freshrss oidc
This commit is contained in:
soraefir
@@ -11,6 +11,7 @@ let
|
||||
// (if serverCfg.containers?jellyfin then { JELLYFIN_DOMAIN = "${serverCfg.containers.jellyfin.subdomain}.${serverCfg.domain}";} else {})
|
||||
// (if serverCfg.containers?gitea then { GITEA_DOMAIN = "${serverCfg.containers.gitea.subdomain}.${serverCfg.domain}";} else {})
|
||||
// (if serverCfg.containers?immich then { IMMICH_DOMAIN = "${serverCfg.containers.immich.subdomain}.${serverCfg.domain}";} else {})
|
||||
// (if serverCfg.containers?freshrss then { FRESHRSS_DOMAIN = "${serverCfg.containers.freshrss.subdomain}.${serverCfg.domain}";} else {})
|
||||
// (if serverCfg.containers?homepage then { HOMEPAGE_DOMAIN = "${serverCfg.containers.homepage.subdomain}.${serverCfg.domain}";} else {})
|
||||
// (if serverCfg.containers?nextcloud then { NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain}.${serverCfg.domain}";} else {});
|
||||
};
|
||||
@@ -107,6 +108,7 @@ in {
|
||||
${lib.optionalString (serverCfg.containers ? jellyfin) ''$AK apply_blueprint /blueprints/custom/jellyfin.yaml''}
|
||||
${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''}
|
||||
${lib.optionalString (serverCfg.containers ? immich) ''$AK apply_blueprint /blueprints/custom/immich.yaml''}
|
||||
${lib.optionalString (serverCfg.containers ? freshrss) ''$AK apply_blueprint /blueprints/custom/freshrss.yaml''}
|
||||
${lib.optionalString (serverCfg.containers ? homepage) ''$AK apply_blueprint /blueprints/custom/homepage.yaml''}
|
||||
|
||||
echo "Completed Authentik Setup"
|
||||
|
||||
@@ -26,29 +26,34 @@ in {
|
||||
PGID = "1000";
|
||||
TRUSTED_PROXY = "10.0.0.0/8 192.168.0.1/16";
|
||||
PUBLISHED_PORT = "80";
|
||||
ADMIN_PASSWORD = "admin"; # Change this to a secure password in production!
|
||||
ADMIN_API_PASSWORD = "admin"; # Change this to a secure password in production!
|
||||
BASE_URL = "https://${containerCfg.subdomain}.${serverCfg.domain}";
|
||||
SERVER_DNS = "${containerCfg.subdomain}.${serverCfg.domain}";
|
||||
DB_HOST = "${builder.host}";
|
||||
DB_BASE = "freshrss_db";
|
||||
DB_USER = "freshrss_user";
|
||||
|
||||
OIDC_PROVIDER_METADATA_URL = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/o/freshrss/.well-known/openid-configuration";
|
||||
OIDC_REMOTE_USER_CLAIM = "preferred_username";
|
||||
OIDC_CLIENT_ID = "freshrss";
|
||||
OIDC_SCOPES = "openid profile";
|
||||
OIDC_X_FORWARDED_HEADERS = "X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto";
|
||||
OIDC_CLIENT_SECRET = "123"; #SECRET
|
||||
# OIDC_CLIENT_CRYPTO_KEY = "123"; #SECRET
|
||||
};
|
||||
|
||||
overrides = {
|
||||
volumes = [
|
||||
"${serverCfg.configPath}/freshrss:/config"
|
||||
];
|
||||
volumes = [];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
setup = {
|
||||
trigger = "server"; # Triggers atomic environment verification on main controller
|
||||
envFile = config.sops.secrets."FRESHRSS".path;
|
||||
envFile = [ config.sops.secrets."FRESHRSS".path config.sops.secrets."CUSTOM".path];
|
||||
script = pkgs.writeShellScript "setup-freshrss" ''
|
||||
RSS_URL="https://${containerCfg.subdomain}.${serverCfg.domain}"
|
||||
${pkgs.curl}/bin/curl -s -X POST "$RSS_URL/i/index.php?step=0" -H "Content-Type: application/x-www-form-urlencoded" --data-raw "language=en"
|
||||
|
||||
RSS="${pkgs.podman}/bin/podman --events-backend=none exec freshrss-server"
|
||||
$RSS ./cli/prepare.php
|
||||
$RSS ./cli/do-install.php --default-user $DEFAULT_ADMIN_USERNAME --auth-type http_auth --base-url https://${containerCfg.subdomain}.${serverCfg.domain} --language en \
|
||||
--title RSS --api-enabled --db-type pgsql --db-host ${builder.host} --db-user freshrss-user --db-API $DB_PASSWORD --db-base freshrss-db
|
||||
$RSS ./cli/reconfigure.php
|
||||
$RSS ./cli/update-user.php --user $DEFAULT_ADMIN_USERNAME --password $DEFAULT_ADMIN_PASSWORD --email $DEFAULT_ADMIN_EMAIL
|
||||
|
||||
'';
|
||||
};
|
||||
}
|
||||
58
modules/server/containers/data/authentik/freshrss.yaml
Normal file
58
modules/server/containers/data/authentik/freshrss.yaml
Normal file
@@ -0,0 +1,58 @@
|
||||
version: 1
|
||||
metadata:
|
||||
name: "FreshRSS OAuth2 Provisioning"
|
||||
labels:
|
||||
app: freshrss
|
||||
entries:
|
||||
- model: authentik_providers_oauth2.oauth2provider
|
||||
identifiers:
|
||||
name: "FreshRSS Provider"
|
||||
attrs:
|
||||
authorization_flow:
|
||||
!Find [
|
||||
authentik_flows.flow,
|
||||
[slug, default-provider-authorization-implicit-consent],
|
||||
]
|
||||
authentication_flow:
|
||||
!Find [authentik_flows.flow, [slug, default-authentication-flow]]
|
||||
invalidation_flow:
|
||||
!Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
|
||||
client_type: "confidential"
|
||||
client_id: "freshrss"
|
||||
|
||||
client_secret: !Env FRESHRSS_OAUTH_SECRET
|
||||
access_code_validity: "minutes=5"
|
||||
token_validity: "days=30"
|
||||
signing_key:
|
||||
!Find [
|
||||
authentik_crypto.certificatekeypair,
|
||||
[name, "authentik Self-signed Certificate"],
|
||||
]
|
||||
redirect_uris:
|
||||
- url: "https://@FRESHRSS_DOMAIN@/i/oidc"
|
||||
matching_mode: "regex"
|
||||
property_mappings:
|
||||
- !Find [
|
||||
authentik_providers_oauth2.scopemapping,
|
||||
[name, "authentik default OAuth Mapping: OpenID 'openid'"],
|
||||
]
|
||||
- !Find [
|
||||
authentik_providers_oauth2.scopemapping,
|
||||
[name, "authentik default OAuth Mapping: OpenID 'email'"],
|
||||
]
|
||||
- !Find [
|
||||
authentik_providers_oauth2.scopemapping,
|
||||
[name, "authentik default OAuth Mapping: OpenID 'profile'"],
|
||||
]
|
||||
|
||||
- model: authentik_core.application
|
||||
identifiers:
|
||||
slug: "freshrss"
|
||||
attrs:
|
||||
name: "FreshRSS"
|
||||
launch_url: "@FRESHRSS_DOMAIN@"
|
||||
provider:
|
||||
!Find [
|
||||
authentik_providers_oauth2.oauth2provider,
|
||||
[name, "FreshRSS Provider"],
|
||||
]
|
||||
Reference in New Issue
Block a user