Compare commits
No commits in common. "abd5a3597031820ad46f11ad4457f090fe017c76" and "bc85e256f2299908468d7007306fd5f62d7e1eeb" have entirely different histories.
abd5a35970
...
bc85e256f2
5 changed files with 10 additions and 48 deletions
|
|
@ -8,6 +8,7 @@
|
|||
contact = {
|
||||
displayName = "Burrow";
|
||||
canonicalEmail = "contact@burrow.net";
|
||||
sourceEmail = "net.burrow@gmail.com";
|
||||
isAdmin = true;
|
||||
forgeAuthorized = true;
|
||||
bootstrapAuthentik = true;
|
||||
|
|
@ -21,6 +22,7 @@
|
|||
conrad = {
|
||||
displayName = "Conrad Kramer";
|
||||
canonicalEmail = "conrad@burrow.net";
|
||||
sourceEmail = "ckrames1234@gmail.com";
|
||||
isAdmin = true;
|
||||
forgeAuthorized = false;
|
||||
bootstrapAuthentik = true;
|
||||
|
|
@ -30,29 +32,6 @@
|
|||
];
|
||||
};
|
||||
|
||||
jett = {
|
||||
displayName = "Jett";
|
||||
canonicalEmail = "jett@burrow.net";
|
||||
isAdmin = true;
|
||||
forgeAuthorized = false;
|
||||
bootstrapAuthentik = true;
|
||||
roles = [
|
||||
"member"
|
||||
];
|
||||
};
|
||||
|
||||
davnotdev = {
|
||||
displayName = "David";
|
||||
canonicalEmail = "davnotdev@burrow.net";
|
||||
isAdmin = true;
|
||||
forgeAuthorized = false;
|
||||
bootstrapAuthentik = true;
|
||||
roles = [
|
||||
"member"
|
||||
"operator"
|
||||
];
|
||||
};
|
||||
|
||||
agent = {
|
||||
displayName = "Burrow Agent";
|
||||
canonicalEmail = "agent@burrow.net";
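Review bot: The `sourceEmail` values added to `contact` and `conrad` put external personal mailbox addresses into the contributors set as plain text, while the mapping they replace was kept in `authentik-google-account-map.json.age`, an age-encrypted secret deployed root-only with mode 0400 (removed in the other sections of this compare). Because the module now serialises these entries with `builtins.toJSON` into the sync script, they will presumably also land in the world-readable Nix store and in the repository history, so the previous "this map is a secret" decision is effectively reversed; if that is intended it deserves a comment on the attribute, e.g. `# sourceEmail: external identity used for Google account linking; treated as public config, not a secret`. If it is not intended, keeping the map in the age secret and only exposing `sourceEmail` for users who opt in would preserve the earlier boundary. The enclosing attribute set continues outside the hunk.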
|
||||
|
|
|
|||
|
|
@ -13,6 +13,7 @@ let
|
|||
inherit username;
|
||||
name = identity.displayName;
|
||||
email = identity.canonicalEmail;
|
||||
sourceEmail = identity.sourceEmail or null;
|
||||
isAdmin = identity.isAdmin or false;
|
||||
passwordFile = authentikPasswordSecretPath identity;
|
||||
}
|
||||
|
|
@ -84,12 +85,6 @@ in
|
|||
group = "root";
|
||||
mode = "0400";
|
||||
};
|
||||
age.secrets.burrowAuthentikGoogleAccountMap = {
|
||||
file = ../../../secrets/infra/authentik-google-account-map.json.age;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
mode = "0400";
|
||||
};
|
||||
age.secrets.burrowAuthentikUiTestPassword = {
|
||||
file = ../../../secrets/infra/authentik-ui-test-password.age;
|
||||
owner = "root";
|
||||
|
|
@ -163,7 +158,6 @@ in
|
|||
tailscaleClientSecretFile = config.age.secrets.burrowTailscaleOidcClientSecret.path;
|
||||
googleClientIDFile = config.age.secrets.burrowAuthentikGoogleClientId.path;
|
||||
googleClientSecretFile = config.age.secrets.burrowAuthentikGoogleClientSecret.path;
|
||||
googleAccountMapFile = config.age.secrets.burrowAuthentikGoogleAccountMap.path;
|
||||
googleLoginMode = "redirect";
|
||||
userGroupName = contributors.groups.users;
|
||||
adminGroupName = contributors.groups.admins;
|
||||
|
|
|
|||
|
|
@ -180,12 +180,6 @@ in
|
|||
description = "Host-local file containing the Google OAuth client secret for the Authentik source.";
|
||||
};
|
||||
|
||||
googleAccountMapFile = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.str;
|
||||
default = null;
|
||||
description = "Optional host-local JSON file mapping external Google accounts onto Burrow Authentik users.";
|
||||
};
|
||||
|
||||
googleSourceSlug = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "google";
|
||||
|
|
@ -483,7 +477,7 @@ EOF
|
|||
cfg.envFile
|
||||
cfg.googleClientIDFile
|
||||
cfg.googleClientSecretFile
|
||||
] ++ lib.optional (cfg.googleAccountMapFile != null) cfg.googleAccountMapFile;
|
||||
];
|
||||
path = [
|
||||
pkgs.bash
|
||||
pkgs.coreutils
|
||||
|
|
@ -507,16 +501,12 @@ EOF
|
|||
export AUTHENTIK_GOOGLE_USER_MATCHING_MODE=email_link
|
||||
export AUTHENTIK_GOOGLE_CLIENT_ID="$(tr -d '\r\n' < ${lib.escapeShellArg cfg.googleClientIDFile})"
|
||||
export AUTHENTIK_GOOGLE_CLIENT_SECRET="$(tr -d '\r\n' < ${lib.escapeShellArg cfg.googleClientSecretFile})"
|
||||
if [ -n ${lib.escapeShellArg (cfg.googleAccountMapFile or "")} ]; then
|
||||
export AUTHENTIK_GOOGLE_ACCOUNT_MAP_JSON="$(tr -d '\n' < ${lib.escapeShellArg (cfg.googleAccountMapFile or "/dev/null")})"
|
||||
else
|
||||
export AUTHENTIK_GOOGLE_ACCOUNT_MAP_JSON='${builtins.toJSON (map (user: {
|
||||
source_email = user.sourceEmail;
|
||||
username = user.username;
|
||||
email = user.email;
|
||||
name = user.name;
|
||||
}) (lib.filter (user: user.sourceEmail != null) cfg.bootstrapUsers))}'
|
||||
fi
|
||||
export AUTHENTIK_GOOGLE_ACCOUNT_MAP_JSON='${builtins.toJSON (map (user: {
|
||||
source_email = user.sourceEmail;
|
||||
username = user.username;
|
||||
email = user.email;
|
||||
name = user.name;
|
||||
}) (lib.filter (user: user.sourceEmail != null) cfg.bootstrapUsers))}'
|
||||
|
||||
${pkgs.bash}/bin/bash ${googleSourceSyncScript}
|
||||
'';
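Review bot: The inlined `export AUTHENTIK_GOOGLE_ACCOUNT_MAP_JSON='${builtins.toJSON ...}'` wraps Nix-generated JSON in a single-quoted shell literal, so any `'` in a `displayName`, `email` or `username` (names like O'Brien are plausible) terminates the quote and the remainder of the value is parsed as shell — a correctness problem and, since the values come from the contributors set rather than the removed secret file, a quoting boundary worth closing. The file already uses `lib.escapeShellArg` two lines earlier for the client id and secret; applying it here, `export AUTHENTIK_GOOGLE_ACCOUNT_MAP_JSON=${lib.escapeShellArg (builtins.toJSON (map (user: { source_email = user.sourceEmail; username = user.username; email = user.email; name = user.name; }) (lib.filter (user: user.sourceEmail != null) cfg.bootstrapUsers)))}`, makes the embedded JSON safe for every value. The same defect existed in the removed `else` branch, so this is not a regression, but the new code is now the only path. The `''` script string starts outside the hunk.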
|
||||
|
|
|
|||
|
|
@ -14,7 +14,6 @@ in
|
|||
"secrets/infra/authentik.env.age".publicKeys = burrowForgeRecipients;
|
||||
"secrets/infra/authentik-google-client-id.age".publicKeys = burrowForgeRecipients;
|
||||
"secrets/infra/authentik-google-client-secret.age".publicKeys = burrowForgeRecipients;
|
||||
"secrets/infra/authentik-google-account-map.json.age".publicKeys = burrowForgeRecipients;
|
||||
"secrets/infra/authentik-ui-test-password.age".publicKeys = uiTestRecipients;
|
||||
"secrets/infra/forgejo-oidc-client-secret.age".publicKeys = burrowForgeRecipients;
|
||||
"secrets/infra/forgejo-nsc-autoscaler-config.age".publicKeys = burrowForgeRecipients;
|
||||
|
|
|
|||
Binary file not shown.