diff --git a/secrets/authelia/oidc.age b/secrets/authelia/oidc.age
new file mode 100644
index 0000000..ce7a730
--- /dev/null
+++ b/secrets/authelia/oidc.age
@@ -0,0 +1,81 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9BWlFoQSBER0Rw +d0VOUVhJLy9KOVJIMkJ0SnNNa1dEaUx6TWJwSFJEemd0SXNjSlhRCmpRb1hPem1X +QlUzclM1L3d0eDhTNWpHbVZlSWpjUGN1Qmk5K3h6eWV6a2cKLT4gc3NoLWVkMjU1 +MTkgNzJpajd3IGtXSDVhbU9oSmZRNU1oNTg2cFNvZ2R2SC92MGJsNzBiMzRVbks3 +YXRFblUKUzRXLzAxajN4Y3pCdzdtUlF5dUtLR0VpYkZnL1ZaNjdub2lGcUd6Z2dv +OAotPiAjLWdyZWFzZSAiLGBeMiBCRTQ7RiB7JAp5TytDNXdVRWxwQ2VPOWlTcnNk +d3pFQjg0Uk9RallYWjRwYUYxMk1aM0NkTTM4bFBKK1dnbkxNRVlLVU4vWmx2CmZx +aVBHZWs4bGpjOTVqZXl6UjUzVnhGcnpFK0p5aDlvS2h2Y2I4cGR5YjNWNFVIT1pv +VXY5MjBRckhsNFR6QkUKZXFVCi0tLSBONWtTb0xjWjFIQXpGVi9CYmhDTyt1WHJ5 +VmZMRG5KN25TUjZERXE0MnpnCl7bLHXlBA86mgGtmxamWPqAQqM/kyx92u2ysXeA +3uAdxWXHN7tBKs7bM6Kh28cRAH4Xvxw5Mav/TIBuZhtssx00pe4KD7Gaimex+8fu +oBwFUoJ7x2mdKJFY1eZ3fRruXwG7F0yfG9T9s3k04skjkq4IVqmh+Vw0zPzBjRuo +37zJNyhjlSjipJvgaLucbEgK6+tOGD141IoK/lCXSKrS1lB0cWxJEbz52KHgeSNc +vil7lWvw2KMG6KV5q8eMlf7AhJ2fAtF3fjv0dHE6pzQ8gruutAWvmAxHWu4uKUxk +GAylgoQ0saDfFN4Ddn+G0wGe7TLQy64QZh3Z+s6PWULoGJK8WqK9P3qsQeAzP+VF +M+SMLIjEstAl8sHeDKGComdk5DouNAQJTbO1MTAHHNxtMEZnsMv7o/iYTNFvnWqd +lWc54NFbJShEHEFX1rv642bk40/XVZWIbkiKbVhxXdcRu5AtCwF1M5RpyPNxNfAD +xmP4rM2bn8iCftymUBAyOLoXUazQOJYnZ/p31W8JDqpu4IRw7gS2dl19yo8Ss7Bj +Uoxk+6JLaZiswJUgZjXb2nzYGyDCe8y1cNvSpdDRZ/LW7mz2b4aMoAsgoicrB4YH +RmuuE9xp836sKgbxdmttdZKDJNijnI3qstURHd+JCPh6OzRP8opr8ybJpwvmEUJM +p+TSTv+BzWQyhxvYXYtPZF3l34VFIx8QDCi0xuhlgoFavurXRDUKMqKhH2Cu8G1j +t0oiVkX8s3Pw/19jqcjggI8irbNJQWb1Gc/fYvH7YGJgXKJjzrTe3oDl1uuAyPp6 +R1Twlgm5FD7sgArqdhZd1ecD1XctNeVQQI8fURf8J7/uNc07R12Nogpmiy9dpeIY +d5ByQ0TMgfwZhCYQ0i/DJE6CZkENAv8btlH9mBNxZCnzuGjBH1R4rgQzac+aaPz3 +7iYF/KZDi6Zfsr/zDwoWgIYMvlHUQPBWOtHRpMtianqHFFXRHrHpEhGTrf1QG8rr +p7fyR3nyF5Dq73Srqoyz3pR7ZUCy5Yu8WOA9aKJwHFv5Nr5y7VAfhGDuuY30Ytsf +2DuNHAgIJiTGjeVG+1E+WoM5ujnsOsXgHiezT8PqhwG06ngcFUr78asEKFk+rgbK +DpXN7AIeA4t3aQYUn3zo5EsYz70fqOcZJzIfOSwjQLltUJc3xihN+qlmRTDOZwLl +nlJAXsCb3W7QeSZ6g8lmAWYxGZPtBRWBX/Xfd7s03V/wYCM9kkrZi/dp86NU3z94 
+RA7fvrypuj0Xu/Lh0QcVn01B2q7+c/L4m3VT4Unlyb8GfORrvu1rthlj4EWv378y +JcJbFpt3O1fnxmxj1me5c9ysHq2aivWJh7aR8ZA23ecIWHCHsw9G763RzVEP0koT +ZcZdOwthpfynzZH18RhG5rhyLImOGlwXriVVk74PFrfpj0kqKRp1y9m4gjmpCAER +4Pfuh7Ojqw3Tl/QLh1a3IODeG4xpBYG4uAY9Bch3MelQKdb3cSqGQVYRRJjns6vN +oSYenIOh0dqYHnsCZaZjafUeEj50Uflfl3aiSuJ/gyDB545Ks9LKSpbLyH0Wsmwh +B/SCLYP+lHKDqCW/1g2MAaQqQTb2OmayfkHKN+U6pr0kmDVy/0tPIqrD/EXy9cvh +U80+DiUfGDBMXhWYXOMglHv7XFWc3IDxnuJ61ADXWtDWz6I99snJNdHueXF7nN6c +0na83A0E1/e/VoCLk1yg++miHbLSkDLc5F9NDToYt7lcp27yBc+wQLVeYrn1eEBH +WvokNGzoMNy6Q37eSMIxHh7hyzh4XQSh0b2d0tUYZZHK1xcefoGVytv8O9KhgUWe +m2IL/7pjZCZwHx3Z1padYqH4p6BsiE2JjA/5q7r5DMdi2GZ1hCyv9zJXh6EEPf3H +mS6gdTgUON3k+lKsKzgAP19xA5VkPmmgFPzJWp0JJTozUcucDDBHhRhaFKZUjbvP +m5DqK6NiE/PJO4/YmIfol+MTdGs/Yhsy1LOTfm4KHJ/OHl5cEjUsW/jdA4XgvF9r +5Zl5oTciuHdIHRZAGmBBO5d5ocfB/brPJXkTAQX2PZUukvgfl3a1GFrVsQQRwg3q +UkzDyJvNhTqkRttx16fXukeap8C0RfEcJAdrib12sRKQxk94cXkrdmoDm31QI17e +iQOlW/kFzGpMVHmcUYjQo7eqK6gQaH4Ycjgiof5OSs8IVz9pMLwfh6PSks3XnniK +clOM48Vzp1HzwZx4kOp3LOB/Y3CgslvtKr9ygdcyNWlWDgJ4i7glG02vfJe589mZ +HxX8qyOixdJTVaMVEDnu2i4ViL3VQ85GJTZLDPZC4cxa1UcVYtdb4F7z6fnOon7n +9+nFUcmcHDxdgStqibbkOcxn/tncBYMnlt7PnjZpbKituabaxEf5uv+7HVgLkazx +iKHL8s+zktQuFfcQh083bhOjOwyUTrJUs2rmz+hg9r8hhd6+xQQTe2kjpHv448oI +ZjV4FrVApStXJUmzAXyoL2G14Yw9IldskuKX5W7Q/8K6LwOlinNpHz82OGLgjooI +vR2xw9bieq/Z/yOygXkREG2LPjFOZJfGjKGvPvQ6ZqkiHJjAqdYGyU2vpgAVKIu+ +68ZoyUPSv6Qc6g04zxefwYAPI59jPnI25KVHTWPVhTGmfZ/fPV0pRhwLK3R+8jfs +XcrzwDoyKisWWDitonJfpyG/P/0Asd8oqfn5SrHAJ07IKvk4pbdf7dU6m6cwJeT4 +ypgPfYx1tVnNpQThbicwnzrf56SOPAheJF41ofisXTYi/UGzqcolf55fcvCGBAzU +ZNpBUbo5MY/z1+xq+fcu1Owmn5b6TmPmvSIXxY5+469XX/Ory5gDzoll0+EN7Mns +6bbrvoAhZHfFHXGX7gOl8XaEQohlmQpKzhVDxjoTucC/eg4gRYp5LePyshKDFaLb +KJ9/OIaZwlOr4HtqhDFNXwD2WFQpDQJhsXDnpraTT/9fFkc4vBoZVGT7dbynUVPM +tXOM5S4UUdF2sUODKLUsXiMZoyxZuSHlnz1F3rwGPcteOQ0gyF5YRDpmqsL0NUwP +Guq8KfCr9IjBw8emBYJHbzeIlhgnOLBthqQSID1llQob9ytV7eBUR0z1/JZOOyIK +J3f1MvuSFc/WqlbIFEm9SAuPZhAIoRWI1oZHXw0b15aWx0foEAEfvXup/k0wI3Nt 
+cWJ+wCOlGzaS4O31Fxc5MS/7QuFGX5R0eRMF0FZ5QFd4m/6vmh97cjM0RnSa9ovw
+lpW8/7lMEhGjx2vhc64A6P+wUarIat5EkmSL1rPPdKGht57adyhFIBT95C3g34Lu
+ROXRyUyUasInuLnh2PTM+EWBWIU5pFgmpduTP+6qcvN/zkF56yNchbkoUyKPNAJr
+emTV99K8vNDELcensvO/qhmA/HVdLJP73K/EFAyCBqlcpDeAxq0krGGU78WewqmQ
+Xd+2j/CFiqG0lyFw0u1FSA7eTcLNdAEyYFD7GmxuXDoGhz+0rt7jk78ByALPdULp
+AwxbqXttcNFfcDnNC7+CxR8pkj1eC6tE62Bo5H9A+u8OU/5bzuH/LNC0G1rn8FWJ
+b/7Qhwg4QftkFmP1NZEW41dkeNyErjGI0RRzhrQeL+T7eBi5I9Y7gEON1SG+CJET
+slFnaWphf9m7939eFoGrnkBCK4D31U9rBdz1RYfu6xTuo70uVcWTPRLf2zYVWIYp
+MkEf+9lzx5TrcOYn6RdjByHMkwsG3Ufp2f+2/fpo8e71XNkZv++B6FI4VqiNsLfH
+muC1nG747Qt3Jcnsip/82mt7WQzFQcR4Y6AZfpV34GzS7HeRBa9q/X/5WHc1G1sL
+L81bvhqDwfarp4oRSh7hnMjhJzB9emcwCIE+vrMRqHre/HHaoMz7doQxXEJk9V6K
+CfABhr2YymHcRr7Ehb/AOrkGJRLe7SPMwbb4HngPXcGmTFy1ZMNmZ8V4VGe4Z34k
+9TWckxnaf9CvYbGGpJxCFxviZMesxFzaLIek9vH+QuZ4T9s2AiHLiacGKiV2Dlkt
+P4/QPFtvsjaDITmBO5mkuIrnOcuRVMuqmfrJ3u5YdzKllTRGNXLtjKtnjAtH5X9O
+2qpw5DgYRNrJ+EZKULpV0EN32CRDiiftqVeS8yao2fv30AC+AzAy9EUbPqU571gA
+75stz448Vz0nQJ2Bi8Nc/ZHCgV1/H66rwuJiNw5UKZQlHVzBgvYRyZj/CtS7rQ8f
+FjIQX1lY+35jmEBSqS6qmltQP7kvrmeXbcPSnJRvOp4CWLmppnOT2P6F9K13s17z
+IpjIoG7RTrj/fY5rrWg1zdV3HR8Z1J1i2qIgSqPIIRBXJ/PQVdQhLbkUi4qn+SGz
+3xN8lGao8ElrbCMazmj+kCU5Rc2suE5Ldq8X18/Vwy9kABNPILrCQGDHxSO8d0Cp
+U0XVhLbknKXCEaw=
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 0a9656a..0fc46bc 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -36,6 +36,7 @@ in {
 "authelia/jwt.age".publicKeys = [ felschr home-server ];
 "authelia/session.age".publicKeys = [ felschr home-server ];
 "authelia/storage.age".publicKeys = [ felschr home-server ];
+ "authelia/oidc.age".publicKeys = [ felschr home-server ];
 "hass/secrets.age".publicKeys = [ felschr home-server ];
 "esphome/password.age".publicKeys = [ felschr home-server ];
 "focalboard/.env.age".publicKeys = [ felschr home-server ];
diff --git a/services/authelia.nix b/services/authelia.nix
index f241f89..ba041d5 100644
--- a/services/authelia.nix
+++ b/services/authelia.nix
@@ -20,6 +20,10 @@ in {
 file = ../secrets/authelia/storage.age;
 owner = cfg.user;
 };
+ age.secrets.authelia-oidc = {
+ file = ../secrets/authelia/oidc.age;
+ owner = cfg.user;
+ };
 services.authelia.instances.main = {
 enable = true;
@@ -27,6 +31,7 @@ in {
 jwtSecretFile = config.age.secrets.authelia-jwt.path;
 storageEncryptionKeyFile = config.age.secrets.authelia-storage.path;
 sessionSecretFile = config.age.secrets.authelia-session.path;
+ oidcIssuerPrivateKeyFile = config.age.secrets.authelia-oidc.path;
 };
 environmentVariables = {
 AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
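Review bot: The new `age.secrets.authelia-oidc` block in the first hunk says nothing about what the decrypted file must contain, even though `oidcIssuerPrivateKeyFile` in the second hunk makes it a token-signing key rather than a random secret like its `jwt`/`session`/`storage` siblings. A comment on the secret such as `# PEM-encoded private key Authelia uses to sign OIDC tokens; rotating it invalidates tokens already issued` would tell the next reader how to (re)generate it and why it is handled differently from the other three. The `file`/`owner` shape mirrors the sibling secrets, so the ownership and default agenix mode presumably match what Authelia already reads for the other key files; worth confirming on first start that the service can open the path. The attrset edited by the second hunk (the one holding `jwtSecretFile`) begins outside the hunk, and no OIDC client configuration appears in this diff, so the key is loaded but not visibly used yet unless that lives in a later change.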