc +--- JESoNnX1n4GuWgRyhTW8fOLKJck9RJwYA6vFBTPrSuw +2 +T1!zE&!Re|HΩT\z~Q4uE+?9 ݩ\Xdb!K n *| \ No newline at end of file diff --git a/secrets/rekeyed/ward-mealie/485e1790e4fd24baa9495d837795ef02-mealie-oauth2-client-secret.age b/secrets/rekeyed/ward-mealie/485e1790e4fd24baa9495d837795ef02-mealie-oauth2-client-secret.age deleted file mode 100644 index dd909e47cea19364557d4a6831c3648f8b51abbc..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 323 zcmV-J0lfZUXJsvAZewzJaCB*JZZ2cKeY-dJlIA%e5H%@UlQ9%kVJ|Hw_WF=8DT}Ulwa%Ew2 zWeQGuNKsZ-bZcQyO)^D7QB7h@S7%UeQe;p;MrcekLNZx2P*-P1VKrHI3N0-yAaHOu zFEv?KQ#ox;No+z(d2UTeV`NKMW>``~IXGBmG)!kQY)(^5V@PLN3fwG`z3=qg0c@nY zi^gZo2BapF$z`af@0>J7&Wbx_MQF+w5