feat(services): enhance paperless integration with authelia OIDC
All checks were successful
Flake checker / Build Nix targets (push) Successful in 9m29s
All checks were successful
Flake checker / Build Nix targets (push) Successful in 9m29s
This commit is contained in:
uttarayan21
@@ -13,7 +13,7 @@
|
|||||||
./minecraft.nix
|
./minecraft.nix
|
||||||
|
|
||||||
./nextcloud.nix
|
./nextcloud.nix
|
||||||
./paperless.nix
|
# ./paperless.nix
|
||||||
./prowlarr.nix
|
./prowlarr.nix
|
||||||
./resolved.nix
|
./resolved.nix
|
||||||
./searxng.nix
|
./searxng.nix
|
||||||
|
|||||||
@@ -1,50 +1,99 @@
|
|||||||
{
|
{
|
||||||
pkgs,
|
pkgs,
|
||||||
config,
|
config,
|
||||||
|
lib,
|
||||||
...
|
...
|
||||||
}: {
|
}: {
|
||||||
sops = {
|
sops = {
|
||||||
secrets."paperless/adminpass".owner = config.users.users.paperless.name;
|
secrets."paperless/adminpass".owner = config.users.users.paperless.name;
|
||||||
secrets."paperless/secret_key".owner = config.users.users.paperless.name;
|
secrets."paperless/secret_key".owner = config.users.users.paperless.name;
|
||||||
|
secrets."authelia/oidc/paperless/client_id".owner = config.systemd.services.authelia-darksailor.serviceConfig.User;
|
||||||
|
secrets."authelia/oidc/paperless/client_secret".owner = config.systemd.services.authelia-darksailor.serviceConfig.User;
|
||||||
templates = {
|
templates = {
|
||||||
"PAPERLESS.env".content = ''
|
"PAPERLESS.env" = {
|
||||||
PAPERLESS_APPS="allauth.socialaccount.providers.github"
|
content = ''
|
||||||
PAPERLESS_SOCIALACCOUNT_PROVIDERS='{"authelia": {"APPS": [{"provider_id": "authelia","name": "Authelia","client_id": "${config.sops.placeholder."authelia/oidc/paperless/client_id"}","secret": "${config.sops.placeholder."authelia/oidc/paperless/client_secret"}"}]}}'
|
PAPERLESS_SOCIALACCOUNT_PROVIDERS='${config.sops.templates."PAPERLESS_SOCIALACCOUNT_PROVIDERS.json".content}'
|
||||||
# PAPERLESS_ENABLE_HTTP_REMOTE_USER=true
|
'';
|
||||||
PAPERLESS_URL=https://paperless.darksailor.dev
|
restartUnits = ["paperless-web.service" "authelia-darksailor.service"];
|
||||||
PAPERLESS_SECRET_KEY=${config.sops.placeholder."paperless/secret_key"}
|
};
|
||||||
'';
|
"PAPERLESS_SOCIALACCOUNT_PROVIDERS.json" = {
|
||||||
|
content =
|
||||||
|
/*
|
||||||
|
json
|
||||||
|
*/
|
||||||
|
builtins.toJSON
|
||||||
|
{
|
||||||
|
authelia = {
|
||||||
|
OAUTH_PKCE_ENABLED = "True";
|
||||||
|
APPS = [
|
||||||
|
{
|
||||||
|
provider_id = "authelia";
|
||||||
|
name = "Authelia";
|
||||||
|
"client_id" = "${config.sops.placeholder."authelia/oidc/paperless/client_id"}";
|
||||||
|
"secret" = "${config.sops.placeholder."authelia/oidc/paperless/client_secret"}";
|
||||||
|
"settings" = {
|
||||||
|
"server_url" = "https://auth.darksailor.dev/.well-known/openid-configuration";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
restartUnits = ["paperless-web.service" "authelia-darksailor.service"];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
# systemd.services.paperless-web.script = lib.mkBefore ''
|
||||||
|
# oidcSecret=$(< ${config.sops.secrets."authelia/oidc/paperless/client_secret".path})
|
||||||
|
# export PAPERLESS_SOCIALACCOUNT_PROVIDERS=$(
|
||||||
|
# ${pkgs.jq}/bin/jq <<< "$PAPERLESS_SOCIALACCOUNT_PROVIDERS" \
|
||||||
|
# --compact-output \
|
||||||
|
# --arg oidcSecret "$oidcSecret" '.openid_connect.APPS.[0].secret = $oidcSecret'
|
||||||
|
# )
|
||||||
|
# '';
|
||||||
services = {
|
services = {
|
||||||
paperless = {
|
paperless = {
|
||||||
enable = true;
|
enable = true;
|
||||||
passwordFile = config.sops.secrets."paperless/adminpass".path;
|
passwordFile = config.sops.secrets."paperless/adminpass".path;
|
||||||
|
settings = {
|
||||||
|
PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
|
||||||
|
PAPERLESS_SOCIAL_AUTO_SIGNUP = "True";
|
||||||
|
PAPERLESS_DISABLE_REGULAR_LOGIN = "True";
|
||||||
|
PAPERLESS_SOCIALACCOUNT_ALLOW_SIGNUPS = "True";
|
||||||
|
PAPERLESS_URL = "https://paperless.darksailor.dev";
|
||||||
|
};
|
||||||
environmentFile = "${config.sops.templates."PAPERLESS.env".path}";
|
environmentFile = "${config.sops.templates."PAPERLESS.env".path}";
|
||||||
};
|
};
|
||||||
caddy = {
|
caddy = {
|
||||||
virtualHosts."paperless.darksailor.dev".extraConfig = ''
|
virtualHosts."paperless.darksailor.dev".extraConfig = ''
|
||||||
import auth
|
|
||||||
reverse_proxy localhost:28981
|
reverse_proxy localhost:28981
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
authelia = {
|
authelia = {
|
||||||
instances.darksailor = {
|
instances.darksailor = {
|
||||||
settings = {
|
settings = {
|
||||||
access_control = {
|
identity_providers = {
|
||||||
rules = [
|
oidc = {
|
||||||
{
|
clients = [
|
||||||
domain = "paperless.darksailor.dev";
|
{
|
||||||
policy = "bypass";
|
client_name = "paperless";
|
||||||
resources = [
|
client_id = ''{{ secret "${config.sops.secrets."authelia/oidc/paperless/client_id".path}" }}'';
|
||||||
"^/api([/?].*)?$"
|
client_secret = ''{{ secret "${config.sops.secrets."authelia/oidc/paperless/client_secret".path}" }}'';
|
||||||
];
|
public = false;
|
||||||
}
|
authorization_policy = "one_factor";
|
||||||
{
|
require_pkce = false;
|
||||||
domain = "paperless.darksailor.dev";
|
redirect_uris = [
|
||||||
policy = "one_factor";
|
"https://paperless.darksailor.dev/auth/login"
|
||||||
}
|
];
|
||||||
];
|
scopes = ["openid" "profile" "email"];
|
||||||
|
response_types = ["code"];
|
||||||
|
grant_types = ["authorization_code"];
|
||||||
|
# access_token_signed_response_alg = "none";
|
||||||
|
userinfo_signed_response_alg = "none";
|
||||||
|
token_endpoint_auth_method = "client_secret_post";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|||||||
Reference in New Issue
Block a user