sokai/mynixos-config
1
1
Fork 0
forked from mirrors_public/oddlama_nix-config
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: add client secret to mealie

Browse source
This commit is contained in:
oddlama 2025-05-18 21:36:14 +02:00
parent c983b43fda
commit 6ed22d37af
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
5 changed files with 47 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

3
README.md
View file

@ -54,7 +54,8 @@ I've included the major components in the lists below.
📄 Documents | Paperless | [Link](./hosts/sire/guests/paperless.nix) | Document management system. With per-user Samba share integration (consume & archive) 📄 Documents | Paperless | [Link](./hosts/sire/guests/paperless.nix) | Document management system. With per-user Samba share integration (consume & archive)
🗓️ CalDAV/CardDAV | Radicale | [Link](./hosts/ward/guests/radicale.nix) | Contacts, Calender and Tasks synchronization 🗓️ CalDAV/CardDAV | Radicale | [Link](./hosts/ward/guests/radicale.nix) | Contacts, Calender and Tasks synchronization
📁 NAS | Samba | [Link](./hosts/sire/guests/samba.nix) | Network attached storage. Cross-integration with paperless 📁 NAS | Samba | [Link](./hosts/sire/guests/samba.nix) | Network attached storage. Cross-integration with paperless
🌐 VPN | Firezone | [Link](./hosts/ward/guests/firezone.nix) | Internal network gateway and wireguard VPN server with dynamic peer configuration and SSO authentication. 🌐 VPN | Firezone | [Link](./hosts/ward/guests/firezone.nix) | Internal network gateway and wireguard VPN server with dynamic peer configuration and SSO authentication
🥗 Recipes | Mealie | [Link](./hosts/ward/guests/mealie.nix) | Recipe manager and meal planner
🏠 Home Automation | Home Assistant | [Link](./hosts/zackbiene/home-assistant.nix) | Automation with Home Assistant and many related services 🏠 Home Automation | Home Assistant | [Link](./hosts/zackbiene/home-assistant.nix) | Automation with Home Assistant and many related services
📧 Mailserver | Stalwart | [Link](./hosts/envoy/stalwart-mail.nix) | Modern mail server setup with custom self-service alias management including Bitwarden integration 📧 Mailserver | Stalwart | [Link](./hosts/envoy/stalwart-mail.nix) | Modern mail server setup with custom self-service alias management including Bitwarden integration
🧱 Minecraft | PaperMC | [Link](./hosts/sire/guests/minecraft.nix) | Minecraft game server. Autostart on connect, systemd service with background console, automatic backups 🧱 Minecraft | PaperMC | [Link](./hosts/sire/guests/minecraft.nix) | Minecraft game server. Autostart on connect, systemd service with background console, automatic backups

