feat(services): enhance paperless integration with authelia OIDC
@@ -13,7 +13,7 @@
|
||||
./minecraft.nix
|
||||
|
||||
./nextcloud.nix
|
||||
./paperless.nix
|
||||
# ./paperless.nix
|
||||
./prowlarr.nix
|
||||
./resolved.nix
|
||||
./searxng.nix
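Review bot: This rendering does not show which of `./paperless.nix` and `# ./paperless.nix` is the new side, and the commit message does not say the import is being toggled. If the commented line is the new one, the module that carries all of this commit's OIDC configuration is no longer imported here and the change is inert unless it is imported elsewhere, so it would help to state in the message why the import is commented, or to drop the toggle from this commit if it is accidental.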
|
||||
|
||||
@@ -1,48 +1,96 @@
|
||||
{
|
||||
pkgs,
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}: {
|
||||
sops = {
|
||||
secrets."paperless/adminpass".owner = config.users.users.paperless.name;
|
||||
secrets."paperless/secret_key".owner = config.users.users.paperless.name;
|
||||
secrets."authelia/oidc/paperless/client_id".owner = config.systemd.services.authelia-darksailor.serviceConfig.User;
|
||||
secrets."authelia/oidc/paperless/client_secret".owner = config.systemd.services.authelia-darksailor.serviceConfig.User;
|
||||
templates = {
|
||||
"PAPERLESS.env".content = ''
|
||||
PAPERLESS_APPS="allauth.socialaccount.providers.github"
|
||||
PAPERLESS_SOCIALACCOUNT_PROVIDERS='{"authelia": {"APPS": [{"provider_id": "authelia","name": "Authelia","client_id": "${config.sops.placeholder."authelia/oidc/paperless/client_id"}","secret": "${config.sops.placeholder."authelia/oidc/paperless/client_secret"}"}]}}'
|
||||
# PAPERLESS_ENABLE_HTTP_REMOTE_USER=true
|
||||
PAPERLESS_URL=https://paperless.darksailor.dev
|
||||
PAPERLESS_SECRET_KEY=${config.sops.placeholder."paperless/secret_key"}
|
||||
"PAPERLESS.env" = {
|
||||
content = ''
|
||||
PAPERLESS_SOCIALACCOUNT_PROVIDERS='${config.sops.templates."PAPERLESS_SOCIALACCOUNT_PROVIDERS.json".content}'
|
||||
'';
|
||||
restartUnits = ["paperless-web.service" "authelia-darksailor.service"];
|
||||
};
|
||||
"PAPERLESS_SOCIALACCOUNT_PROVIDERS.json" = {
|
||||
content =
|
||||
/*
|
||||
json
|
||||
*/
|
||||
builtins.toJSON
|
||||
{
|
||||
authelia = {
|
||||
OAUTH_PKCE_ENABLED = "True";
|
||||
APPS = [
|
||||
{
|
||||
provider_id = "authelia";
|
||||
name = "Authelia";
|
||||
"client_id" = "${config.sops.placeholder."authelia/oidc/paperless/client_id"}";
|
||||
"secret" = "${config.sops.placeholder."authelia/oidc/paperless/client_secret"}";
|
||||
"settings" = {
|
||||
"server_url" = "https://auth.darksailor.dev/.well-known/openid-configuration";
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
restartUnits = ["paperless-web.service" "authelia-darksailor.service"];
|
||||
};
|
||||
};
|
||||
};
|
||||
# systemd.services.paperless-web.script = lib.mkBefore ''
|
||||
# oidcSecret=$(< ${config.sops.secrets."authelia/oidc/paperless/client_secret".path})
|
||||
# export PAPERLESS_SOCIALACCOUNT_PROVIDERS=$(
|
||||
# ${pkgs.jq}/bin/jq <<< "$PAPERLESS_SOCIALACCOUNT_PROVIDERS" \
|
||||
# --compact-output \
|
||||
# --arg oidcSecret "$oidcSecret" '.openid_connect.APPS.[0].secret = $oidcSecret'
|
||||
# )
|
||||
# '';
|
||||
services = {
|
||||
paperless = {
|
||||
enable = true;
|
||||
passwordFile = config.sops.secrets."paperless/adminpass".path;
|
||||
settings = {
|
||||
PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
|
||||
PAPERLESS_SOCIAL_AUTO_SIGNUP = "True";
|
||||
PAPERLESS_DISABLE_REGULAR_LOGIN = "True";
|
||||
PAPERLESS_SOCIALACCOUNT_ALLOW_SIGNUPS = "True";
|
||||
PAPERLESS_URL = "https://paperless.darksailor.dev";
|
||||
};
|
||||
environmentFile = "${config.sops.templates."PAPERLESS.env".path}";
|
||||
};
|
||||
caddy = {
|
||||
virtualHosts."paperless.darksailor.dev".extraConfig = ''
|
||||
import auth
|
||||
reverse_proxy localhost:28981
|
||||
'';
|
||||
};
|
||||
|
||||
authelia = {
|
||||
instances.darksailor = {
|
||||
settings = {
|
||||
access_control = {
|
||||
rules = [
|
||||
identity_providers = {
|
||||
oidc = {
|
||||
clients = [
|
||||
{
|
||||
domain = "paperless.darksailor.dev";
|
||||
policy = "bypass";
|
||||
resources = [
|
||||
"^/api([/?].*)?$"
|
||||
client_name = "paperless";
|
||||
client_id = ''{{ secret "${config.sops.secrets."authelia/oidc/paperless/client_id".path}" }}'';
|
||||
client_secret = ''{{ secret "${config.sops.secrets."authelia/oidc/paperless/client_secret".path}" }}'';
|
||||
public = false;
|
||||
authorization_policy = "one_factor";
|
||||
require_pkce = false;
|
||||
redirect_uris = [
|
||||
"https://paperless.darksailor.dev/auth/login"
|
||||
];
|
||||
}
|
||||
{
|
||||
domain = "paperless.darksailor.dev";
|
||||
policy = "one_factor";
|
||||
scopes = ["openid" "profile" "email"];
|
||||
response_types = ["code"];
|
||||
grant_types = ["authorization_code"];
|
||||
# access_token_signed_response_alg = "none";
|
||||
userinfo_signed_response_alg = "none";
|
||||
token_endpoint_auth_method = "client_secret_post";
|
||||
}
|
||||
];
|
||||
};
|
||||
@@ -50,4 +98,5 @@
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||