Compare commits
No commits in common. "abd5a3597031820ad46f11ad4457f090fe017c76" and "bc85e256f2299908468d7007306fd5f62d7e1eeb" have entirely different histories.
abd5a35970
...
bc85e256f2
5 changed files with 10 additions and 48 deletions
|
|
@ -8,6 +8,7 @@
|
||||||
contact = {
|
contact = {
|
||||||
displayName = "Burrow";
|
displayName = "Burrow";
|
||||||
canonicalEmail = "contact@burrow.net";
|
canonicalEmail = "contact@burrow.net";
|
||||||
|
sourceEmail = "net.burrow@gmail.com";
|
||||||
isAdmin = true;
|
isAdmin = true;
|
||||||
forgeAuthorized = true;
|
forgeAuthorized = true;
|
||||||
bootstrapAuthentik = true;
|
bootstrapAuthentik = true;
|
||||||
|
|
@ -21,6 +22,7 @@
|
||||||
conrad = {
|
conrad = {
|
||||||
displayName = "Conrad Kramer";
|
displayName = "Conrad Kramer";
|
||||||
canonicalEmail = "conrad@burrow.net";
|
canonicalEmail = "conrad@burrow.net";
|
||||||
|
sourceEmail = "ckrames1234@gmail.com";
|
||||||
isAdmin = true;
|
isAdmin = true;
|
||||||
forgeAuthorized = false;
|
forgeAuthorized = false;
|
||||||
bootstrapAuthentik = true;
|
bootstrapAuthentik = true;
|
||||||
|
|
@ -30,29 +32,6 @@
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
jett = {
|
|
||||||
displayName = "Jett";
|
|
||||||
canonicalEmail = "jett@burrow.net";
|
|
||||||
isAdmin = true;
|
|
||||||
forgeAuthorized = false;
|
|
||||||
bootstrapAuthentik = true;
|
|
||||||
roles = [
|
|
||||||
"member"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
davnotdev = {
|
|
||||||
displayName = "David";
|
|
||||||
canonicalEmail = "davnotdev@burrow.net";
|
|
||||||
isAdmin = true;
|
|
||||||
forgeAuthorized = false;
|
|
||||||
bootstrapAuthentik = true;
|
|
||||||
roles = [
|
|
||||||
"member"
|
|
||||||
"operator"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
agent = {
|
agent = {
|
||||||
displayName = "Burrow Agent";
|
displayName = "Burrow Agent";
|
||||||
canonicalEmail = "agent@burrow.net";
|
canonicalEmail = "agent@burrow.net";
|
||||||
|
|
|
||||||
|
|
@ -13,6 +13,7 @@ let
|
||||||
inherit username;
|
inherit username;
|
||||||
name = identity.displayName;
|
name = identity.displayName;
|
||||||
email = identity.canonicalEmail;
|
email = identity.canonicalEmail;
|
||||||
|
sourceEmail = identity.sourceEmail or null;
|
||||||
isAdmin = identity.isAdmin or false;
|
isAdmin = identity.isAdmin or false;
|
||||||
passwordFile = authentikPasswordSecretPath identity;
|
passwordFile = authentikPasswordSecretPath identity;
|
||||||
}
|
}
|
||||||
|
|
@ -84,12 +85,6 @@ in
|
||||||
group = "root";
|
group = "root";
|
||||||
mode = "0400";
|
mode = "0400";
|
||||||
};
|
};
|
||||||
age.secrets.burrowAuthentikGoogleAccountMap = {
|
|
||||||
file = ../../../secrets/infra/authentik-google-account-map.json.age;
|
|
||||||
owner = "root";
|
|
||||||
group = "root";
|
|
||||||
mode = "0400";
|
|
||||||
};
|
|
||||||
age.secrets.burrowAuthentikUiTestPassword = {
|
age.secrets.burrowAuthentikUiTestPassword = {
|
||||||
file = ../../../secrets/infra/authentik-ui-test-password.age;
|
file = ../../../secrets/infra/authentik-ui-test-password.age;
|
||||||
owner = "root";
|
owner = "root";
|
||||||
|
|
@ -163,7 +158,6 @@ in
|
||||||
tailscaleClientSecretFile = config.age.secrets.burrowTailscaleOidcClientSecret.path;
|
tailscaleClientSecretFile = config.age.secrets.burrowTailscaleOidcClientSecret.path;
|
||||||
googleClientIDFile = config.age.secrets.burrowAuthentikGoogleClientId.path;
|
googleClientIDFile = config.age.secrets.burrowAuthentikGoogleClientId.path;
|
||||||
googleClientSecretFile = config.age.secrets.burrowAuthentikGoogleClientSecret.path;
|
googleClientSecretFile = config.age.secrets.burrowAuthentikGoogleClientSecret.path;
|
||||||
googleAccountMapFile = config.age.secrets.burrowAuthentikGoogleAccountMap.path;
|
|
||||||
googleLoginMode = "redirect";
|
googleLoginMode = "redirect";
|
||||||
userGroupName = contributors.groups.users;
|
userGroupName = contributors.groups.users;
|
||||||
adminGroupName = contributors.groups.admins;