34
hosts/ward/guests/mealie.nix
View file

@ -13,9 +13,23 @@ in
firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [ config.services.mealie.port ]; firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [ config.services.mealie.port ];
}; };
# Mirror the original oauth2 secret # Mirror the original oauth2 secret, but prepend OIDC_CLIENT_SECRET=
age.secrets.mealie-oauth2-client-secret = { # so it can be used as an EnvironmentFile
inherit (nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-mealie) rekeyFile; age.secrets.oauth2-client-secret = {
generator.dependencies = [
nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-mealie
];
generator.script =
{
lib,
decrypt,
deps,
...
}:
''
echo -n "OIDC_CLIENT_SECRET="
${decrypt} ${lib.escapeShellArg (lib.head deps).file}
'';
mode = "440"; mode = "440";
}; };
@ -41,16 +55,22 @@ in
ALLOW_SIGNUP = "false"; ALLOW_SIGNUP = "false";
BASE_URL = "https://${mealieDomain}"; BASE_URL = "https://${mealieDomain}";
TZ = config.time.timeZone; TZ = config.time.timeZone;
TOKEN_TIME = 87600; # 10 years session time - this is only internal so who cares TOKEN_TIME = 87600; # 10 years session time - this is only internal so who cares
OIDC_AUTH_ENABLED = "true"; OIDC_AUTH_ENABLED = "true";
OIDC_AUTO_REDIRECT = "true";
OIDC_CLIENT_ID = "mealie";
OIDC_CONFIGURATION_URL = "https://${globals.services.kanidm.domain}/oauth2/openid/${OIDC_CLIENT_ID}/.well-known/openid-configuration";
OIDC_SIGNUP_ENABLED = "true"; OIDC_SIGNUP_ENABLED = "true";
OIDC_AUTO_REDIRECT = "true";
OIDC_REMEMBER_ME = "true";
OIDC_CLIENT_ID = "mealie";
OIDC_SIGNING_ALGORITHM = "ES256";
OIDC_USER_CLAIM = "preferred_username";
OIDC_PROVIDER_NAME = "Kanidm";
OIDC_CONFIGURATION_URL = "https://${globals.services.kanidm.domain}/oauth2/openid/${OIDC_CLIENT_ID}/.well-known/openid-configuration";
OIDC_USER_GROUP = "user"; OIDC_USER_GROUP = "user";
OIDC_ADMIN_GROUP = "admin"; OIDC_ADMIN_GROUP = "admin";
}; };
credentialsFile = config.age.secrets.oauth2-client-secret.path;
}; };
nodes.ward-web-proxy = { nodes.ward-web-proxy = {

10
secrets/generated/ward-mealie/oauth2-client-secret.age Normal file
View file

@ -0,0 +1,10 @@
age-encryption.org/v1
-> X25519 RAxxDNQO54g1ed7FUHzEc53/LwJK2OWafSum5kuDmhg
PGzHtSg3X4H07zzNvQlzay6qF91FakUUdyPEAWHZk88
-> piv-p256 xqSe8Q Aznl/XQTTYqzEJXuGhthVvPdvaCTwSBtrnna+Eam7oOJ
9ECfOp5JqKbX30CgdFBwBcE2sZZLNvdI06Ah/LZRv3I
-> m?&t#C*-grease ~4\P
NxJuCa+m5uWmcHU6vhvIztKnEWF5VVzwU1G/qMhTKQNszuwgPKhpcykd+8pgH5Wz
C7eBT9tg7WY+jv/4zKVPJgJ1Cr57OYxZXl6PwqhTv6zqWQOvuP0/nco
--- 0KV4iZtllFlmgp19NOn9qtCk1H0cIGrY0pMb9n2gctw
ê;ïjŒ¸n ôÇѶÚèˆJ2a.œßkˆ jÃ=“ä£ûŽš@ °µ¢Ûs†µWbÀá;)°ÅüC)¿ïÒAϨÅ2Š!“¥îýçD‰3ÃÎj«™äTã]N¸�!%�

8
secrets/rekeyed/ward-mealie/3c1d549b74984c0b084371f4642325b3-oauth2-client-secret.age Normal file
View file

@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 Wfiv+g MUNwO6FjElqHoc6E/O4c2eMjBmYBSzysxPj4q/UPgRk
TmMt3Fs13aVnxRnY47e0uNTTsdZqQ+rt5eGjPi6nawQ
-> _s-9>9-grease +R] "]+6 3K jc&#cC
ZJpqc6cNVwv4z382Ye1ovkZ4OEl03VVMhyuHrJc
--- JESoNnX1n4GuWgRyhTW8fOLKJck9RJwYA6vFBTPrSuw
Ú2‚
÷éø¦¨T¾Ê1!z¢Eª&Ú!öRœ¦e¬þ|†H—®‚°ÍΩ�ÅTÏÎß\±z~Q4ÃýuE+?9ßÞ ÖÝ©­›\þXú’§d¬ÃÏbØ!K n’ £*éß|ˆ

BIN
secrets/rekeyed/ward-mealie/485e1790e4fd24baa9495d837795ef02-mealie-oauth2-client-secret.age
View file

Binary file not shown.