Authentik immich
This commit is contained in:
soraefir
@@ -10,6 +10,7 @@ let
|
||||
}
|
||||
// (if serverCfg.containers?jellyfin then { JELLYFIN_DOMAIN = "${serverCfg.containers.jellyfin.subdomain}.${serverCfg.domain}";} else {})
|
||||
// (if serverCfg.containers?gitea then { GITEA_DOMAIN = "${serverCfg.containers.gitea.subdomain}.${serverCfg.domain}";} else {})
|
||||
// (if serverCfg.containers?immich then { IMMICH_DOMAIN = "${serverCfg.containers.immich.subdomain}.${serverCfg.domain}";} else {})
|
||||
// (if serverCfg.containers?nextcloud then { NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain}.${serverCfg.domain}";} else {});
|
||||
};
|
||||
in {
|
||||
@@ -102,6 +103,7 @@ in {
|
||||
${lib.optionalString (serverCfg.containers ? gitea) ''$AK apply_blueprint /blueprints/custom/gitea.yaml''}
|
||||
${lib.optionalString (serverCfg.containers ? jellyfin) ''$AK apply_blueprint /blueprints/custom/jellyfin.yaml''}
|
||||
${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''}
|
||||
${lib.optionalString (serverCfg.containers ? immich) ''$AK apply_blueprint /blueprints/custom/immich.yaml''}
|
||||
|
||||
echo "Completed Authentik Setup"
|
||||
'';
|
||||
|
||||
@@ -79,7 +79,7 @@ in {
|
||||
.oauth.autoLaunch = true |
|
||||
.oauth.signingAlgorithm = "RS256" |
|
||||
.oauth.profileSigningAlgorithm = "RS256" |
|
||||
.oauth.clientId = "'"$IMMICH_OAUTH_ID"'" |
|
||||
.oauth.clientId = "immich" |
|
||||
.oauth.clientSecret = "'"$IMMICH_OAUTH_SECRET"'" |
|
||||
.oauth.issuerUrl = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}" |
|
||||
.oauth.scope = "openid profile email" |
|
||||
|
||||
@@ -0,0 +1,62 @@
|
||||
version: 1
|
||||
metadata:
|
||||
name: "Immich OAuth2 Provisioning"
|
||||
labels:
|
||||
app: immich
|
||||
entries:
|
||||
- model: authentik_providers_oauth2.oauth2provider
|
||||
identifiers:
|
||||
name: "Immich Provider"
|
||||
attrs:
|
||||
authorization_flow:
|
||||
!Find [
|
||||
authentik_flows.flow,
|
||||
[slug, default-provider-authorization-implicit-consent],
|
||||
]
|
||||
authentication_flow:
|
||||
!Find [authentik_flows.flow, [slug, default-authentication-flow]]
|
||||
invalidation_flow:
|
||||
!Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
|
||||
client_type: "confidential"
|
||||
client_id: "immich"
|
||||
|
||||
client_secret: !Env IMMICH_OAUTH_SECRET
|
||||
access_code_validity: "minutes=5"
|
||||
token_validity: "days=30"
|
||||
signing_key:
|
||||
!Find [
|
||||
authentik_crypto.certificatekeypair,
|
||||
[name, "authentik Self-signed Certificate"],
|
||||
]
|
||||
redirect_uris:
|
||||
- url: "app.immich:///oauth-callback"
|
||||
matching_mode: "strict"
|
||||
- url: "https://@IMMICH_DOMAIN@/auth/login"
|
||||
matching_mode: "regex"
|
||||
- url: "https://@IMMICH_DOMAIN@/user-settings"
|
||||
matching_mode: "regex"
|
||||
property_mappings:
|
||||
- !Find [
|
||||
authentik_providers_oauth2.scope_mapping,
|
||||
[scope_name, "openid"],
|
||||
]
|
||||
- !Find [
|
||||
authentik_providers_oauth2.scope_mapping,
|
||||
[scope_name, "email"],
|
||||
]
|
||||
- !Find [
|
||||
authentik_providers_oauth2.scope_mapping,
|
||||
[scope_name, "profile"],
|
||||
]
|
||||
|
||||
- model: authentik_core.application
|
||||
identifiers:
|
||||
slug: "immich"
|
||||
attrs:
|
||||
name: "Immich"
|
||||
launch_url: "@IMMICH_DOMAIN@"
|
||||
provider:
|
||||
!Find [
|
||||
authentik_providers_oauth2.oauth2provider,
|
||||
[name, "Immich Provider"],
|
||||
]
|
||||
|
||||
Reference in New Issue
Block a user