44 lines
1.3 KiB
Nix
44 lines
1.3 KiB
Nix
|
{ ... }:
|
||
|
|
|
||
|
|
{
|
||
|
|
resource.vault_jwt_auth_backend.authentik = {
|
||
|
|
default_role = "user";
|
||
|
|
namespace_in_state = true;
|
||
|
|
|
||
|
|
oidc_discovery_url = "https://auth.lukegb.com/application/o/vault/";
|
||
|
|
oidc_client_id = "33e3bdaf2dcc48cba5614e69cca22df701728d4d";
|
||
|
|
oidc_client_secret = "\${data.vault_generic_secret.misc.data[\"authentikAuthToken\"]}";
|
||
|
|
};
|
||
|
|
|
||
|
|
my.authBackend.authentik = {
|
||
|
|
resourceType = "vault_jwt_auth_backend";
|
||
|
|
type = "oidc";
|
||
|
|
|
||
|
|
tune.default_lease_ttl = "24h";
|
||
|
|
tune.max_lease_ttl = "24h";
|
||
|
|
};
|
||
|
|
|
||
|
|
resource.vault_jwt_auth_backend_role = let
|
||
|
|
baseRole = {
|
||
|
|
backend = "\${resource.vault_jwt_auth_backend.authentik.path}";
|
||
|
|
role_type = "oidc";
|
||
|
|
bound_audiences = ["\${resource.vault_jwt_auth_backend.authentik.oidc_client_id}"];
|
||
|
|
user_claim = "sub";
|
||
|
|
allowed_redirect_uris = [
|
||
|
|
"http://localhost:8250/oidc/callback"
|
||
|
|
"https://vault-server-j2gbzkpiaq-ew.a.run.app/ui/vault/auth/oidc/authentik/callback"
|
||
|
|
"https://vault.int.lukegb.com/ui/vault/auth/oidc/authentik/callback"
|
||
|
|
];
|
||
|
|
};
|
||
|
|
in {
|
||
|
|
authentik_user = baseRole // {
|
||
|
|
role_name = "user";
|
||
|
|
token_policies = ["base" "user"];
|
||
|
|
};
|
||
|
|
authentik_admin = baseRole // {
|
||
|
|
role_name = "admin";
|
||
|
|
token_policies = ["base" "admin"];
|
||
|
|
};
|
||
|
|
};
|
||
|
|
}
|