feat: paperless oauth

2024-03-12 22:49:54 +01:00 · 2024-03-12 22:49:54 +01:00 · 4f8a3c32bf
parent 654b1c0318
commit 4f8a3c32bf
4 changed files with 49 additions and 0 deletions
--- a/hosts/elisabeth/secrets/kanidm/generated/oauth2-paperless.age
+++ b/hosts/elisabeth/secrets/kanidm/generated/oauth2-paperless.age
--- a/hosts/elisabeth/secrets/kanidm/secrets.nix.age
+++ b/hosts/elisabeth/secrets/kanidm/secrets.nix.age
--- a/modules/services/kanidm.nix
+++ b/modules/services/kanidm.nix
@ -33,6 +33,11 @@ in {
      mode = "440";
      group = "kanidm";
    };
+    oauth2-paperless = {
+      generator.script = "alnum";
+      mode = "440";
+      group = "kanidm";
+    };
    oauth2-forgejo = {
      generator.script = "alnum";
      mode = "440";
@ -60,6 +65,21 @@ in {

      inherit (config.secrets.secrets.local.kanidm) persons;

+      groups."paperless.access" = {
+        members = ["paperless.admins"];
+      };
+      # currently not usable
+      groups."paperless.admins" = {
+        members = ["administrator"];
+      };
+      systems.oauth2.paperless = {
+        displayName = "paperless";
+        originUrl = "https://ppl.${config.secrets.secrets.global.domains.web}/";
+        basicSecretFile = config.age.secrets.oauth2-paperless.path;
+        scopeMaps."paperless.access" = ["openid" "email" "profile"];
+        preferShortUsername = true;
+      };
+
      groups."nextcloud.access" = {
        members = ["nextcloud.admins"];
      };
--- a/modules/services/paperless.nix
+++ b/modules/services/paperless.nix
@ -1,4 +1,6 @@
 {
+  pkgs,
+  nodes,
  config,
  lib,
  ...
@ -81,6 +83,22 @@ in {
      PAPERLESS_CORS_ALLOWED_HOSTS = "https://${paperlessdomain}";
      PAPERLESS_TRUSTED_PROXIES = lib.net.cidr.host config.secrets.secrets.global.net.ips.elisabeth config.secrets.secrets.global.net.privateSubnetv4;

+      PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
+
+      PAPERLESS_SOCIALACCOUNT_PROVIDERS = builtins.toJSON {
+        openid_connect = {
+          OAUTH_PKCE_PROVIDER = "True";
+          APPS = [
+            rec {
+              provider_id = "kanidm";
+              name = "Kanidm";
+              client_id = "paperless";
+              settings.server_url = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/${client_id}/.well-known/openid-configuration";
+            }
+          ];
+        };
+      };
+
      # let nginx do all the compression
      PAPERLESS_ENABLE_COMPRESSION = false;
      PAPERLESS_CONSUMER_ENABLE_BARCODES = true;
@ -110,4 +128,15 @@ in {
      mode = "0770";
    }
  ];
+  # Mirror the original oauth2 secret
+  age.secrets.paperless-oauth2-client-secret = {
+    inherit (nodes.elisabeth-kanidm.config.age.secrets.oauth2-paperless) rekeyFile;
+    mode = "440";
+    group = "paperless";
+  };
+
+  systemd.services.paperless-web.script = lib.mkBefore ''
+    paperlessClientSecret=$(< ${config.age.secrets.paperless-oauth2-client-secret.path})
+    export PAPERLESS_SOCIALACCOUNT_PROVIDERS="$( <<< $PAPERLESS_SOCIALACCOUNT_PROVIDERS ${pkgs.jq}/bin/jq -c --arg paperlessClientSecret "$paperlessClientSecret" '.openid_connect.APPS.[0].secret = $paperlessClientSecret')"
+  '';
 }