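{ config, lib, pkgs, ... }:
let
  # Name of the OIDC auth source inside Forgejo. It is part of the callback URL
  # (/user/oauth2/<name>/callback), so the Authelia client registered below must
  # use exactly the same value in its redirect_uris.
  AUTHELIA_AUTH_NAME = "authelia";
  # OIDC client id: `--key` on the Forgejo side, `client_id` on the Authelia side.
  AUTHELIA_CLIENT_ID = "forgejo";
  # Name of the LDAP auth source inside Forgejo.
  LDAP_AUTH_NAME = "lldap";

  # Use the binary the service itself runs so the CLI and the database schema
  # always match (the original called a bare `gitea` from PATH for the lookup and
  # pkgs.forgejo for the write).
  gitea = "${config.services.forgejo.package}/bin/gitea";
  # Every `gitea admin` call must run against the same work path, otherwise the
  # id lookup and the add/update would read and write different databases. The
  # lookup already used stateDir; the write used
  # config.mine.zfsMounts."rpool/safe/svcs/forgejo" -- presumably the same
  # directory, verify against the rest of the config.
  workPath = config.services.forgejo.stateDir;

  # Print the numeric id of the auth source named $1, or nothing if it does not
  # exist. `gitea admin auth list` prints tab-separated columns whose first two
  # fields are ID and Name (the original relied on ID being field 1). The name is
  # compared as a whole field instead of grepped as a substring, so "lldap" can
  # no longer match another source such as "lldap-old" and yield several ids.
  # Exits non-zero only when the list command itself fails.
  scriptAuthId = pkgs.writeShellScript "forgejo-auth-id.sh" ''
    set -euo pipefail
    wanted="$1"
    ${gitea} --work-path '${workPath}' admin auth list \
      | while IFS=$'\t' read -r id name _; do
          if [ "$name" = "$wanted" ]; then
            printf '%s\n' "$id"
          fi
        done
  '';

  # Create or update the LDAP (BindDN) auth source. Runs in the forgejo
  # preStart, i.e. as the service user with $CREDENTIALS_DIRECTORY populated.
  scriptAddLDAPAuth = pkgs.writeShellScript "forgejo-add-update-ldap-auth.sh" ''
    # Fail the unit start instead of booting Forgejo with a half-configured source.
    set -euo pipefail
    FORGEJO_AUTH_NAME="${LDAP_AUTH_NAME}"
    FORGEJO_AUTH_ID="$(${scriptAuthId} "$FORGEJO_AUTH_NAME")"

    # Sub-command plus its extra arguments, kept as an array so no word splitting
    # is needed.
    if [ -n "$FORGEJO_AUTH_ID" ]; then
      echo "PRERUN-LDAP: Authentication source exists, updating..."
      ACTION=(update-ldap --id "$FORGEJO_AUTH_ID")
    else
      echo "PRERUN-LDAP: Authentication source does not exists, adding..."
      ACTION=(add-ldap)
    fi

    # The bind password comes from the systemd credential, never from the Nix
    # store. NOTE: the gitea CLI accepts it only as an argument, so it is briefly
    # visible in /proc/<pid>/cmdline to other local users while this runs.
    BIND_USERPASS="$(cat "$CREDENTIALS_DIRECTORY/lldap-bind-user-pass")"

    # SECURITY: `--security-protocol unencrypted` sends the bind password and,
    # on every login, each user's password to the LDAP server in cleartext. That
    # is only acceptable if the host below is reached over loopback or an
    # otherwise trusted link -- confirm before pointing it across a network.
    # `--skip-tls-verify` was dropped: it has no effect without TLS and would
    # silently disable certificate validation if the protocol is ever switched
    # to ldaps/starttls.
    #
    # The original ended this command with a trailing `\` in front of the final
    # echo, which turned `echo` and its message into extra arguments of gitea;
    # the echo now runs as its own command.
    ${gitea} \
      --work-path '${workPath}' \
      admin auth "''${ACTION[@]}" \
      --name "$FORGEJO_AUTH_NAME" \
      --active \
      --security-protocol unencrypted \
      --host "${config.mine.shared.settings.ldap.host}" \
      --port "${builtins.toString config.mine.shared.settings.ldap.port}" \
      --bind-dn "${config.mine.shared.settings.ldap.bind_dn}" \
      --bind-password "$BIND_USERPASS" \
      --user-filter '${config.mine.shared.settings.ldap.user_filter "%[1]s"}' \
      --admin-filter '(${config.mine.shared.lib.ldap.mkScope (lconfig: llib: llib.mkGroup lconfig.groups.admin)})' \
      --username-attribute "${config.mine.shared.settings.ldap.attr.uid}" \
      --firstname-attribute "${config.mine.shared.settings.ldap.attr.firstname}" \
      --surname-attribute "${config.mine.shared.settings.ldap.attr.lastname}" \
      --email-attribute "${config.mine.shared.settings.ldap.attr.email}" \
      --avatar-attribute "${config.mine.shared.settings.ldap.attr.avatar}" \
      --synchronize-users \
      --user-search-base '${config.mine.shared.settings.ldap.search_base}'
    echo "PRERUN-LDAP: Finished adding/updating..."
  '';

  # Create or update the OpenID Connect auth source that points at Authelia.
  scriptAddOAuth = pkgs.writeShellScript "forgejo-add-update-oauth.sh" ''
    set -euo pipefail
    FORGEJO_AUTH_NAME="${AUTHELIA_AUTH_NAME}"
    FORGEJO_AUTH_ID="$(${scriptAuthId} "$FORGEJO_AUTH_NAME")"

    if [ -n "$FORGEJO_AUTH_ID" ]; then
      echo "PRERUN-AUTH: Authentication source exists, updating..."
      ACTION=(update-oauth --id "$FORGEJO_AUTH_ID")
    else
      echo "PRERUN-AUTH: Authentication source does not exists, adding..."
      ACTION=(add-oauth)
    fi

    # Plaintext client secret from the systemd credential; the Authelia side only
    # stores its pbkdf2 digest. Same cmdline-visibility caveat as the LDAP script.
    SECRET="$(cat "$CREDENTIALS_DIRECTORY/authelia-secret")"

    # `--skip-local-2fa true` means Forgejo performs no second factor of its own
    # for OIDC logins; MFA is then entirely Authelia's job, so the Authelia
    # access-control policy for this client (not visible here) should require
    # two_factor -- TODO confirm. The discovery URL is https-only, so the
    # issuer's certificate is validated by Forgejo.
    ${gitea} \
      --work-path '${workPath}' \
      admin auth "''${ACTION[@]}" \
      --name "$FORGEJO_AUTH_NAME" \
      --provider openidConnect \
      --key "${AUTHELIA_CLIENT_ID}" \
      --secret "$SECRET" \
      --auto-discover-url "https://${config.mine.shared.settings.authelia.domain}/.well-known/openid-configuration" \
      --skip-local-2fa true \
      --scopes "email" \
      --scopes "profile"
    echo "PRERUN-AUTH: Finished adding/updating..."
  '';
in {
  # Run after the forgejo module's own preStart, which sets up the work path and
  # app.ini that the `gitea admin` commands depend on.
  systemd.services.forgejo.preStart = lib.mkAfter ''
    ${scriptAddLDAPAuth}
    ${scriptAddOAuth}
  '';

  # Secrets reach the service through systemd credentials (readable only by the
  # service process under $CREDENTIALS_DIRECTORY), not through the
  # world-readable Nix store.
  systemd.services.forgejo.serviceConfig.LoadCredential = [
    "authelia-secret:${config.age.secrets.forgejo-authelia-secret.path}"
    "lldap-bind-user-pass:${config.age.secrets.lldap-bind-user-pass.path}"
  ];

  # example configuration for forgejo. Should live in forgejo.nix if needed
  services.authelia.instances.main.settings.identity_providers.oidc.clients = [{
    client_id = AUTHELIA_CLIENT_ID;
    client_name = "Forgejo";
    # pbkdf2-sha512 digest of the plaintext held in the forgejo-authelia-secret
    # credential. Only the digest may appear here, since this value ends up in
    # the Nix store; rotate both together.
    client_secret = "$pbkdf2-sha512$310000$cOGtLwMHyfugAJCIiUUjfQ$ao7zC8QB1m8aTGNf1dxYbRAPivZ0G1eaJ4bNFVfJiTFZX06U5baBjT0emvoaeFHXMFbYHzorb2/8vxnY/D0b5Q";
    # Must match the auth source name Forgejo registers the callback under.
    redirect_uris = [
      "https://${config.mine.shared.settings.forgejo.domain}/user/oauth2/${AUTHELIA_AUTH_NAME}/callback"
    ];
    # Forgejo requests email and profile explicitly and adds openid itself.
    scopes = [ "openid" "email" "profile" ];
  }];
}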