diff --git a/secrets/authelia/oidc-hmac.age b/secrets/authelia/oidc-hmac.age
new file mode 100644
index 0000000..c45b459
--- /dev/null
+++ b/secrets/authelia/oidc-hmac.age
@@ -0,0 +1,13 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9BWlFoQSBOeTN2
+eXNxYUtkRHNWdXlFd3gvVnY3ZmlqUE1yVUxpK2pJaVB3V0N5a1dzCnhYSXR6MHZ2
+QWRqUkdyZ01ETU9na1dSQzh0c0xFSVF3ZEw3dVpMS1FRRGMKLT4gc3NoLWVkMjU1
+MTkgNzJpajd3IDlWSFRQTmtuUEpGUzljQ2YwQjAwa1FkWkkza1h3UG5RRE1IczlP
+aEVRMkkKMUJoaFNVVzliSHBpc2U3U2t2dzNHVUxaaHUrYVUwb081VUxXdlA3OFBm
+RQotPiB2Q21PQTM4Zi1ncmVhc2UgJ3lUbiBxKl9aXnkKeDJlektzRWh3TjZRa3E0
+OHo4Y0d0U3AzN25icGNvMVI5ZERKZDlWNm85VXhhalYrYnVRaWM3K3JNWWJtZGJj
+QQpxMlkKLS0tIE1BakJxNzJQc1NaQWQ2UDNBRXJnU0JGM0Rpa21QUGlFTUR5MVoz
+VTV3dzAKHgertuq5yCjF4ALVBdKPsBiIsYq83xbt6RqjqoWK/DMTO5aVntnCWymA
+JMlreORfUKmwhGFAZv2OZxkklrVoCMKlSvO1QI4PEfHbv4gUDmshY/Cej+9UTYQb
+FkMtqfcFsw==
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/authelia/oidc.age b/secrets/authelia/oidc-issuer.age
similarity index 100%
rename from secrets/authelia/oidc.age
rename to secrets/authelia/oidc-issuer.age
diff --git a/secrets/authelia/oidc-miniflux.age b/secrets/authelia/oidc-miniflux.age
index ec7fbdd..102c083 100644
--- a/secrets/authelia/oidc-miniflux.age
+++ b/secrets/authelia/oidc-miniflux.age
@@ -1,13 +1,14 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9BWlFoQSAzbm1k
-SmpxNnlXaThldnhzMVhUdjIxN3dIakRsa0RSNXY1SDZtL2FBTlhNCk1JNG1QTG9m
-a1F6QlgrZXo2U09GYzFUckNIREN3VXlmN2NFZ1hxSVhOZ1kKLT4gc3NoLWVkMjU1
-MTkgNzJpajd3IDVZaGg5Mk05aUQvaWZsdzFhR1ZVNUVnSUpRSVpVNGFuYy9jMWph
-eXJ2QnMKSUNaK3lla2tRUFQvS2tqd0ZneGZjQUVyV2l2U1V5clVudjBtVHJrMHJy
-VQotPiBwe2VyW2cpLWdyZWFzZSBVKHYoZ019ciBSIElSWUhuJ1AKMlJ3VWxIcUpH
-SEtaUWNLUlFwS08zV3hvNndHSkc1QUsvb1Y4V3lZT0xhaUM2S3p5RHdMWkt6TzVr
-U2gvRDYxVwpmZwotLS0gM1drWlhhSHV0aGtSYy9kSTJvMlNrc1JBdnYxVjhwQ3JP
-SVhnQWladGc2WQpodvux+sDp5r7EFBwFixva1mfBlEG20nyr/D/ZJXb9NxKazBHI
-7IQMBR2LHZoTgIQiNCYCi3rr9HxGUqYCRTvTYd2njhUYNh5qEgHca4Tmbp3OThwr
-9gMkYqZrNsxMZpO91R/e6Om9NGc=
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9BWlFoQSB1dVN2
+UG9SNWxzZFlHWXZMR2ZQeUVUbjBpakx6a2ErT3BxRTk0WHRrMDM4CnMvSy9wQVc2
+eVp1bUtldElqYTZoeEk1T2RtK1luRUE1THN6TFlGNGpJeE0KLT4gc3NoLWVkMjU1
+MTkgNzJpajd3IDBmOEd1cEpjZDBUZ3d3dDlCRytMaFhIRXJrcFk1V3N0bit3bjNu
+RFNNZ1UKdXV4OVFyd1RMS09SYzFUamkwU1owTUl0NUVQK1Q0Y25FN01DQnNDbzBw
+NAotPiBSLVpLVl0pKC1ncmVhc2UgdVtKUlcgLyBmCmtxamlDaTlpc1FFbDJKcFQv
+N291MHhCTzJMUWZsWGF1bzQ2M0l5dW1lcFFLZjJZclJueFRPTTBjTzhBCi0tLSAw
+WmpheFlzWjU5MTJXOSt5TURXbDJGeERsUmZpcGhNTFVockFTNmgvVm5rCmkXpmVC
+0KEQMtsKhCPhfYYBRKa6UWvYNNlE88N+Ji2nWBxw1P9FcdZnK3sg07E+uR8h/ePY
+zR47LQ+550lj0lwUd6ci6bPWOHH7H9JMk6+Y2PauOrHWOEpMVTJzz0D5QcYESSmg
+KRuvuHMtSplfb8tXmOv0QVR1RVktvmFWXYhsD71A/1wJilnaQxhAPReq68AT58cM
+nPQPEupuh/9f3kK08uEw
 -----END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index c45715e..4bd3fd1 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -36,7 +36,8 @@ in {
 "authelia/jwt.age".publicKeys = [ felschr home-server ];
 "authelia/session.age".publicKeys = [ felschr home-server ];
 "authelia/storage.age".publicKeys = [ felschr home-server ];
- "authelia/oidc.age".publicKeys = [ felschr home-server ];
+ "authelia/oidc-hmac.age".publicKeys = [ felschr home-server ];
+ "authelia/oidc-issuer.age".publicKeys = [ felschr home-server ];
 "authelia/oidc-miniflux.age".publicKeys = [ felschr home-server ];
 "hass/secrets.age".publicKeys = [ felschr home-server ];
 "esphome/password.age".publicKeys = [ felschr home-server ];
diff --git a/services/authelia.nix b/services/authelia.nix
index a1cb6e1..f5d8000 100644
--- a/services/authelia.nix
+++ b/services/authelia.nix
@@ -20,8 +20,12 @@ in {
 file = ../secrets/authelia/storage.age;
 owner = cfg.user;
 };
- age.secrets.authelia-oidc = {
- file = ../secrets/authelia/oidc.age;
+ age.secrets.authelia-oidc-hmac = {
+ file = ../secrets/authelia/oidc-hmac.age;
+ owner = cfg.user;
+ };
+ age.secrets.authelia-oidc-issuer = {
+ file = ../secrets/authelia/oidc-issuer.age;
 owner = cfg.user;
 };
@@ -36,7 +40,8 @@ in {
 jwtSecretFile = config.age.secrets.authelia-jwt.path;
 storageEncryptionKeyFile = config.age.secrets.authelia-storage.path;
 sessionSecretFile = config.age.secrets.authelia-session.path;
- oidcIssuerPrivateKeyFile = config.age.secrets.authelia-oidc.path;
+ oidcHmacSecretFile = config.age.secrets.authelia-oidc-hmac.path;
+ oidcIssuerPrivateKeyFile = config.age.secrets.authelia-oidc-issuer.path;
 };
 environmentVariables = {
 AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
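Review bot: Nothing in the registry records that `authelia/oidc-hmac.age` and `authelia/oidc-issuer.age` hold different kinds of material, and since `oidc-issuer.age` is a pure rename of `oidc.age` (100% similarity, so its plaintext was not rotated) a later rotation could easily mix the two up. A comment on the two added lines would prevent that, e.g. `# oidc-hmac: new symmetric HMAC secret; oidc-issuer: existing signing private key, renamed from oidc.age (not rotated)`. Separately, `authelia/oidc-miniflux.age` is re-encrypted in this commit while its entry here is unchanged; if that was a value rotation rather than only a re-key, the miniflux client's copy of that secret has to change in step, which this diff does not show.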
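Review bot: Removing `age.secrets.authelia-oidc` breaks any other module that still references `config.age.secrets.authelia-oidc.path` at evaluation time, and the only consumer updated in this commit is the secrets block later in this same file, so the rest of the tree should be checked for that name before merging. The new `authelia-oidc-hmac` entry follows the shape of the existing ones (`file` plus `owner = cfg.user` with no `mode` override), which presumably leaves the decrypted file readable only by the service user under the module default; that is the right choice for an HMAC secret. The hunk's last context line is `};`, so a trailing blank line may have been lost in this listing, but no definition is cut.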
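Review bot: The two new `oidcHmacSecretFile` and `oidcIssuerPrivateKeyFile` lines point at independent files but carry no comment that they are different material, so a future rotation could place a PEM private key in the HMAC slot or a random string in the issuer slot and only fail at service start. Suggest adding above them `# oidc-hmac is a symmetric HMAC secret, oidc-issuer an asymmetric private key; they are rotated independently`. The attribute set these lines belong to opens before this hunk, so its name is not visible here.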