freshrss oidc

2026-06-01 22:27:12 +02:00
parent 7805758114
commit 70eb9f8664
4 changed files with 81 additions and 16 deletions
--- a/modules/server/containers/apps/authentik.nix
+++ b/modules/server/containers/apps/authentik.nix
@@ -11,6 +11,7 @@ let
    // (if serverCfg.containers?jellyfin then { JELLYFIN_DOMAIN = "${serverCfg.containers.jellyfin.subdomain}.${serverCfg.domain}";} else {})
    // (if serverCfg.containers?gitea then { GITEA_DOMAIN = "${serverCfg.containers.gitea.subdomain}.${serverCfg.domain}";} else {})
    // (if serverCfg.containers?immich then { IMMICH_DOMAIN = "${serverCfg.containers.immich.subdomain}.${serverCfg.domain}";} else {})
+    // (if serverCfg.containers?freshrss then { FRESHRSS_DOMAIN = "${serverCfg.containers.freshrss.subdomain}.${serverCfg.domain}";} else {})
    // (if serverCfg.containers?homepage then { HOMEPAGE_DOMAIN = "${serverCfg.containers.homepage.subdomain}.${serverCfg.domain}";} else {})
    // (if serverCfg.containers?nextcloud then { NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain}.${serverCfg.domain}";} else {});
  };
@@ -107,6 +108,7 @@ in {
      ${lib.optionalString (serverCfg.containers ? jellyfin) ''$AK apply_blueprint /blueprints/custom/jellyfin.yaml''}
      ${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''}
      ${lib.optionalString (serverCfg.containers ? immich) ''$AK apply_blueprint /blueprints/custom/immich.yaml''}
+      ${lib.optionalString (serverCfg.containers ? freshrss) ''$AK apply_blueprint /blueprints/custom/freshrss.yaml''}
      ${lib.optionalString (serverCfg.containers ? homepage) ''$AK apply_blueprint /blueprints/custom/homepage.yaml''}

      echo "Completed Authentik Setup"
--- a/modules/server/containers/apps/freshrss.nix
+++ b/modules/server/containers/apps/freshrss.nix
@@ -26,29 +26,34 @@ in {
        PGID = "1000";
        TRUSTED_PROXY = "10.0.0.0/8 192.168.0.1/16";
        PUBLISHED_PORT = "80";
-        ADMIN_PASSWORD = "admin"; # Change this to a secure password in production!
-        ADMIN_API_PASSWORD = "admin"; # Change this to a secure password in production!
-        BASE_URL = "https://${containerCfg.subdomain}.${serverCfg.domain}";
-        SERVER_DNS = "${containerCfg.subdomain}.${serverCfg.domain}";
-        DB_HOST = "${builder.host}";
-        DB_BASE = "freshrss_db";
-        DB_USER = "freshrss_user";
+
+        OIDC_PROVIDER_METADATA_URL = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/o/freshrss/.well-known/openid-configuration";
+        OIDC_REMOTE_USER_CLAIM = "preferred_username";
+        OIDC_CLIENT_ID = "freshrss";
+        OIDC_SCOPES = "openid profile";
+        OIDC_X_FORWARDED_HEADERS = "X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto";
+        OIDC_CLIENT_SECRET = "123"; #SECRET
+        # OIDC_CLIENT_CRYPTO_KEY = "123"; #SECRET
      };

      overrides = {
-        volumes = [
