This commit is contained in:
soraefir
2026-05-31 14:21:50 +02:00
parent cdfdb24910
commit fcf923f068
3 changed files with 65 additions and 3 deletions


@@ -11,6 +11,7 @@ let
// (if serverCfg.containers?jellyfin then { JELLYFIN_DOMAIN = "${serverCfg.containers.jellyfin.subdomain}.${serverCfg.domain}";} else {}) // (if serverCfg.containers?jellyfin then { JELLYFIN_DOMAIN = "${serverCfg.containers.jellyfin.subdomain}.${serverCfg.domain}";} else {})
// (if serverCfg.containers?gitea then { GITEA_DOMAIN = "${serverCfg.containers.gitea.subdomain}.${serverCfg.domain}";} else {}) // (if serverCfg.containers?gitea then { GITEA_DOMAIN = "${serverCfg.containers.gitea.subdomain}.${serverCfg.domain}";} else {})
// (if serverCfg.containers?immich then { IMMICH_DOMAIN = "${serverCfg.containers.immich.subdomain}.${serverCfg.domain}";} else {}) // (if serverCfg.containers?immich then { IMMICH_DOMAIN = "${serverCfg.containers.immich.subdomain}.${serverCfg.domain}";} else {})
// (if serverCfg.containers?homepage then { HOMEPAGE_DOMAIN = "${serverCfg.containers.homepage.subdomain}.${serverCfg.domain}";} else {})
// (if serverCfg.containers?nextcloud then { NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain}.${serverCfg.domain}";} else {}); // (if serverCfg.containers?nextcloud then { NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain}.${serverCfg.domain}";} else {});
}; };
in { in {
@@ -49,6 +50,8 @@ in {
AUTHENTIK_POSTGRESQL__SSLMODE = "disable"; AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
}; };
overrides = { overrides = {
environmentFiles = [ config.sops.secrets."AUTHENTIK".path config.sops.secrets."CUSTOM".path ] ;
cmd = [ "server" ]; cmd = [ "server" ];
volumes = [ volumes = [
"${serverCfg.configPath}/authentik/media:/media" "${serverCfg.configPath}/authentik/media:/media"
@@ -104,6 +107,7 @@ in {
${lib.optionalString (serverCfg.containers ? jellyfin) ''$AK apply_blueprint /blueprints/custom/jellyfin.yaml''} ${lib.optionalString (serverCfg.containers ? jellyfin) ''$AK apply_blueprint /blueprints/custom/jellyfin.yaml''}
${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''} ${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''}
${lib.optionalString (serverCfg.containers ? immich) ''$AK apply_blueprint /blueprints/custom/immich.yaml''} ${lib.optionalString (serverCfg.containers ? immich) ''$AK apply_blueprint /blueprints/custom/immich.yaml''}
${lib.optionalString (serverCfg.containers ? homepage) ''$AK apply_blueprint /blueprints/custom/homepage.yaml''}
echo "Completed Authentik Setup" echo "Completed Authentik Setup"
''; '';
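Review bot: The new `$AK apply_blueprint /blueprints/custom/homepage.yaml` line resolves `!Env HOMEPAGE_CLIENT_ID`/`HOMEPAGE_CLIENT_SECRET` from the environment of whatever process `$AK` runs in, and the `environmentFiles` added on the `server` override is the only place in this diff where the `CUSTOM` secret file is injected, so if `$AK` execs into the worker container (or runs on the host) those lookups come back empty and the provider is created without credentials. The setup script also echoes "Completed Authentik Setup" regardless of the exit status of the preceding applies, so a failing homepage blueprint goes unnoticed unless the enclosing script runs under `set -e` outside the hunk; consider `$AK apply_blueprint /blueprints/custom/homepage.yaml || { echo "homepage blueprint failed" >&2; exit 1; }` (and the same treatment for the other applies). A comment on the `environmentFiles` line would also help the next maintainer, e.g. `# CUSTOM must define every !Env name referenced by /blueprints/custom/*.yaml (per-app OIDC client ids/secrets)`. Both the `overrides` attribute set and the setup script start outside the hunk.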


@@ -0,0 +1,58 @@
version: 1
metadata:
name: "Homepage Dashboard - OIDC Provisioning"
labels:
blueprints.goauthentik.io/instantiate: "true"
entries:
# 1. Create the OIDC Scope Mapping for Groups
- model: authentik_providers_oauth2.scopemapping
identifiers:
slug: homepage-scope-groups
attrs:
name: "Homepage Custom Scope: Groups"
scope_name: "groups"
description: "Pass user groups array to Homepage for conditional element rendering"
expression: |
return {
"groups": [group.name for group in request.user.ak_groups.all()]
}
# 2. Create the OAuth2/OIDC Provider
- model: authentik_providers_oauth2.oauth2provider
identifiers:
slug: homepage-provider
attrs:
name: "Homepage Dashboard Provider"
client_type: "confidential"
client_id: !Env HOMEPAGE_CLIENT_ID"
client_secret: !Env HOMEPAGE_CLIENT_SECRET"
authorization_flow:
!Find [authentik_flows.flow, [slug, default-authorization-flow]]
# Update this URI to match your dashboard's literal URL
redirect_uris:
- "https://@HOMEPAGE_DOMAIN@"
# Bind default OpenID scopes plus our custom groups scope
property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
- !Find [
authentik_providers_oauth2.scopemapping,
[slug, homepage-scope-groups],
]
# 3. Create the Application and link it to the Provider
- model: authentik_core.application
identifiers:
slug: homepage-dashboard
attrs:
name: "Homepage Dashboard"
slug: "homepage"
launch_url: "@HOMEPAGE_DOMAIN@"
provider:
!Find [
authentik_providers_oauth2.oauth2provider,
[slug, homepage-provider],
]
open_in_new_tab: false
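Review bot: `client_id: !Env HOMEPAGE_CLIENT_ID"` and `client_secret: !Env HOMEPAGE_CLIENT_SECRET"` each carry a stray trailing double quote, so the plain scalar handed to `!Env` is the variable name with a `"` appended; that variable is never set, the tag yields an empty value, and the provider ends up with no usable client id/secret (or the entry fails validation at apply time). The fix is `client_id: !Env HOMEPAGE_CLIENT_ID` and `client_secret: !Env HOMEPAGE_CLIENT_SECRET`. Two consistency points worth checking: `launch_url: "@HOMEPAGE_DOMAIN@"` has no scheme while the redirect URI uses `https://`, and `redirect_uris` as a bare string list does not match the `{matching_mode, url}` object form newer authentik releases expect, so confirm against the deployed version (strict matching on the bare origin will also reject any callback path Homepage's OIDC client actually uses — verify the real callback URL). Since this is a new file, a header comment stating which secret file supplies the two `!Env` names and where `@HOMEPAGE_DOMAIN@` gets substituted before `apply_blueprint` would help, e.g. `# HOMEPAGE_CLIENT_ID/SECRET come from the CUSTOM sops file; @HOMEPAGE_DOMAIN@ is replaced before apply_blueprint`.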


@@ -1,4 +1,4 @@
CUSTOM: ENC[AES256_GCM,data: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,iv:5gU606gsV26rHAvF+F9gNVJK86+g5j8APsl72FJVMAw=,tag:SclRqy3hntTwbufpaW5A8g==,type:str] CUSTOM: ENC[AES256_GCM,data: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,iv:bTWJJY/wAw79E1VwPCPGKhMpYD7gA8AJC6csCY7dADU=,tag:YalqYrrQuOtTqT/yaiEByQ==,type:str]
TRAEFIK: ENC[AES256_GCM,data:Ei+/OL7xwNaOEg3rSaz95N78nvp51lC63XCplNzeD+bBMGcK9G7HoyQxfpaJ7S0MkuMW0ZXT2nJ4GES40GoJCZIrnEiSBm2tpjDfNjlS/rFwxx0wVfM1nsEuBf3pL5dqiCNa9+Lad2Cd,iv:d1MH0ive+E8xuUK0CIOXZeEigHJKVGlFaq0iH4KSbZA=,tag:VTARuNeotr2I0+fdOk+iqA==,type:str] TRAEFIK: ENC[AES256_GCM,data:Ei+/OL7xwNaOEg3rSaz95N78nvp51lC63XCplNzeD+bBMGcK9G7HoyQxfpaJ7S0MkuMW0ZXT2nJ4GES40GoJCZIrnEiSBm2tpjDfNjlS/rFwxx0wVfM1nsEuBf3pL5dqiCNa9+Lad2Cd,iv:d1MH0ive+E8xuUK0CIOXZeEigHJKVGlFaq0iH4KSbZA=,tag:VTARuNeotr2I0+fdOk+iqA==,type:str]
AUTHENTIK: ENC[AES256_GCM,data:HlUFb7JjzSMTM345miSLlUE4SEXgaRAx7SkDDQzaJzs9VuifJKtOE2M4PCKc35VjVt9xIFH+YoIE93re10Rwbe+QEaUphPOgb/G7jRhaaPV/roBYuv6uO5xy68jaVJZpobxajOSVUmJa1JANCh1qrX0+Imr6udYULvK6wQzAnu2tEDkElQ3eZtezUa4E5ia1j7RCYTTPW9oie+YEVJl5Aws2HzPK5q0wKojZOmHanbnKzij3KnSgtsMc3ftL1Fam3wlSk2n3Tw0nz8aBag9IPwYje5zdBkDJY6qiBwYKcBPQUIW+Na0xX2JHymwJSzMdKmW8cEV9b1fXCPsnYVXulb4VMVkTk4MibZ3YT57wlFhqhSy7D39ZTySllIZg8sOrj8cKhpJ3HlSbceD1GnPJatVzZkDkDeyICLu9sYX3B+KrCDlL5sUMPagUFc3g3HUAPxLVPltoP69ro69acUoz5w8gkAwHlE45I3biC/jLz4telEcW8GkF868j3gsHiayE3f87T5MOPvuvhAFdSMl3SF1ND3mWjJq7+FmA6BhxgESg4m+vPnYyVumcbXJnbgfW69BgPYcL1CWZcA+SP6OWg9GOYT5SuWixkaGn2TgRAUj3nlCcAja8,iv:uXAyOIBl9lGYBvALMdvp2hf6cj6QGWRcyUvEsjIDr1I=,tag:iLxO/qYT2zafXhFGVVUYkA==,type:str] AUTHENTIK: ENC[AES256_GCM,data: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,iv:uXAyOIBl9lGYBvALMdvp2hf6cj6QGWRcyUvEsjIDr1I=,tag:iLxO/qYT2zafXhFGVVUYkA==,type:str]
NEXTCLOUD: ENC[AES256_GCM,data:IWitzubILQ5SrGdO3UQZboisqAECt5lXOqHVg4yAKxedG7ZLOgVp6jPV+4VVDC13KEkxIsiYjjNvjqnOXCdYWQIC13YZ+o2IBDI9PgavBB3nmjfi0Q7BVki6C8qCtbM5H9uFlQ3h7rkPyEbE3pHa3dY5uwgdtmvw3qKf2UAZGIJCU7dKamjuTCucGitOEG434jFQik9duHZs7EV3AZrkLXqOfdvftvdpciDb/4/K7h/4uEYSXJ94Lf0b16/NRUcR,iv:1UvcbqC3hJEHU9t6Z+N226DTJEcgM315ynYkxPKpYSM=,tag:FGkXlUw+7LRu1/cpMys7OA==,type:str] NEXTCLOUD: ENC[AES256_GCM,data:IWitzubILQ5SrGdO3UQZboisqAECt5lXOqHVg4yAKxedG7ZLOgVp6jPV+4VVDC13KEkxIsiYjjNvjqnOXCdYWQIC13YZ+o2IBDI9PgavBB3nmjfi0Q7BVki6C8qCtbM5H9uFlQ3h7rkPyEbE3pHa3dY5uwgdtmvw3qKf2UAZGIJCU7dKamjuTCucGitOEG434jFQik9duHZs7EV3AZrkLXqOfdvftvdpciDb/4/K7h/4uEYSXJ94Lf0b16/NRUcR,iv:1UvcbqC3hJEHU9t6Z+N226DTJEcgM315ynYkxPKpYSM=,tag:FGkXlUw+7LRu1/cpMys7OA==,type:str]
@@ -32,8 +32,8 @@ sops:
S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk
d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA== d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-05-31T11:03:08Z" lastmodified: "2026-05-31T12:17:44Z"
mac: ENC[AES256_GCM,data:gjoWffoFZSfDQSoz3gtt9WO7dITWYPjqI6C9LLGhB6sdBPpNMKtnnOd/3xYa6mk925aRiW4kyPmOSmoxVwC4rX8ftLBSCjVKmf5EuGg/eo7hEU9Igkb3BTk/siBMppBChf9F+3NK1V2iAUstte6EhGw50i0NKiuPv575Js/WJDI=,iv:I1sIPlb4a+hf7ABAVXwNvCcNHR17EzdEhdBxR2WFmlI=,tag:vg761r3Jxeze08Vj3fnwLA==,type:str] mac: ENC[AES256_GCM,data:2zhI9jCR045JOZrKKGwQCzcZmL3RvgOZgrKS4nxljWuDgglbpa29D46uq73yFaBQVhjt8fl+vGutZJfwM+TJokPMf61HXXN3uC1MiBy1RlMVnIcWL7aFQLzbwFvoMVV0fmaGSz+zBOOh6ypBykOkGo6VTUHGHwPvjgY21N2jDQU=,iv:xN7ULx1Bp8Fwq2aojj7fwkZT8nssybqMJ62zKNymH3Y=,tag:LG7c0sjY5AwIDmx+GD3drg==,type:str]
pgp: pgp:
- created_at: "2026-05-05T23:46:27Z" - created_at: "2026-05-05T23:46:27Z"
enc: |- enc: |-