nixconfig/modules/server/containers/data/authentik/homepage.yaml

version: 1
metadata:
  name: "Homepage Dashboard - OIDC Provisioning"
  labels:
    app: homepage

entries:
  - model: authentik_providers_oauth2.scopemapping
    identifiers:
      name: "Homepage Custom Scope: Groups"
    attrs:
      scope_name: "groups"
      description: "Pass user groups array to Homepage for conditional element rendering"
      expression: |
        return {
            "groups": [group.name for group in request.user.ak_groups.all()]
        }
  # 1. Create the OAuth2/OIDC Provider
  - model: authentik_providers_oauth2.oauth2provider
    identifiers:
      name: "Homepage Provider"
    attrs:
      authorization_flow:
        !Find [
          authentik_flows.flow,
          [slug, default-provider-authorization-implicit-consent],
        ]
      authentication_flow:
        !Find [authentik_flows.flow, [slug, default-authentication-flow]]
      invalidation_flow:
        !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
      client_type: "confidential"
      client_id: "homepage"
      client_secret: !Env HOMEPAGE_VAR_OAUTH_SECRET
      access_code_validity: "minutes=5"
      token_validity: "days=30"
      redirect_uris:
        - url: "https://@HOMEPAGE_DOMAIN@/login"
          matching_mode: "regex"
      signing_key:
        !Find [
          authentik_crypto.certificatekeypair,
          [name, "authentik Self-signed Certificate"],
        ]
      property_mappings:
        - !Find [
            authentik_providers_oauth2.scopemapping,
            [name, "authentik default OAuth Mapping: OpenID 'openid'"],
          ]
        - !Find [
            authentik_providers_oauth2.scopemapping,
            [name, "authentik default OAuth Mapping: OpenID 'email'"],
          ]
        - !Find [
            authentik_providers_oauth2.scopemapping,
            [name, "authentik default OAuth Mapping: OpenID 'profile'"],
          ]
        - !Find [
            authentik_providers_oauth2.scopemapping,
            [name, "Homepage Custom Scope: Groups"],
          ]

  # 2. Create the Application and link it to the Provider
  - model: authentik_core.application
    identifiers:
      slug: homepage
    attrs:
      name: "Homepage"
      launch_url: "@HOMEPAGE_DOMAIN@"
      provider:
        !Find [
          authentik_providers_oauth2.oauth2provider,
          [name, Homepage Provider],
        ]
      open_in_new_tab: false

  # 3. Provision the static API token linked to the user account
  - model: authentik_core.user
    state: present
    identifiers:
      username: homepage-svc
    attrs:
      name: Homepage Dashboard Service Account
      path: goauthentik.io/service-accounts
      is_active: true
      attributes:
        goauthentik.io/user/service-account: true

  - model: authentik_policies.policybinding
    state: present
    identifiers:
      user: !Find [authentik_core.user, [username, "homepage-svc"]]
      permission: authentik_core.view_user
    attrs:
      enabled: true

  - model: authentik_policies.policybinding
    state: present
    identifiers:
      user: !Find [authentik_core.user, [username, "homepage-svc"]]
      permission: authentik_events.view_event
    attrs:
      enabled: true

  - model: authentik_core.token
    state: present
    identifiers:
      identifier: homepage-token
    attrs:
      key: !Env HOMEPAGE_VAR_AUTHENTIK_API
      user: !Find [authentik_core.user, [username, "homepage-svc"]]
      intent: api
      expiring: false