-          "${serverCfg.configPath}/freshrss:/config"
-        ];
+        volumes = [];
      };
    };
  };

  setup = {
    trigger = "server"; # Triggers atomic environment verification on main controller
-    envFile = config.sops.secrets."FRESHRSS".path;
+    envFile = [ config.sops.secrets."FRESHRSS".path config.sops.secrets."CUSTOM".path];
    script = pkgs.writeShellScript "setup-freshrss" ''
-      RSS_URL="https://${containerCfg.subdomain}.${serverCfg.domain}"
-      ${pkgs.curl}/bin/curl -s -X POST "$RSS_URL/i/index.php?step=0" -H "Content-Type: application/x-www-form-urlencoded" --data-raw "language=en"
+
+      RSS="${pkgs.podman}/bin/podman --events-backend=none exec freshrss-server"
+      $RSS ./cli/prepare.php
+      $RSS ./cli/do-install.php --default-user $DEFAULT_ADMIN_USERNAME --auth-type http_auth --base-url https://${containerCfg.subdomain}.${serverCfg.domain} --language en \
+        --title RSS --api-enabled --db-type pgsql --db-host ${builder.host} --db-user freshrss-user --db-API $DB_PASSWORD --db-base freshrss-db
+      $RSS ./cli/reconfigure.php
+      $RSS ./cli/update-user.php --user $DEFAULT_ADMIN_USERNAME --password $DEFAULT_ADMIN_PASSWORD --email $DEFAULT_ADMIN_EMAIL
+      
    '';
  };
 }
--- a/modules/server/containers/data/authentik/freshrss.yaml
+++ b/modules/server/containers/data/authentik/freshrss.yaml
@@ -0,0 +1,58 @@
+version: 1
+metadata:
+  name: "FreshRSS OAuth2 Provisioning"
+  labels:
+    app: freshrss
+entries:
+  - model: authentik_providers_oauth2.oauth2provider
+    identifiers:
+      name: "FreshRSS Provider"
+    attrs:
+      authorization_flow:
+        !Find [
+          authentik_flows.flow,
+          [slug, default-provider-authorization-implicit-consent],
+        ]
+      authentication_flow:
+        !Find [authentik_flows.flow, [slug, default-authentication-flow]]
+      invalidation_flow:
+        !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+      client_type: "confidential"
+      client_id: "freshrss"
+
+      client_secret: !Env FRESHRSS_OAUTH_SECRET
+      access_code_validity: "minutes=5"
+      token_validity: "days=30"
+      signing_key:
+        !Find [
+          authentik_crypto.certificatekeypair,
+          [name, "authentik Self-signed Certificate"],
+        ]
+      redirect_uris:
+        - url: "https://@FRESHRSS_DOMAIN@/i/oidc"
+          matching_mode: "regex"
+      property_mappings:
+        - !Find [
+            authentik_providers_oauth2.scopemapping,
+            [name, "authentik default OAuth Mapping: OpenID 'openid'"],
+          ]
+        - !Find [
+            authentik_providers_oauth2.scopemapping,
+            [name, "authentik default OAuth Mapping: OpenID 'email'"],
+          ]
+        - !Find [
+            authentik_providers_oauth2.scopemapping,
+            [name, "authentik default OAuth Mapping: OpenID 'profile'"],
