feat: firefly remote user auth

Patrick 2024-05-24 22:03:14 +02:00
parent 8509fb833b
commit 9efb2817c3
Signed by: patrick
GPG key ID: 451F95EFB8BECD0F
4 changed files with 10 additions and 2 deletions


@ -26,6 +26,9 @@
TRUSTED_PROXIES = nodes.elisabeth.config.wireguard.elisabeth.ipv4;
SITE_OWNER = "firefly-admin@${config.secrets.secrets.global.domains.mail_public}";
APP_KEY_FILE = config.age.secrets.appKey.path;
AUTHENTICATION_GUARD = "remote_user_guard";
AUTHENTICATION_GUARD_HEADER = "X-User";
AUTHENTICATION_GUARD_EMAIL = "X-Email";
};
};
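Review bot: `AUTHENTICATION_GUARD = "remote_user_guard"` makes Firefly accept whatever arrives in `X-User` as the logged-in identity, so the added lines are only safe if the application can be reached solely through the nginx vhost that overwrites that header. As far as I know, `TRUSTED_PROXIES` on the context line above governs forwarded-header handling and does not by itself restrict who may send `X-User`, so the listener or firewall has to limit the backend port to the proxy's wireguard address; nothing in this hunk shows that. I would add a comment above the guard line such as `# identity is taken from X-User set by the auth proxy; backend must not be reachable directly`. It is also worth verifying the header-name form Firefly expects, since it may need the server-variable spelling (`HTTP_X_USER`) rather than `X-User`. The surrounding attribute set starts outside the hunk.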


@ -121,6 +121,7 @@ in {
};
groups."rss.access" = {};
groups."firefly.access" = {};
groups."adguardhome.access" = {
};
systems.oauth2.oauth2-proxy = {
@ -129,11 +130,13 @@ in {
basicSecretFile = config.age.secrets.oauth2-proxy.path;
scopeMaps."adguardhome.access" = ["openid" "email" "profile"];
scopeMaps."rss.access" = ["openid" "email" "profile"];
scopeMaps."firefly.access" = ["openid" "email" "profile"];
preferShortUsername = true;
claimMaps.groups = {
joinType = "array";
valuesByGroup."adguardhome.access" = ["adguardhome_access"];
valuesByGroup."rss.access" = ["ttrss_access"];
valuesByGroup."firefly.access" = ["firefly_access"];
};
};
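Review bot: The `firefly.access` scope map is added to the same `oauth2-proxy` client that already carries `adguardhome.access` and `rss.access`, so membership in any one of these groups is presumably enough to obtain a session from that client, and only the `groups` claim separates the services. The new `valuesByGroup."firefly.access" = ["firefly_access"];` line therefore depends on a matching per-vhost group check on the proxy side, which is not visible in this section. A short comment next to the claim map, e.g. `# must match the group the firefly vhost requires in oauth2-proxy`, would keep the two strings from drifting apart. Both hunks cut through larger attribute sets that continue outside the view.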


@ -70,7 +70,7 @@ in {
# pass information via X-User and X-Email headers to backend,
# requires running with --set-xauthrequest flag
auth_request_set $user $upstream_http_x_auth_request_user;
auth_request_set $user $upstream_http_x_auth_request_preferred_username;
auth_request_set $email $upstream_http_x_auth_request_email;
proxy_set_header X-User $user;
proxy_set_header X-Email $email;
@ -160,7 +160,9 @@ in {
(blockOf "paperless" {maxBodySize = "5G";})
(proxyProtect "ttrss" {port = 80;} true)
(blockOf "yourspotify" {port = 80;})
(blockOf "firefly" {port = 80;})
((proxyProtect "firefly" {port = 80;} true)
// {
})
(blockOf "apispotify" {
port = 3000;
upstream = "yourspotify";
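Review bot: In the first hunk `$user` now appears to be taken from `$upstream_http_x_auth_request_preferred_username`, and with this commit Firefly keys its accounts on `X-User`; `preferred_username` is a display-oriented claim that OIDC does not guarantee to be unique or stable, so a rename or a reused name could map one person onto another person's Firefly data. Consider feeding `X-User` from an identifier the identity provider guarantees to be stable for services that use it as the account key, or document why the short username is safe here. The line also looks like shared proxy configuration, so it presumably changes the header that `ttrss` and any other `proxyProtect` host receive, which deserves a mention in the commit message. In the second hunk the `// { }` merge with an empty set does nothing and can be dropped, leaving `(proxyProtect "firefly" {port = 80;} true)`.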