Diffstat (limited to 'profiles')
-rw-r--r--profiles/authelia.nix24
-rw-r--r--profiles/miniflux.nix32
2 files changed, 55 insertions, 1 deletions
diff --git a/profiles/authelia.nix b/profiles/authelia.nix
index ccc3d11..8a345b2 100644
--- a/profiles/authelia.nix
+++ b/profiles/authelia.nix
@@ -13,12 +13,17 @@
file = ../secrets/authelia-users.yaml.age;
owner = "authelia-main";
};
+ authelia-jwks = {
+ file = ../secrets/authelia-jwks.age;
+ owner = "authelia-main";
+ };
};
services.authelia.instances.main = {
enable = true;
- secrets.storageEncryptionKeyFile = config.age.secrets."authelia-storage-key".path;
secrets.jwtSecretFile = config.age.secrets."authelia-jwt-key".path;
+ secrets.oidcIssuerPrivateKeyFile = config.age.secrets."authelia-jwks".path;
+ secrets.storageEncryptionKeyFile = config.age.secrets."authelia-storage-key".path;
settings = {
server.address = "tcp://:9092";
default_2fa_method = "totp";
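Review bot: The OIDC provider gets an issuer private key via the added `secrets.oidcIssuerPrivateKeyFile`, but no HMAC secret is wired in; as far as I recall Authelia refuses to start its OIDC provider without `identity_providers.oidc.hmac_secret`, which the NixOS module exposes as `secrets.oidcHmacSecretFile`. Unless it is set elsewhere in the file (the `services.authelia.instances.main` attrset continues outside this hunk), add a matching agenix entry next to `authelia-jwks` and `secrets.oidcHmacSecretFile = config.age.secrets."<authelia-oidc-hmac>".path;` (placeholder secret name). Keeping the three `secrets.*` lines in alphabetical order, as this hunk already does for the reordered `storageEncryptionKeyFile`, makes the missing one easy to spot in future reviews.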
@@ -33,6 +38,23 @@
path = "/var/lib/authelia-main/db.sqlite3";
};
};
+ identity_providers.oidc = {
+ clients = [
+ {
+ id = "miniflux";
+ description = "Miniflux RSS";
+ secret = "$pbkdf2-sha512$310000$OPAy.BbYps2sWTt4Broxbg$uB6QZaHK1n7MHheaWhly/cvnNIw4gZbY.BibTCHvodcRAAggSTUA8rTdjzudaKtJZW7Lm4u0j2C2D1VFmRV2Aw";
+ redirect_uris = [ "https://reader.fcuny.net/oauth2/oidc/callback" ];
+ scopes = [
+ "openid"
+ "email"
+ "profile"
+ ];
+ }
+ ];
+ };
};
};
+
+ networking.firewall.allowedTCPPorts = [ 9092 ];
}
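Review bot: The added `networking.firewall.allowedTCPPorts = [ 9092 ];` opens Authelia's listener on every interface, and `server.address = "tcp://:9092"` in the context above binds it to all addresses as plain HTTP. The client's `redirect_uris` is https, so a TLS-terminating reverse proxy is presumably in front of it; if that proxy runs on the same host the port needs no firewall opening at all, and if it sits on a specific network the narrower `networking.firewall.interfaces.<iface>.allowedTCPPorts` (placeholder interface) keeps the unauthenticated-HTTP surface off the public side. The client `secret` is a pbkdf2-sha512 digest rather than the plaintext, so committing it is fine; a one-line comment saying so, e.g. `# hashed with `authelia crypto hash generate`; plaintext lives in secrets/miniflux-oidc.age`, would stop a future reader from treating it as a leak.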
diff --git a/profiles/miniflux.nix b/profiles/miniflux.nix
new file mode 100644
index 0000000..2d110ad
--- /dev/null
+++ b/profiles/miniflux.nix
@@ -0,0 +1,32 @@
+{ config, ... }:
+let
+ domain = "reader.fcuny.net";
+ port = 8002;
+in
+{
+ age.secrets.miniflux-oidc = {
+ owner = "miniflux";
+ file = ../secrets/miniflux-oidc.age;
+ };
+
+ services.miniflux = {
+ enable = true;
+ config = {
+ LISTEN_ADDR = "0.0.0.0:${toString port}";
+ BASE_URL = "https://${domain}";
+ CREATE_ADMIN = 0;
+ OAUTH2_PROVIDER = "oidc";
+ OAUTH2_CLIENT_ID = "miniflux";
+ OAUTH2_CLIENT_SECRET_FILE = "/run/credentials/miniflux.service/oauth2-client-secret";
+ OAUTH2_REDIRECT_URL = "https://${domain}/oauth2/oidc/callback";
+ OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://auth.fcuny.net";
+ OAUTH2_USER_CREATION = "1";
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 8002 ];
+
+ systemd.services.miniflux.serviceConfig.LoadCredential = [
+ "oauth2-client-secret:${config.age.secrets.miniflux-oidc.path}"
+ ];
+}
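Review bot: `networking.firewall.allowedTCPPorts = [ 8002 ];` repeats the number that the `let` block already binds as `port`, so the two can drift apart; use `networking.firewall.allowedTCPPorts = [ port ];` instead. As with the Authelia profile, `LISTEN_ADDR = "0.0.0.0:${toString port}"` plus the firewall opening exposes a plain-HTTP listener on all interfaces while `BASE_URL` is https, which suggests a reverse proxy terminates TLS; if that proxy is local, the firewall line can be dropped or scoped to the proxy's interface. `OAUTH2_USER_CREATION = "1"` means any identity Authelia authorizes for the `miniflux` client gets a Miniflux account on first login, which is worth stating in a comment next to that line so that later tightening (or loosening) of the Authelia client policy is done knowingly; for consistency with `CREATE_ADMIN = 0` on the line above, consider writing it as the integer `1` if the module accepts it.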