fricloud/server-configs
2
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions
server-configs/machines/gerd/services/forgejo/auth_sources.nix

109 lines
4.1 KiB
Nix
Raw Blame History

{ config, lib, pkgs, ... }:
let
AUTHELIA_AUTH_NAME = "authelia";
scriptAddLDAPAuth = pkgs.writeShellScript "forgejo-add-update-ldap-auth.sh" ''
FORGEJO_WORK_PATH="${config.services.forgejo.stateDir}"
FORGEJO_AUTH_NAME="lldap"
# get auth id if any
FORGEJO_AUTH_ID=$(gitea --work-path "$FORGEJO_WORK_PATH" admin auth list | grep "$FORGEJO_AUTH_NAME" | cut -d$'\t' -f1)
ACTION=""
EXTRA_ARG=""
if [ -n "''${FORGEJO_AUTH_ID}" ]; then
echo "PRERUN-LDAP: Authentication source exists, updating..."
ACTION="update-ldap"
EXTRA_ARG="--id $FORGEJO_AUTH_ID"
else
echo "PRERUN-LDAP: Authentication source does not exists, adding..."
ACTION="add-ldap"
fi
BIND_USERPASS="$(cat $CREDENTIALS_DIRECTORY/lldap-bind-user-pass)"
${pkgs.forgejo}/bin/gitea \
--work-path '${config.mine.zfsMounts."rpool/safe/svcs/forgejo"}' \
admin auth "$ACTION" $EXTRA_ARG \
--name "$FORGEJO_AUTH_NAME" \
--active \
--security-protocol unencrypted \
--skip-tls-verify \
--host ${config.mine.shared.settings.ldap.host} \
--port ${builtins.toString config.mine.shared.settings.ldap.port} \
--bind-dn "${config.mine.shared.settings.ldap.bind_dn}" \
--bind-password "$BIND_USERPASS" \
--user-filter '${config.mine.shared.settings.ldap.user_filter "%[1]s"}' \
--admin-filter '${config.mine.shared.lib.ldap.mkScope (lconfig: llib: llib.mkGroup lconfig.groups.admin)}' \
--username-attribute ${config.mine.shared.settings.ldap.attr.uid} \
--firstname-attribute ${config.mine.shared.settings.ldap.attr.firstname} \
--surname-attribute ${config.mine.shared.settings.ldap.attr.lastname} \
--email-attribute ${config.mine.shared.settings.ldap.attr.email} \
--avatar-attribute ${config.mine.shared.settings.ldap.attr.avatar} \
--synchronize-users \
--user-search-base '${config.mine.shared.settings.ldap.search_base}' \
echo "PRERUN-LDAP: Finished adding/updating..."
'';
scriptAddOAuth = pkgs.writeShellScript "forgejo-add-update-oauth.sh" ''
FORGEJO_WORK_PATH="${config.services.forgejo.stateDir}"
FORGEJO_AUTH_NAME="${AUTHELIA_AUTH_NAME}"
# get auth id if any
FORGEJO_AUTH_ID=$(gitea --work-path "$FORGEJO_WORK_PATH" admin auth list | grep "$FORGEJO_AUTH_NAME" | cut -d$'\t' -f1)
ACTION=""
EXTRA_ARG=""
if [ -n "''${FORGEJO_AUTH_ID}" ]; then
echo "PRERUN-AUTH: Authentication source exists, updating..."
ACTION="update-oauth"
EXTRA_ARG="--id $FORGEJO_AUTH_ID"
else
echo "PRERUN-AUTH: Authentication source does not exists, adding..."
ACTION="add-oauth"
fi
SECRET="$(cat $CREDENTIALS_DIRECTORY/authelia-secret)"
${pkgs.forgejo}/bin/gitea \
--work-path '${config.mine.zfsMounts."rpool/safe/svcs/forgejo"}' \
admin auth "$ACTION" $EXTRA_ARG \
--name "$FORGEJO_AUTH_NAME" \
--provider openidConnect \
--key forgejo \
--secret "$SECRET" \
--auto-discover-url "https://${config.mine.shared.settings.authelia.domain}/.well-known/openid-configuration" \
--skip-local-2fa true \
--scopes "email" \
--scopes "profile" \
echo "PRERUN-AUTH: Finished adding/updating..."
'';
in {
systemd.services.forgejo.preStart = lib.mkAfter ''
${scriptAddLDAPAuth}
${scriptAddOAuth}
'';
systemd.services.forgejo.serviceConfig.LoadCredential = [
"authelia-secret:${config.age.secrets.forgejo-authelia-secret.path}"
"lldap-bind-user-pass:${config.age.secrets.lldap-bind-user-pass.path}"
];
# example configuration for forgejo. Should live in forgejo.nix if needed
services.authelia.instances.main.settings.identity_providers.oidc.clients = [{
client_id = "forgejo";
client_name = "Forgejo";
client_secret = "$pbkdf2-sha512$310000$cOGtLwMHyfugAJCIiUUjfQ$ao7zC8QB1m8aTGNf1dxYbRAPivZ0G1eaJ4bNFVfJiTFZX06U5baBjT0emvoaeFHXMFbYHzorb2/8vxnY/D0b5Q";
redirect_uris = [ "https://${config.mine.shared.settings.forgejo.domain}/user/oauth2/${AUTHELIA_AUTH_NAME}/callback" ];
scopes = [
"openid"
"email"
"profile"
];
}];
}
Reference in a new issue View git blame Copy permalink