homelab/config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Freshrss oidc

Browse source
This commit is contained in:
kalle 2025-04-11 23:12:24 +02:00
parent 644d0d78ba
commit 248a0fd69c
2 changed files with 27 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
roles/freshrss.nix
View file

@ -47,10 +47,22 @@
"freshrss/db_pass" = { "freshrss/db_pass" = {
owner = "freshrss"; owner = "freshrss";
}; };
"freshrss/admin_pass" = { "freshrss/client_id" = {
owner = "freshrss";
};
"freshrss/client_secret" = {
owner = "freshrss"; owner = "freshrss";
}; };
}; };
sops.templates."freshrss-secret.env" = {
owner = "freshrss";
content = ''
OIDC_CLIENT_ID=${config.sops.placeholder."freshrss/client_id"}
OIDC_CLIENT_SECRET=${config.sops.placeholder."freshrss/client_secret"}
'';
};
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d '${config.services.freshrss.dataDir}/cache' 0750 ${config.services.freshrss.user} ${config.services.freshrss.user} - -" "d '${config.services.freshrss.dataDir}/cache' 0750 ${config.services.freshrss.user} ${config.services.freshrss.user} - -"
"d '${config.services.freshrss.dataDir}/users' 0750 ${config.services.freshrss.user} ${config.services.freshrss.user} - -" "d '${config.services.freshrss.dataDir}/users' 0750 ${config.services.freshrss.user} ${config.services.freshrss.user} - -"
@ -66,6 +78,15 @@
}; };
systemd.services.nginx = { systemd.services.nginx = {
after = [ "cephfs.mount" ]; after = [ "cephfs.mount" ];
serviceConfig = {
Environment = [
"OIDC_ENABLED=1"
"OIDC_PROVIDER_METADATA_URL=https://auth.kallestruik.nl/application/o/freshrss/.well-known/openid-configuration"
"OIDC_X_FORWARDED_HEADERS=\"X-Forwarded-Port X-Forwarded-Proto X-Forwarded-Host\""
"OIDC_SCOPES=\"openid email profile\""
];
EnvironmentFile = config.sops.templates."freshrss-secret.env".path;
};
}; };
# Enable and configure the service # Enable and configure the service
@ -74,8 +95,7 @@
baseUrl = "https://${cfg.domain}"; baseUrl = "https://${cfg.domain}";
virtualHost = cfg.domain; virtualHost = cfg.domain;
dataDir = "/cephfs/appdata/freshrss"; dataDir = "/cephfs/appdata/freshrss";
defaultUser = cfg.adminUser; authType = "http_auth";
passwordFile = secrets."freshrss/admin_pass".path;
database = { database = {
type = "pgsql"; type = "pgsql";

