| -rw-r--r-- | machines/nixos/x86_64-linux/argonath.nix | 6 | ||||
| -rw-r--r-- | machines/nixos/x86_64-linux/rivendell.nix | 1 | ||||
| -rw-r--r-- | profiles/authelia.nix | 24 | ||||
| -rw-r--r-- | profiles/miniflux.nix | 32 | ||||
| -rw-r--r-- | secrets/authelia-jwks.age | bin | 0 -> 2026 bytes | |||
| -rw-r--r-- | secrets/miniflux-oidc.age | bin | 0 -> 395 bytes | |||
| -rw-r--r-- | secrets/secrets.nix | 12 |
7 files changed, 74 insertions, 1 deletions
diff --git a/machines/nixos/x86_64-linux/argonath.nix b/machines/nixos/x86_64-linux/argonath.nix
index f6ff166..63ff2c9 100644
--- a/machines/nixos/x86_64-linux/argonath.nix
+++ b/machines/nixos/x86_64-linux/argonath.nix
@@ -96,6 +96,12 @@ in
 proxyPass = "http://10.100.0.60:9092";
 };
 };
+ "reader.fcuny.net" = {
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/".proxyPass = "http://10.100.0.60:8002";
+ };
 "fcuny.net" = {
 enableACME = true;
 acmeRoot = null;
diff --git a/machines/nixos/x86_64-linux/rivendell.nix b/machines/nixos/x86_64-linux/rivendell.nix
index 88172dd..e07e876 100644
--- a/machines/nixos/x86_64-linux/rivendell.nix
+++ b/machines/nixos/x86_64-linux/rivendell.nix
@@ -13,6 +13,7 @@
 ../../../profiles/git-server.nix
 ../../../profiles/hardware/framework-desktop.nix
 ../../../profiles/home-manager.nix
+ ../../../profiles/miniflux.nix
 ../../../profiles/remote-unlock.nix
 ../../../profiles/restic-backup.nix
 ../../../profiles/server.nix
diff --git a/profiles/authelia.nix b/profiles/authelia.nix
index ccc3d11..8a345b2 100644
--- a/profiles/authelia.nix
+++ b/profiles/authelia.nix
@@ -13,12 +13,17 @@
 file = ../secrets/authelia-users.yaml.age;
 owner = "authelia-main";
 };
+ authelia-jwks = {
+ file = ../secrets/authelia-jwks.age;
+ owner = "authelia-main";
+ };
 };
 
 services.authelia.instances.main = {
 enable = true;
- secrets.storageEncryptionKeyFile = config.age.secrets."authelia-storage-key".path;
 secrets.jwtSecretFile = config.age.secrets."authelia-jwt-key".path;
+ secrets.oidcIssuerPrivateKeyFile = config.age.secrets."authelia-jwks".path;
+ secrets.storageEncryptionKeyFile = config.age.secrets."authelia-storage-key".path;
 settings = {
 server.address = "tcp://:9092";
 default_2fa_method = "totp";
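Review bot: Turning on the OIDC provider needs an HMAC secret in addition to the issuer key, and the authelia.nix hunk only wires `secrets.oidcIssuerPrivateKeyFile`; unless `identity_providers.oidc.hmac_secret` is supplied elsewhere (an environment file, or a `secrets.oidcHmacSecretFile` line outside the hunk), Authelia's configuration validation will refuse to start once clients are declared. The secret is also named `authelia-jwks` while the file is the PEM private key produced by `authelia crypto pair rsa generate` (per the note in secrets/secrets.nix), so a comment above `authelia-jwks = {` such as `# PEM RSA private key that signs OIDC tokens (not a JWKS document)` would save the next reader a detour. The `-`/`+` move of `secrets.storageEncryptionKeyFile` is a cosmetic reorder mixed into a functional change and is easier to review as a separate commit. The enclosing `services.authelia.instances.main` block continues outside the hunk.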
@@ -33,6 +38,23 @@
 path = "/var/lib/authelia-main/db.sqlite3";
 };
 };
+ identity_providers.oidc = {
+ clients = [
+ {
+ id = "miniflux";
+ description = "Miniflux RSS";
+ secret = "$pbkdf2-sha512$310000$OPAy.BbYps2sWTt4Broxbg$uB6QZaHK1n7MHheaWhly/cvnNIw4gZbY.BibTCHvodcRAAggSTUA8rTdjzudaKtJZW7Lm4u0j2C2D1VFmRV2Aw";
+ redirect_uris = [ "https://reader.fcuny.net/oauth2/oidc/callback" ];
+ scopes = [
+ "openid"
+ "email"
+ "profile"
+ ];
+ }
+ ];
+ };
 };
 };
+
+ networking.firewall.allowedTCPPorts = [ 9092 ];
 }
diff --git a/profiles/miniflux.nix b/profiles/miniflux.nix
new file mode 100644
index 0000000..2d110ad
--- /dev/null
+++ b/profiles/miniflux.nix
@@ -0,0 +1,32 @@
+{ config, ... }:
+let
+ domain = "reader.fcuny.net";
+ port = 8002;
+in
+{
+ age.secrets.miniflux-oidc = {
+ owner = "miniflux";
+ file = ../secrets/miniflux-oidc.age;
+ };
+
+ services.miniflux = {
+ enable = true;
+ config = {
+ LISTEN_ADDR = "0.0.0.0:${toString port}";
+ BASE_URL = "https://${domain}";
+ CREATE_ADMIN = 0;
+ OAUTH2_PROVIDER = "oidc";
+ OAUTH2_CLIENT_ID = "miniflux";
+ OAUTH2_CLIENT_SECRET_FILE = "/run/credentials/miniflux.service/oauth2-client-secret";
+ OAUTH2_REDIRECT_URL = "https://${domain}/oauth2/oidc/callback";
+ OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://auth.fcuny.net";
+ OAUTH2_USER_CREATION = "1";
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 8002 ];
+
+ systemd.services.miniflux.serviceConfig.LoadCredential = [
+ "oauth2-client-secret:${config.age.secrets.miniflux-oidc.path}"
+ ];
+}
diff --git a/secrets/authelia-jwks.age b/secrets/authelia-jwks.age
Binary files differ
new file mode 100644
index 0000000..59ac430
--- /dev/null
+++ b/secrets/authelia-jwks.age
diff --git a/secrets/miniflux-oidc.age b/secrets/miniflux-oidc.age
Binary files differ
new file mode 100644
index 0000000..d6447df
--- /dev/null
+++ b/secrets/miniflux-oidc.age
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 5d5dac2..2639a8c 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
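Review bot: `networking.firewall.allowedTCPPorts = [ 9092 ];` opens Authelia's plaintext listener (`server.address = "tcp://:9092"`, bound on every interface) on all interfaces, while the only consumer visible in this commit is the argonath reverse proxy reaching it at 10.100.0.60:9092, which looks like an overlay-network address. If that is the intent, scoping the rule as `networking.firewall.interfaces.<overlay-if>.allowedTCPPorts = [ 9092 ];` keeps the unencrypted port off the other networks; profiles/miniflux.nix has the same shape with port 8002 and `LISTEN_ADDR = "0.0.0.0:..."`. The client entry itself is sound: the secret is stored as a pbkdf2-sha512 digest rather than plaintext and `redirect_uris` is pinned to the single callback. Worth confirming is the client's `authorization_policy`, which is not set and so falls back to Authelia's default; together with Miniflux's `OAUTH2_USER_CREATION = "1"`, that default decides who gets a reader account provisioned. The `settings` block this hunk extends starts outside the hunk.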
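Review bot: `owner = "miniflux"` on the age secret is broader than needed: the secret reaches the service through `LoadCredential`, which the service manager reads with its own privileges, so the decrypted file can stay root-owned (drop the `owner` line) and the `/run/credentials/miniflux.service/oauth2-client-secret` copy is the only one the service user can read. That also avoids relying on a static `miniflux` account existing at agenix activation time, which I cannot confirm from this module alone. The firewall line repeats the literal `8002` next to the `port` binding; `networking.firewall.allowedTCPPorts = [ port ];` keeps the two from drifting. A short header comment stating that access control is delegated to Authelia's client policy, since `OAUTH2_USER_CREATION = "1"` provisions an account for anyone Authelia lets through, would document the trust boundary.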
@@ -35,6 +35,11 @@ in
 hosts.mba
 ];
 
+ "miniflux-oidc.age".publicKeys = [
+ users.fcuny
+ hosts.rivendell
+ ];
+
 # generated with:
 # openssl rand 64 | openssl base64 -A | tr '+/' '-_' | tr -d '='
 "authelia-storage-key.age".publicKeys = [
@@ -49,6 +54,13 @@ in
 hosts.rivendell
 ];
 
+ # generated with:
+ # authelia crypto pair rsa generate
+ "authelia-jwks.age".publicKeys = [
+ users.fcuny
+ hosts.rivendell
+ ];
+
 "authelia-users.yaml.age".publicKeys = [
 users.fcuny
 hosts.rivendell
|
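Review bot: The new `"miniflux-oidc.age"` entry is the only one in this region without a `# generated with:` note, and it is the one most likely to confuse later: it holds the plaintext client secret whose pbkdf2-sha512 digest is pinned in profiles/authelia.nix, so the two must be rotated together. A comment such as `# plaintext OIDC client secret; its pbkdf2-sha512 hash lives in profiles/authelia.nix (authelia crypto hash generate pbkdf2 --random)` mirrors the neighbouring entries and records the coupling. The recipient list (users.fcuny, hosts.rivendell) matches the other rivendell-hosted secrets in the second hunk. The attribute set these entries belong to starts outside the hunk.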
