Freshrss oidc
parent
644d0d78ba
commit
248a0fd69c
2 changed files with 27 additions and 6 deletions
|
@ -47,10 +47,22 @@
|
||||||
"freshrss/db_pass" = {
|
"freshrss/db_pass" = {
|
||||||
owner = "freshrss";
|
owner = "freshrss";
|
||||||
};
|
};
|
||||||
"freshrss/admin_pass" = {
|
"freshrss/client_id" = {
|
||||||
|
owner = "freshrss";
|
||||||
|
};
|
||||||
|
"freshrss/client_secret" = {
|
||||||
owner = "freshrss";
|
owner = "freshrss";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
sops.templates."freshrss-secret.env" = {
|
||||||
|
owner = "freshrss";
|
||||||
|
content = ''
|
||||||
|
OIDC_CLIENT_ID=${config.sops.placeholder."freshrss/client_id"}
|
||||||
|
OIDC_CLIENT_SECRET=${config.sops.placeholder."freshrss/client_secret"}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
systemd.tmpfiles.rules = [
|
systemd.tmpfiles.rules = [
|
||||||
"d '${config.services.freshrss.dataDir}/cache' 0750 ${config.services.freshrss.user} ${config.services.freshrss.user} - -"
|
"d '${config.services.freshrss.dataDir}/cache' 0750 ${config.services.freshrss.user} ${config.services.freshrss.user} - -"
|
||||||
"d '${config.services.freshrss.dataDir}/users' 0750 ${config.services.freshrss.user} ${config.services.freshrss.user} - -"
|
"d '${config.services.freshrss.dataDir}/users' 0750 ${config.services.freshrss.user} ${config.services.freshrss.user} - -"
|
||||||
|
@ -66,6 +78,15 @@
|
||||||
};
|
};
|
||||||
systemd.services.nginx = {
|
systemd.services.nginx = {
|
||||||
after = [ "cephfs.mount" ];
|
after = [ "cephfs.mount" ];
|
||||||
|
serviceConfig = {
|
||||||
|
Environment = [
|
||||||
|
"OIDC_ENABLED=1"
|
||||||
|
"OIDC_PROVIDER_METADATA_URL=https://auth.kallestruik.nl/application/o/freshrss/.well-known/openid-configuration"
|
||||||
|
"OIDC_X_FORWARDED_HEADERS=\"X-Forwarded-Port X-Forwarded-Proto X-Forwarded-Host\""
|
||||||
|
"OIDC_SCOPES=\"openid email profile\""
|
||||||
|
];
|
||||||
|
EnvironmentFile = config.sops.templates."freshrss-secret.env".path;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# Enable and configure the service
|
# Enable and configure the service
|
||||||
|
@ -74,8 +95,7 @@
|
||||||
baseUrl = "https://${cfg.domain}";
|
baseUrl = "https://${cfg.domain}";
|
||||||
virtualHost = cfg.domain;
|
virtualHost = cfg.domain;
|
||||||
dataDir = "/cephfs/appdata/freshrss";
|
dataDir = "/cephfs/appdata/freshrss";
|
||||||
defaultUser = cfg.adminUser;
|
authType = "http_auth";
|
||||||
passwordFile = secrets."freshrss/admin_pass".path;
|
|
||||||
|
|
||||||
database = {
|
database = {
|
||||||
type = "pgsql";
|
type = "pgsql";
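Review bot: `authType = "http_auth"` makes FreshRSS accept the user name the web server hands it, yet the only OIDC wiring visible in this section is a set of `OIDC_*` variables on `systemd.services.nginx`, and nothing shown here makes nginx run an OIDC flow or set `REMOTE_USER`. As far as I know those variables are read by the Apache mod_auth_openidc setup that FreshRSS ships rather than by nginx, so please confirm that an unauthenticated request to the vhost is rejected and that a client-supplied user header is never trusted. The `EnvironmentFile` line also places `OIDC_CLIENT_SECRET` in the environment of the nginx unit, which presumably serves other virtual hosts as well; attaching the file only to the unit that performs the token exchange would scope the secret more tightly. I would add a comment above the `authType` line such as `# http_auth: identity comes from the web server; this vhost must only be reachable through the OIDC-enforcing front end`. The nginx and freshrss attribute sets both continue outside the hunks shown.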
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
freshrss:
|
freshrss:
|
||||||
db_pass: ENC[AES256_GCM,data:6/DOnp9vzUUdibx1FdEMucgXzxsyae7UHwDMC7byaQ8YrQmkGCCDi3Q4ZqE=,iv:LS/IMe97HifOq5uoP5n0++vMLfaiJC6FOQ7tKmR5438=,tag:XLhYQ5N+HbrUOPY6VVB8qA==,type:str]
|
db_pass: ENC[AES256_GCM,data:6/DOnp9vzUUdibx1FdEMucgXzxsyae7UHwDMC7byaQ8YrQmkGCCDi3Q4ZqE=,iv:LS/IMe97HifOq5uoP5n0++vMLfaiJC6FOQ7tKmR5438=,tag:XLhYQ5N+HbrUOPY6VVB8qA==,type:str]
|
||||||
admin_pass: ENC[AES256_GCM,data:jyMRdALA/Niy2SQXk37sYUApGZl8i6yDWS+5EsLDmAslEkbqPv49kXv8I2I=,iv:xxVu1CFJQFgfaMOv0lzbloZkSkUetpzK8SCtGlMFZXI=,tag:RQWNHLc0e9Dcf4govwfjjA==,type:str]
|
client_id: ENC[AES256_GCM,data:pn/rhQ4AOngFUAk+Ty0Ms0Vrq2/ZwJj6O1dVKBxNloZnW5i6cEQWvQ==,iv:plsNXFQLNyYlb5EIZZM3AmF2BqGbHDftq6X54w5kBhc=,tag:3FZpwjWQ8O2sIfbaGhsl8Q==,type:str]
|
||||||
|
client_secret: ENC[AES256_GCM,data:86taBVM/JdN0cfLC7Yfl5OPuK55jLDedzYyv+iRZTViZSBfUCoQKLqiZOznHXEH07qJCGSJ9QjmaGy6DbtXjZ1OHAX/9egr8yx0GNdtaoDbzNxYEY0hhzxmMJHdVa5qRaiw+yZNLUzXFBXYjRCltKncAk2h2O+PRnjvgWeYqnzQ=,iv:vlkWwBLcxDGZRWyVRpm8DBQ0ZAPRsB6J/0j+Ucg1p9s=,tag:r/lXsVBncl3d+6kS389GoQ==,type:str]
|
||||||
postgres:
|
postgres:
|
||||||
freshrss: ENC[AES256_GCM,data:qlo1HBwm7V2WKuhdy8aAKheTL2mUuVuMslSTLYX30ZKHt9IvjmsG6/e3Gjo=,iv:3FF13Hv3X8YG7Nj9oEKX1tuzhbaQv56oKsBvR6u5LT0=,tag:gMh7z+fPnPud2nQA6Lu3KQ==,type:str]
|
freshrss: ENC[AES256_GCM,data:qlo1HBwm7V2WKuhdy8aAKheTL2mUuVuMslSTLYX30ZKHt9IvjmsG6/e3Gjo=,iv:3FF13Hv3X8YG7Nj9oEKX1tuzhbaQv56oKsBvR6u5LT0=,tag:gMh7z+fPnPud2nQA6Lu3KQ==,type:str]
|
||||||
sops:
|
sops:
|
||||||
|
@ -36,8 +37,8 @@ sops:
|
||||||
aWxTNjVPTmZGMUJFK2ZCMTg1eHlEeTAK7EPDDmFXMGSe96L6vv7ZCrebLxITYHQ/
|
aWxTNjVPTmZGMUJFK2ZCMTg1eHlEeTAK7EPDDmFXMGSe96L6vv7ZCrebLxITYHQ/
|
||||||
TmMTLj6YN+PsdVv3AgKnOytgJll5/GFsmvR5HnDuHaEqDI71q+8nIQ==
|
TmMTLj6YN+PsdVv3AgKnOytgJll5/GFsmvR5HnDuHaEqDI71q+8nIQ==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2025-04-11T19:59:02Z"
|
lastmodified: "2025-04-11T21:12:13Z"
|
||||||
mac: ENC[AES256_GCM,data:RSSDQB8KB1pLWtmbkEGrc1qoh2h/12EY4Wtyuvf5NbgsYEo1nMt8Uhieol3/EtIzE3LL2nszwuECxcOlW7wSQvU+eYjOT403+E/oFqhSfg1QYePJlJCGw/c4F6Hb8xLwLxdWrLpe1JNyDv1e2ENoHrZK75ZADmb3GWOVKOIMp5U=,iv:NINSNtWz5YFLoj3VXTak4lwCwp8bl6ogO1XWwUXDJbs=,tag:mSUjfar7aTJireuUOVTzWg==,type:str]
|
mac: ENC[AES256_GCM,data:4UJQIwojeJJ+OP2GQfvQUcYG89YeaxHsIvGy3NyTM7W0EhJXPOMfn3laXaiFARcXcenEvchnAoX3DcfNMWouXkzrlWJkESj9OTXBLYQxr0BR1VrrgLyG6L4fXE/+Nse35v8OT3KfdGP46QC3SGCHCValS26mWClBy49MnUj/vQ4=,iv:jIp9+oaYtfoGtuMIed1L9uNg6ShXspx4G3wTMJvZS/4=,tag:XhztQl7NP9rk57nFKlRGVg==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.9.4
|
version: 3.9.4
|
||||||
|
|