hackclub/burrow
1
0
Fork 0
Code Pull requests Releases Packages Activity Actions

Move Burrow Google account aliases into agenix

Browse source
This commit is contained in:
Conrad Kramer 2026-04-18 02:18:22 -07:00
parent bc85e256f2
commit c58d06dfc1
5 changed files with 48 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

24
nixos/modules/burrow-authentik.nix
View file

@ -180,6 +180,12 @@ in
description = "Host-local file containing the Google OAuth client secret for the Authentik source.";
};
googleAccountMapFile = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = "Optional host-local JSON file mapping external Google accounts onto Burrow Authentik users.";
};
googleSourceSlug = lib.mkOption {
type = lib.types.str;
default = "google";
@ -477,7 +483,7 @@ EOF
cfg.envFile
cfg.googleClientIDFile
cfg.googleClientSecretFile
];
] ++ lib.optional (cfg.googleAccountMapFile != null) cfg.googleAccountMapFile;
path = [
pkgs.bash
pkgs.coreutils
@ -501,12 +507,16 @@ EOF
export AUTHENTIK_GOOGLE_USER_MATCHING_MODE=email_link
export AUTHENTIK_GOOGLE_CLIENT_ID="$(tr -d '\r\n' < ${lib.escapeShellArg cfg.googleClientIDFile})"
export AUTHENTIK_GOOGLE_CLIENT_SECRET="$(tr -d '\r\n' < ${lib.escapeShellArg cfg.googleClientSecretFile})"
export AUTHENTIK_GOOGLE_ACCOUNT_MAP_JSON='${builtins.toJSON (map (user: {
source_email = user.sourceEmail;
username = user.username;
email = user.email;
name = user.name;
}) (lib.filter (user: user.sourceEmail != null) cfg.bootstrapUsers))}'
if [ -n ${lib.escapeShellArg (cfg.googleAccountMapFile or "")} ]; then
export AUTHENTIK_GOOGLE_ACCOUNT_MAP_JSON="$(tr -d '\n' < ${lib.escapeShellArg (cfg.googleAccountMapFile or "/dev/null")})"
else
export AUTHENTIK_GOOGLE_ACCOUNT_MAP_JSON='${builtins.toJSON (map (user: {
source_email = user.sourceEmail;
username = user.username;
email = user.email;
name = user.name;
}) (lib.filter (user: user.sourceEmail != null) cfg.bootstrapUsers))}'
fi
${pkgs.bash}/bin/bash ${googleSourceSyncScript}
'';