From 248a0fd69c073bcd07e4dbb79688695b1fb9534c Mon Sep 17 00:00:00 2001
From: Kalle Struik
Date: Fri, 11 Apr 2025 23:12:24 +0200
Subject: [PATCH] Freshrss oidc

---
 roles/freshrss.nix | 26 +++++++++++++++++++++++---
 secrets/cloud.yaml | 7 ++++---
 2 files changed, 27 insertions(+), 6 deletions(-)

diff --git a/roles/freshrss.nix b/roles/freshrss.nix
index 8e3c3f7..e9ccb7d 100644
--- a/roles/freshrss.nix
+++ b/roles/freshrss.nix
@@ -47,10 +47,22 @@
  "freshrss/db_pass" = {
  owner = "freshrss";
  };
- "freshrss/admin_pass" = {
+ "freshrss/client_id" = {
+ owner = "freshrss";
+ };
+ "freshrss/client_secret" = {
  owner = "freshrss";
  };
  };
+
+ sops.templates."freshrss-secret.env" = {
+ owner = "freshrss";
+ content = ''
+ OIDC_CLIENT_ID=${config.sops.placeholder."freshrss/client_id"}
+ OIDC_CLIENT_SECRET=${config.sops.placeholder."freshrss/client_secret"}
+ '';
+ };
+
  systemd.tmpfiles.rules = [
  "d '${config.services.freshrss.dataDir}/cache' 0750 ${config.services.freshrss.user} ${config.services.freshrss.user} - -"
  "d '${config.services.freshrss.dataDir}/users' 0750 ${config.services.freshrss.user} ${config.services.freshrss.user} - -"
@@ -66,6 +78,15 @@
  };
  systemd.services.nginx = {
  after = [ "cephfs.mount" ];
+ serviceConfig = {
+ Environment = [
+ "OIDC_ENABLED=1"
+ "OIDC_PROVIDER_METADATA_URL=https://auth.kallestruik.nl/application/o/freshrss/.well-known/openid-configuration"
+ "OIDC_X_FORWARDED_HEADERS=\"X-Forwarded-Port X-Forwarded-Proto X-Forwarded-Host\""
+ "OIDC_SCOPES=\"openid email profile\""
+ ];
+ EnvironmentFile = config.sops.templates."freshrss-secret.env".path;
+ };
  };
 
  # Enable and configure the service
@@ -74,8 +95,7 @@
  baseUrl = "https://${cfg.domain}";
  virtualHost = cfg.domain;
  dataDir = "/cephfs/appdata/freshrss";
- defaultUser = cfg.adminUser;
- passwordFile = secrets."freshrss/admin_pass".path;
+ authType = "http_auth";
 
  database = {
  type = "pgsql";
diff --git a/secrets/cloud.yaml b/secrets/cloud.yaml
index f3f0f90..988857f 100644
--- a/secrets/cloud.yaml
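Review bot: The rendered `freshrss-secret.env` template is declared with `owner = "freshrss"`, yet the only consumer this commit wires up is nginx's `EnvironmentFile` in the next hunk, so the ownership no longer tells a reader who uses the file. As far as I recall systemd reads `EnvironmentFile` with the service manager's privileges before switching to the unit's `User`, so the owner does not gate that read; what it does do is let the FreshRSS user read an OIDC client secret it has no visible use for. If nginx is the intended reader, `owner = config.services.nginx.user;` matches the actual consumer; if the PHP pool serving FreshRSS is the intended reader, the `EnvironmentFile` belongs on that pool's systemd service rather than on nginx. Either way a one-line comment on the template naming its consumer would avoid the ambiguity.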
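Review bot: The `OIDC_*` variables are injected into nginx's process environment, but nothing in this hunk or elsewhere in the diff shows a component that evaluates them; stock nginx does not act on environment variables, and these names match the wiring the FreshRSS container image uses for Apache's `mod_auth_openidc`. Unless the nginx build on this host carries an OIDC module that reads exactly these names, the provider URL, scopes and the client secret loaded via `EnvironmentFile` are inert and no OIDC login is actually enforced in front of FreshRSS. I would add a comment on `serviceConfig` naming the module that consumes them, e.g. `# OIDC_* are read by <nginx OIDC module> in the freshrss vhost`, with the module name filled in, or, if none does, move the enforcement to the component that performs it and drop the variables here.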
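Review bot: `authType = "http_auth"` makes FreshRSS accept whatever user identity the web server hands it via `REMOTE_USER`, and with `defaultUser` and `passwordFile` removed there is no local login left, so the entire authentication boundary now lives in the vhost, which is outside this diff. That vhost must both enforce the OIDC login and make sure the identity FreshRSS trusts cannot be supplied by the client; neither is visible here and the commit does not say where it happens. A comment on the line would help the next reader: `# http_auth: identity comes from the OIDC layer in front of nginx; FreshRSS does no login of its own in this mode`. The enclosing `services.freshrss` attribute set starts before the hunk.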
+++ b/secrets/cloud.yaml
@@ -1,6 +1,7 @@
 freshrss:
 db_pass: ENC[AES256_GCM,data:6/DOnp9vzUUdibx1FdEMucgXzxsyae7UHwDMC7byaQ8YrQmkGCCDi3Q4ZqE=,iv:LS/IMe97HifOq5uoP5n0++vMLfaiJC6FOQ7tKmR5438=,tag:XLhYQ5N+HbrUOPY6VVB8qA==,type:str]
- admin_pass: ENC[AES256_GCM,data:jyMRdALA/Niy2SQXk37sYUApGZl8i6yDWS+5EsLDmAslEkbqPv49kXv8I2I=,iv:xxVu1CFJQFgfaMOv0lzbloZkSkUetpzK8SCtGlMFZXI=,tag:RQWNHLc0e9Dcf4govwfjjA==,type:str]
+ client_id: ENC[AES256_GCM,data:pn/rhQ4AOngFUAk+Ty0Ms0Vrq2/ZwJj6O1dVKBxNloZnW5i6cEQWvQ==,iv:plsNXFQLNyYlb5EIZZM3AmF2BqGbHDftq6X54w5kBhc=,tag:3FZpwjWQ8O2sIfbaGhsl8Q==,type:str]
+ client_secret: ENC[AES256_GCM,data:86taBVM/JdN0cfLC7Yfl5OPuK55jLDedzYyv+iRZTViZSBfUCoQKLqiZOznHXEH07qJCGSJ9QjmaGy6DbtXjZ1OHAX/9egr8yx0GNdtaoDbzNxYEY0hhzxmMJHdVa5qRaiw+yZNLUzXFBXYjRCltKncAk2h2O+PRnjvgWeYqnzQ=,iv:vlkWwBLcxDGZRWyVRpm8DBQ0ZAPRsB6J/0j+Ucg1p9s=,tag:r/lXsVBncl3d+6kS389GoQ==,type:str]
 postgres:
 freshrss: ENC[AES256_GCM,data:qlo1HBwm7V2WKuhdy8aAKheTL2mUuVuMslSTLYX30ZKHt9IvjmsG6/e3Gjo=,iv:3FF13Hv3X8YG7Nj9oEKX1tuzhbaQv56oKsBvR6u5LT0=,tag:gMh7z+fPnPud2nQA6Lu3KQ==,type:str]
 sops:
@@ -36,8 +37,8 @@ sops:
 aWxTNjVPTmZGMUJFK2ZCMTg1eHlEeTAK7EPDDmFXMGSe96L6vv7ZCrebLxITYHQ/
 TmMTLj6YN+PsdVv3AgKnOytgJll5/GFsmvR5HnDuHaEqDI71q+8nIQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-04-11T19:59:02Z"
- mac: ENC[AES256_GCM,data:RSSDQB8KB1pLWtmbkEGrc1qoh2h/12EY4Wtyuvf5NbgsYEo1nMt8Uhieol3/EtIzE3LL2nszwuECxcOlW7wSQvU+eYjOT403+E/oFqhSfg1QYePJlJCGw/c4F6Hb8xLwLxdWrLpe1JNyDv1e2ENoHrZK75ZADmb3GWOVKOIMp5U=,iv:NINSNtWz5YFLoj3VXTak4lwCwp8bl6ogO1XWwUXDJbs=,tag:mSUjfar7aTJireuUOVTzWg==,type:str]
+ lastmodified: "2025-04-11T21:12:13Z"
+ mac: ENC[AES256_GCM,data:4UJQIwojeJJ+OP2GQfvQUcYG89YeaxHsIvGy3NyTM7W0EhJXPOMfn3laXaiFARcXcenEvchnAoX3DcfNMWouXkzrlWJkESj9OTXBLYQxr0BR1VrrgLyG6L4fXE/+Nse35v8OT3KfdGP46QC3SGCHCValS26mWClBy49MnUj/vQ4=,iv:jIp9+oaYtfoGtuMIed1L9uNg6ShXspx4G3wTMJvZS/4=,tag:XhztQl7NP9rk57nFKlRGVg==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.4