+          ]
+
+  - model: authentik_core.application
+    identifiers:
+      slug: "freshrss"
+    attrs:
+      name: "FreshRSS"
+      launch_url: "@FRESHRSS_DOMAIN@"
+      provider:
+        !Find [
+          authentik_providers_oauth2.oauth2provider,
+          [name, "FreshRSS Provider"],
+        ]
--- a/modules/server/sops/server.yaml
+++ b/modules/server/sops/server.yaml
@@ -1,4 +1,4 @@
-CUSTOM: ENC[AES256_GCM,data:7QblAIVKUop4NOE4DvuTJUFigXoc0VJ20ADbSjunP1JZfCvrWSZU0gJRr1jmJ2uZrtyWOZUlISmn0HzzGpeJ+FPmj2tCSiqd8aG+j62Dz3JObVJikFde6f95vcn7cnX9AL4IUil+bB6vCPojEskmHVTmcqy9APN7fOlkpvWkBPgN1FnN2PBxIFGNspRHasWZBfXdkpKU2fOLDv6oeNq3U/6o+mqdZru6pHqVsCLOrq8svdoLnWV7KSZ6PFK9HaxI4BfasXZvZaoMSlAKaREeQx52M3xab6vCCh7lTUN2oQD0B47bQhWrC/QpK2e3EdUBfzJWL94tUcTFbLpN+5qwdl6rfM17laFP6ZAjOnYrnK5PXPnOI7WARFw2bs4rBJka+GgCTy8jYgOSGae1Gl1ti9cLkuSy2kiUf2N5uIr5x796TyLA6RH5eGapSR9h+7uTMtozM4TJ3NNwYkvMJR5Uh/5sDNnZ6kcWhqpfvFC9ZFYB7v6wdbYY2As9jLMBPmUe38ivTrqsQSQAdKCgQotGXFEG228VideGn6DeBQCv2T2OVFQHxjYFiTq11S0eOlO87PVGDlOpd6RaKyZJ9mjORTisSNGlFK+GhQtQ0KFMxdZiolEY3Q4UqBR4J5Dx40xSK/1Jo1dZV+P8gRKtdKkVGb2wzjYtfKPlDB1mH3YTl+tU/xomeBnvHm4+XyD7kivCbnLs+009sFocRGPDr7M9MRHwLVBV5UCnewJEJDTvVbPddDSQK/P8gHLYN3pzc6H24dIjWe2w2LSjEEoPh0gCHBBICt746c0N2iJvL190qB9AY7iLMXpitrmYcLVrqfQN3/pzafxNMLaOTIwVc2yeOXwlLBzd1Ze8Inp/e/kirgWQJtjjj3OiqBWnuCLG9d3vCHz7HJidhvX3rSrdqElir6LrjwxJA3g6beNLtnMlM1a4aQS/ouStN1M3u+fMW+iSc3JDsKFH+1qesgPm409+wQPDeRMzsAfKot9tGOH8Y2PV9sBXe2k7H/x3IDIHoY+ArECMIQu/VSU4zmyAZFSYQwvLdvzVjC6vmGrS2gsDpXT0bWW9R5bJuPQTd9wCQhIFJ8oTtmlgJcJ9Xt0bmckhMzsyi5jWZcMgRsaBLmaGCDZ1yQNK/EwFMJwCEf2tgNqLSPuOLFn3RsmSV0sfjghlzxUJtSDeWhgidjGOHSfkgc8tnBVOxfR7mqNoZiMEhymlGUr2sHQR4CDS/YNccwBQR/bktp0eRxvsyfKuFIEPzpRnYtBV9ZUPa/BPKJ9MTuVoJu6bKWR6J9fU0Gltrti+uGUt9/LM6rVGsGYiazIHRfTW1oq3NuipMbmqPneegIk=,iv:bwKIbhcmV0Z5jwrkhI71BDq+og7ZqFVVc3eR2UNa7iE=,tag:l0oi/zALYAOy/43cbA4uZg==,type:str]
+CUSTOM: ENC[AES256_GCM,data:UdxcMBZVmWKoikP713KcpuiMH0OJbR+CFvJ9Os4lTfLkVb0PMOCftprLKIdVbb39Ov4O1F4cpWbVD5ypCj5PPBygQM8ce1bDNRa/M7E3VPPwZw5ZtXtkgGlPwPpuHeoVC1K8XxltxpuqdQtSNUPsDg4rYnsEaXTnpJ3YTWHliM7W1oU8okEgxdtQFvjcHFhNTTSNKHfMHd3CyOABf1J0FX55uqgXydCBbeHnge9Rbiue4FjIdewvpZatVy6mhi0ILGEEL6XAObkFrWrv9rLWM/ymd6Lb5I+xAkmYTJ7AaYfaokTey/NJ1cJ5KBftQBgQ5Wo11kfRuNrGGRZROT59vGIEaO/QUiiKndsSGE5XpRylAkHNV8SEHg2PWeI8fz/n2zVRT6Gmy+xXQTbvEhRm+LQ2hMNXVEzUq47tsPL2OXcWgNZKrhz95Ct2/OegPI7/HTdMmD3Wbqs3FlrkOMrL1W3GKCzUfV69cmXFy8llXBMyEk7Vf/+2CjOmeDuvjlFKF4Jkip/rVGB5rTB4xPToS5tCz2qksggaRXidd4lSCyI+CxZN9NdL8klMSJ0bhawxltt3xMBO7egF4KDHmxJTBvohp4HBHZXy3pJ9AXQX2aYzC+L9cjSkvto7qyuC5rD/HgX8n4YiHFR8ua72bickgZ2JKpNawVDRWdDFNyVBCQbhZfkZzyCECQ1AfNUn969TQsTzP91vEk+F2QzmoE6hYEVJ8PRg2p89TeevcTuH70qVBMT2TAtLAlkZ4gQegByo4vvjtSGlFzHy5idKTxjHM/HTLkRImCXRBj663PU7e/zse+bCzk6DfhM4JsNt8mZRRPU1cYqnzgfjz5O+IP50BUYYgmsoQhNKH22E3tUaXihvddNusfnxdq5RFgwcGTcfIVUSB3c98Q1yf2Ft896dzl9OLcRj6tsAUId2e3iJ13FhZEpm5Y+zc