feat(miniflux): set up SSO

2023-12-09 04:08:41 +01:00 · 2023-12-09 04:08:41 +01:00 · 9676f0ada2
commit 9676f0ada2
parent fe85437544
4 changed files with 42 additions and 3 deletions
--- a/services/authelia.nix
+++ b/services/authelia.nix
@ -25,6 +25,11 @@ in {
    owner = cfg.user;
  };

+  age.secrets.authelia-oidc-miniflux = {
+    file = ../secrets/authelia/oidc-miniflux.age;
+    owner = cfg.user;
+  };
+
  services.authelia.instances.main = {
    enable = true;
    secrets = {
@ -103,6 +108,14 @@ in {
      #   host = "smtp.web.de";
      #   port = 587;
      # };
+      identity_providers.oidc.clients = [{
+        id = "miniflux";
+        secret =
+          "$pbkdf2-sha512$310000$1iBgcyIDTDzELv49KWtcHQ$WaRknbgeOHPWIc1BdQsUJaftwISJlY5S1Nyw6Z5omPvnZINhPyn7WVMgogVv1Dekmici7Oz7opb8S7uQAc8hzw";
+        redirect_uris = [ "https://news.felschr.com/oauth2/oidc/callback" ];
+        authorization_policy = "one_factor";
+        scopes = [ "openid" "email" "profile" ];
+      }];
    };
  };

--- a/services/miniflux.nix
+++ b/services/miniflux.nix
@ -1,13 +1,25 @@
-{ config, pkgs, ... }:
+{ config, ... }:

-let port = 8002;
+let
+  domain = "news.felschr.com";
+  port = 8002;
 in {
  age.secrets.miniflux.file = ../secrets/miniflux.age;

  services.miniflux = {
    enable = true;
    adminCredentialsFile = config.age.secrets.miniflux.path;
-    config = { LISTEN_ADDR = "localhost:${toString port}"; };
+    config = {
+      LISTEN_ADDR = "localhost:${toString port}";
+      BASE_URL = "https://${domain}";
+      OAUTH2_PROVIDER = "oidc";
+      OAUTH2_CLIENT_ID = "miniflux";
+      OAUTH2_CLIENT_SECRET_FILE =
+        config.age.secrets.authelia-oidc-miniflux.path;
+      OAUTH2_REDIRECT_URL = "https://news.felschr.com/oauth2/oidc/callback";
+      OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://auth.felschr.com";
+      OAUTH2_USER_CREATION = "1";
+    };
  };

  services.nginx = {