7
secrets/cloud.yaml
View file

@ -1,6 +1,7 @@
freshrss: freshrss:
db_pass: ENC[AES256_GCM,data:6/DOnp9vzUUdibx1FdEMucgXzxsyae7UHwDMC7byaQ8YrQmkGCCDi3Q4ZqE=,iv:LS/IMe97HifOq5uoP5n0++vMLfaiJC6FOQ7tKmR5438=,tag:XLhYQ5N+HbrUOPY6VVB8qA==,type:str] db_pass: ENC[AES256_GCM,data:6/DOnp9vzUUdibx1FdEMucgXzxsyae7UHwDMC7byaQ8YrQmkGCCDi3Q4ZqE=,iv:LS/IMe97HifOq5uoP5n0++vMLfaiJC6FOQ7tKmR5438=,tag:XLhYQ5N+HbrUOPY6VVB8qA==,type:str]
admin_pass: ENC[AES256_GCM,data:jyMRdALA/Niy2SQXk37sYUApGZl8i6yDWS+5EsLDmAslEkbqPv49kXv8I2I=,iv:xxVu1CFJQFgfaMOv0lzbloZkSkUetpzK8SCtGlMFZXI=,tag:RQWNHLc0e9Dcf4govwfjjA==,type:str] client_id: ENC[AES256_GCM,data:pn/rhQ4AOngFUAk+Ty0Ms0Vrq2/ZwJj6O1dVKBxNloZnW5i6cEQWvQ==,iv:plsNXFQLNyYlb5EIZZM3AmF2BqGbHDftq6X54w5kBhc=,tag:3FZpwjWQ8O2sIfbaGhsl8Q==,type:str]
client_secret: ENC[AES256_GCM,data:86taBVM/JdN0cfLC7Yfl5OPuK55jLDedzYyv+iRZTViZSBfUCoQKLqiZOznHXEH07qJCGSJ9QjmaGy6DbtXjZ1OHAX/9egr8yx0GNdtaoDbzNxYEY0hhzxmMJHdVa5qRaiw+yZNLUzXFBXYjRCltKncAk2h2O+PRnjvgWeYqnzQ=,iv:vlkWwBLcxDGZRWyVRpm8DBQ0ZAPRsB6J/0j+Ucg1p9s=,tag:r/lXsVBncl3d+6kS389GoQ==,type:str]
postgres: postgres:
freshrss: ENC[AES256_GCM,data:qlo1HBwm7V2WKuhdy8aAKheTL2mUuVuMslSTLYX30ZKHt9IvjmsG6/e3Gjo=,iv:3FF13Hv3X8YG7Nj9oEKX1tuzhbaQv56oKsBvR6u5LT0=,tag:gMh7z+fPnPud2nQA6Lu3KQ==,type:str] freshrss: ENC[AES256_GCM,data:qlo1HBwm7V2WKuhdy8aAKheTL2mUuVuMslSTLYX30ZKHt9IvjmsG6/e3Gjo=,iv:3FF13Hv3X8YG7Nj9oEKX1tuzhbaQv56oKsBvR6u5LT0=,tag:gMh7z+fPnPud2nQA6Lu3KQ==,type:str]
sops: sops:
@ -36,8 +37,8 @@ sops:
aWxTNjVPTmZGMUJFK2ZCMTg1eHlEeTAK7EPDDmFXMGSe96L6vv7ZCrebLxITYHQ/ aWxTNjVPTmZGMUJFK2ZCMTg1eHlEeTAK7EPDDmFXMGSe96L6vv7ZCrebLxITYHQ/
TmMTLj6YN+PsdVv3AgKnOytgJll5/GFsmvR5HnDuHaEqDI71q+8nIQ== TmMTLj6YN+PsdVv3AgKnOytgJll5/GFsmvR5HnDuHaEqDI71q+8nIQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-04-11T19:59:02Z" lastmodified: "2025-04-11T21:12:13Z"
mac: ENC[AES256_GCM,data:RSSDQB8KB1pLWtmbkEGrc1qoh2h/12EY4Wtyuvf5NbgsYEo1nMt8Uhieol3/EtIzE3LL2nszwuECxcOlW7wSQvU+eYjOT403+E/oFqhSfg1QYePJlJCGw/c4F6Hb8xLwLxdWrLpe1JNyDv1e2ENoHrZK75ZADmb3GWOVKOIMp5U=,iv:NINSNtWz5YFLoj3VXTak4lwCwp8bl6ogO1XWwUXDJbs=,tag:mSUjfar7aTJireuUOVTzWg==,type:str] mac: ENC[AES256_GCM,data:4UJQIwojeJJ+OP2GQfvQUcYG89YeaxHsIvGy3NyTM7W0EhJXPOMfn3laXaiFARcXcenEvchnAoX3DcfNMWouXkzrlWJkESj9OTXBLYQxr0BR1VrrgLyG6L4fXE/+Nse35v8OT3KfdGP46QC3SGCHCValS26mWClBy49MnUj/vQ4=,iv:jIp9+oaYtfoGtuMIed1L9uNg6ShXspx4G3wTMJvZS/4=,tag:XhztQl7NP9rk57nFKlRGVg==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.4 version: 3.9.4