|
adminGroupName = contributors.groups.admins;
|
||||||
|
|
|
||||||
|
|
@ -180,12 +180,6 @@ in
|
||||||
description = "Host-local file containing the Google OAuth client secret for the Authentik source.";
|
description = "Host-local file containing the Google OAuth client secret for the Authentik source.";
|
||||||
};
|
};
|
||||||
|
|
||||||
googleAccountMapFile = lib.mkOption {
|
|
||||||
type = lib.types.nullOr lib.types.str;
|
|
||||||
default = null;
|
|
||||||
description = "Optional host-local JSON file mapping external Google accounts onto Burrow Authentik users.";
|
|
||||||
};
|
|
||||||
|
|
||||||
googleSourceSlug = lib.mkOption {
|
googleSourceSlug = lib.mkOption {
|
||||||
type = lib.types.str;
|
type = lib.types.str;
|
||||||
default = "google";
|
default = "google";
|
||||||
|
|
@ -483,7 +477,7 @@ EOF
|
||||||
cfg.envFile
|
cfg.envFile
|
||||||
cfg.googleClientIDFile
|
cfg.googleClientIDFile
|
||||||
cfg.googleClientSecretFile
|
cfg.googleClientSecretFile
|
||||||
] ++ lib.optional (cfg.googleAccountMapFile != null) cfg.googleAccountMapFile;
|
];
|
||||||
path = [
|
path = [
|
||||||
pkgs.bash
|
pkgs.bash
|
||||||
pkgs.coreutils
|
pkgs.coreutils
|
||||||
|
|
@ -507,16 +501,12 @@ EOF
|
||||||
export AUTHENTIK_GOOGLE_USER_MATCHING_MODE=email_link
|
export AUTHENTIK_GOOGLE_USER_MATCHING_MODE=email_link
|
||||||
export AUTHENTIK_GOOGLE_CLIENT_ID="$(tr -d '\r\n' < ${lib.escapeShellArg cfg.googleClientIDFile})"
|
export AUTHENTIK_GOOGLE_CLIENT_ID="$(tr -d '\r\n' < ${lib.escapeShellArg cfg.googleClientIDFile})"
|
||||||
export AUTHENTIK_GOOGLE_CLIENT_SECRET="$(tr -d '\r\n' < ${lib.escapeShellArg cfg.googleClientSecretFile})"
|
export AUTHENTIK_GOOGLE_CLIENT_SECRET="$(tr -d '\r\n' < ${lib.escapeShellArg cfg.googleClientSecretFile})"
|
||||||
if [ -n ${lib.escapeShellArg (cfg.googleAccountMapFile or "")} ]; then
|
export AUTHENTIK_GOOGLE_ACCOUNT_MAP_JSON='${builtins.toJSON (map (user: {
|
||||||
export AUTHENTIK_GOOGLE_ACCOUNT_MAP_JSON="$(tr -d '\n' < ${lib.escapeShellArg (cfg.googleAccountMapFile or "/dev/null")})"
|
source_email = user.sourceEmail;
|
||||||
else
|
username = user.username;
|
||||||
export AUTHENTIK_GOOGLE_ACCOUNT_MAP_JSON='${builtins.toJSON (map (user: {
|
email = user.email;
|
||||||
source_email = user.sourceEmail;
|
name = user.name;
|
||||||
username = user.username;
|
}) (lib.filter (user: user.sourceEmail != null) cfg.bootstrapUsers))}'
|
||||||
email = user.email;
|
|
||||||
name = user.name;
|
|
||||||
}) (lib.filter (user: user.sourceEmail != null) cfg.bootstrapUsers))}'
|
|
||||||
fi
|
|
||||||
|
|
||||||
${pkgs.bash}/bin/bash ${googleSourceSyncScript}
|
${pkgs.bash}/bin/bash ${googleSourceSyncScript}
|
||||||
'';
|
'';
|
||||||
|
|
|
||||||
|
|
@ -14,7 +14,6 @@ in
|
||||||
"secrets/infra/authentik.env.age".publicKeys = burrowForgeRecipients;
|
"secrets/infra/authentik.env.age".publicKeys = burrowForgeRecipients;
|
||||||
"secrets/infra/authentik-google-client-id.age".publicKeys = burrowForgeRecipients;
|
"secrets/infra/authentik-google-client-id.age".publicKeys = burrowForgeRecipients;
|
||||||
"secrets/infra/authentik-google-client-secret.age".publicKeys = burrowForgeRecipients;
|
"secrets/infra/authentik-google-client-secret.age".publicKeys = burrowForgeRecipients;
|
||||||
"secrets/infra/authentik-google-account-map.json.age".publicKeys = burrowForgeRecipients;
|
|
||||||
"secrets/infra/authentik-ui-test-password.age".publicKeys = uiTestRecipients;
|
"secrets/infra/authentik-ui-test-password.age".publicKeys = uiTestRecipients;
|
||||||
"secrets/infra/forgejo-oidc-client-secret.age".publicKeys = burrowForgeRecipients;
|
"secrets/infra/forgejo-oidc-client-secret.age".publicKeys = burrowForgeRecipients;
|
||||||
"secrets/infra/forgejo-nsc-autoscaler-config.age".publicKeys = burrowForgeRecipients;
|
"secrets/infra/forgejo-nsc-autoscaler-config.age".publicKeys = burrowForgeRecipients;
|
||||||
|
|
|
||||||
Binary file not shown.
Loading…
Add table
Add a link
Reference in a new issue