feat: firefly remote user auth

2024-05-24 22:03:14 +02:00 · 2024-05-24 22:03:14 +02:00 · 9efb2817c3
parent 8509fb833b
commit 9efb2817c3
4 changed files with 10 additions and 2 deletions
--- a/config/services/firefly.nix
+++ b/config/services/firefly.nix
@ -26,6 +26,9 @@
      TRUSTED_PROXIES = nodes.elisabeth.config.wireguard.elisabeth.ipv4;
      SITE_OWNER = "firefly-admin@${config.secrets.secrets.global.domains.mail_public}";
      APP_KEY_FILE = config.age.secrets.appKey.path;
      AUTHENTICATION_GUARD = "remote_user_guard";
      AUTHENTICATION_GUARD_HEADER = "X-User";
      AUTHENTICATION_GUARD_EMAIL = "X-Email";
    };
  };
--- a/config/services/kanidm.nix
+++ b/config/services/kanidm.nix
@ -121,6 +121,7 @@ in {
      };
      groups."rss.access" = {};
      groups."firefly.access" = {};
      groups."adguardhome.access" = {
      };
      systems.oauth2.oauth2-proxy = {
@ -129,11 +130,13 @@ in {
        basicSecretFile = config.age.secrets.oauth2-proxy.path;
        scopeMaps."adguardhome.access" = ["openid" "email" "profile"];
        scopeMaps."rss.access" = ["openid" "email" "profile"];
        scopeMaps."firefly.access" = ["openid" "email" "profile"];
        preferShortUsername = true;
        claimMaps.groups = {
          joinType = "array";
          valuesByGroup."adguardhome.access" = ["adguardhome_access"];
          valuesByGroup."rss.access" = ["ttrss_access"];
          valuesByGroup."firefly.access" = ["firefly_access"];
        };
      };
--- a/hosts/elisabeth/guests.nix
+++ b/hosts/elisabeth/guests.nix
@ -70,7 +70,7 @@ in {
              # pass information via X-User and X-Email headers to backend,
              # requires running with --set-xauthrequest flag
-              auth_request_set $user   $upstream_http_x_auth_request_user;
+              auth_request_set $user   $upstream_http_x_auth_request_preferred_username;
              auth_request_set $email  $upstream_http_x_auth_request_email;
              proxy_set_header X-User  $user;
              proxy_set_header X-Email $email;
@ -160,7 +160,9 @@ in {
      (blockOf "paperless" {maxBodySize = "5G";})
      (proxyProtect "ttrss" {port = 80;} true)
      (blockOf "yourspotify" {port = 80;})
-      (blockOf "firefly" {port = 80;})
+      ((proxyProtect "firefly" {port = 80;} true)
        // {
        })
      (blockOf "apispotify" {
        port = 3000;
        upstream = "yourspotify";
--- a/hosts/elisabeth/secrets/kanidm/secrets.nix.age
+++ b/hosts/elisabeth/secrets/kanidm/secrets.nix.age