5CSAdOuEAya0j5FRYopMUkKJ8uC/CRXTFuSIAo4kw9/Dc05Td/IsLGVQKnL9oyWzj7p1V4J0hLc37ELF5/TShFmkCL99m50XXctupVoLOVP35O36QzFcduw8knNF9iNqrK42tTS8Jt1ZY3BR4L5Nm1TM9rMO6afGy18b1fag5Zk7pByTzGwLped7ST2qf3R3KtbK3CWXbojpnQhYHYnDVaXT0JCPhdqSRIXV+f7hFEH6AwvyCkoahBO19oL6/YizqJe51pKQqWudzVjqDhSt9Z9NsqLRfCIL+cl63LSjQjhyBXKTtxJbqqkYP6uGLULAE89WUzjP5D1oE8EspHmcpirfDyjLa6JJyLWBMGbFDAzHeOJT3AXmGXNvEYsHk28DrJ+LsWFH8MDUPFCXz2Acj8M0B1Kv8822/Xir4xw2AlnS2Y0mL6i8evQ7S2/wg0C9G/nscLZfNeFOvph+sZhQd3/5osgit38TwWPCvg6ulu9nzDjAjI8vAZ3PG/d1PgeJzoWLDmE1EDxqDlR/UFq,iv:0bnj/W2ys7bNJKfAfUmgsiXeyHdiqhRAeB3qDGU2Is0=,tag:oiZMxOk4ABhzguaZbRQZxg==,type:str]
 TRAEFIK: ENC[AES256_GCM,data:Ei+/OL7xwNaOEg3rSaz95N78nvp51lC63XCplNzeD+bBMGcK9G7HoyQxfpaJ7S0MkuMW0ZXT2nJ4GES40GoJCZIrnEiSBm2tpjDfNjlS/rFwxx0wVfM1nsEuBf3pL5dqiCNa9+Lad2Cd,iv:d1MH0ive+E8xuUK0CIOXZeEigHJKVGlFaq0iH4KSbZA=,tag:VTARuNeotr2I0+fdOk+iqA==,type:str]
 AUTHENTIK: ENC[AES256_GCM,data:HlUFb7JjzSMTM345miSLlUE4SEXgaRAx7SkDDQzaJzs9VuifJKtOE2M4PCKc35VjVt9xIFH+YoIE93re10Rwbe+QEaUphPOgb/G7jRhaaPV/roBYuv6uO5xy68jaVJZpobxajOSVUmJa1JANCh1qrX0+Imr6udYULvK6wQzAnu2tEDkElQ3eZtezUa4E5ia1j7RCYTTPW9oie+YEVJl5Aws2HzPK5q0wKojZOmHanbnKzij3KnSgtsMc3ftL1Fam3wlSk2n3Tw0nz8aBag9IPwYje5zdBkDJY6qiBwYKcBPQUIW+Na0xX2JHymwJSzMdKmW8cEV9b1fXCPsnYVXulb4VMVkTk4MibZ3YT57wlFhqhSy7D39ZTySllIZg8sOrj8cKhpJ3HlSbceD1GnPJatVzZkDkDeyICLu9sYX3B+KrCDlL5sUMPagUFc3g3HUAPxLVPltoP69ro69acUoz5w8gkAwHlE45I3biC/jLz4telEcW8GkF868j3gsHiayE3f87T5MOPvuvhAFdSMl3SF1ND3mWjJq7+FmA6BhxgESg4m+vPnYyVumcbXJnbgfW69BgPYcL1CWZcA+SP6OWg9GOYT5SuWixkaGn2TgRAUj3nlCcAja8,iv:uXAyOIBl9lGYBvALMdvp2hf6cj6QGWRcyUvEsjIDr1I=,tag:iLxO/qYT2zafXhFGVVUYkA==,type:str]
 NEXTCLOUD: ENC[AES256_GCM,data:IWitzubILQ5SrGdO3UQZboisqAECt5lXOqHVg4yAKxedG7ZLOgVp6jPV+4VVDC13KEkxIsiYjjNvjqnOXCdYWQIC13YZ+o2IBDI9PgavBB3nmjfi0Q7BVki6C8qCtbM5H9uFlQ3h7rkPyEbE3pHa3dY5uwgdtmvw3qKf2UAZGIJCU7dKamjuTCucGitOEG434jFQik9duHZs7EV3AZrkLXqOfdvftvdpciDb/4/K7h/4uEYSXJ94Lf0b16/NRUcR,iv:1UvcbqC3hJEHU9t6Z+N226DTJEcgM315ynYkxPKpYSM=,tag:FGkXlUw+7LRu1/cpMys7OA==,type:str]
@@ -35,8 +35,8 @@ sops:
            S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk
            d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-06-01T16:51:24Z"
-    mac: ENC[AES256_GCM,data:rwOoGGhzrCVJGNbHRAG+yjbneeseLlwtBO2ZmTKXWbruZ9Zu4T41DntxkFl+Lw3vTrLriAPiRkdvxTEVRS9ehHTAikUiyPO18vJmOLhlNq7n/HE2YqADJMq2cIJLGhCzA1AFuB5p07ovATPoUyo2OHvnEDgcRVdXJ+ml5zPTvSU=,iv:vYYShdVUDW1SsDlDEpO2EAaahIDexxBLJ5cs5fIx3qA=,tag:F5Q6zAXtRumGYYLDLGL5mw==,type:str]
+    lastmodified: "2026-06-01T20:24:35Z"
+    mac: ENC[AES256_GCM,data:AJXUt6rewB5foPc18+tIoKeFhlvUlSMv4blrpdyvHIg1srnK86M2Kbp9NT2rANrVFY42JsiyAzQEvGnvn+u/g9/0RspQFhIqEb1ghV8iRZ5Y0tB/qXFTs8rWFRnrY9APhJLyrJiNIXWwhPnifC1sfU8SlQsC5ijwHN3Zt1xTo00=,iv:lQGHV0zNt1o9ZyKBRIyHC6ihyMXS4RBXYNX95VvupCA=,tag:QpsSs8WC/kT5mTKUn+T2kA==,type:str]
    pgp:
        - created_at: "2026-05-05T23:46:27Z"
          enc: |-