feat: freshrss sso
@@ -39,28 +39,26 @@ access_control:
|
|||||||
identity_providers:
|
identity_providers:
|
||||||
oidc:
|
oidc:
|
||||||
cors:
|
cors:
|
||||||
endpoints: ["authorization", "token", "revocation", "introspection"]
|
endpoints: [authorization, token, revocation, introspection]
|
||||||
allowed_origins_from_client_redirect_uris: true
|
allowed_origins_from_client_redirect_uris: true
|
||||||
clients:
|
clients:
|
||||||
- id: gitea
|
- client_id: freshrss
|
||||||
secret: "${GITEA_OAUTH_CLIENT_SECRET}"
|
client_name: freshrss
|
||||||
|
client_secret:
|
||||||
public: false
|
public: false
|
||||||
authorization_policy: two_factor
|
authorization_policy: two_factor
|
||||||
scopes: ["openid", "profile", "groups", "email"]
|
redirect_uris: ["https://freshrss.${SECRET_PUBLIC_DOMAIN}/i/oidc/"]
|
||||||
redirect_uris:
|
scopes: [openid, profile, groups, email]
|
||||||
[
|
userinfo_signed_response_alg: none
|
||||||
"https://gitea.${SECRET_PUBLIC_DOMAIN}/user/oauth2/authelia/callback",
|
token_endpoint_auth_method: client_secret_basic
|
||||||
]
|
- client_name: grafana
|
||||||
userinfo_signing_algorithm: none
|
client_id: grafana
|
||||||
- id: grafana
|
client_secret: "${GRAFANA_OAUTH_CLIENT_SECRET}"
|
||||||
description: Grafana
|
|
||||||
secret: "${GRAFANA_OAUTH_CLIENT_SECRET}"
|
|
||||||
public: false
|
public: false
|
||||||
authorization_policy: two_factor
|
authorization_policy: two_factor
|
||||||
pre_configured_consent_duration: 1y
|
pre_configured_consent_duration: 1y
|
||||||
scopes: ["openid", "profile", "groups", "email"]
|
scopes: [openid, profile, groups, email]
|
||||||
redirect_uris:
|
redirect_uris: ["https://grafana.${SECRET_PUBLIC_DOMAIN}/login/generic_oauth"]
|
||||||
["https://grafana.${SECRET_PUBLIC_DOMAIN}/login/generic_oauth"]
|
|
||||||
userinfo_signing_algorithm: none
|
userinfo_signing_algorithm: none
|
||||||
- id: outline
|
- id: outline
|
||||||
description: Outline
|
description: Outline
|
||||||
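Review bot: The new freshrss client's `client_secret:` has no value, so YAML parses it as null, while `public: false` and `token_endpoint_auth_method: client_secret_basic` on the same client say a confidential client is intended; following the pattern already used for grafana and jellyfin this should read `client_secret: "${FRESHRSS_OAUTH_CLIENT_SECRET}"` (and, depending on the Authelia version deployed, the value may have to be the hashed digest form rather than plaintext — verify against the release notes). Whatever value is used has to match the `OIDC_CLIENT_SECRET` the FreshRSS HelmRelease hands to the app, which the last hunk of this commit currently sets to a literal placeholder. This hunk also mixes the renamed keys with the old ones: freshrss uses `userinfo_signed_response_alg` while grafana keeps `userinfo_signing_algorithm`, and outline still has `- id:` / `description:`; migrating them together keeps the file on one schema. The second hunk of this file also removes the immich client entirely, which the commit title "feat: freshrss sso" does not mention. The `clients:` list continues past the end of this hunk.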
@@ -68,24 +66,14 @@ identity_providers:
|
|||||||
public: false
|
public: false
|
||||||
authorization_policy: two_factor
|
authorization_policy: two_factor
|
||||||
pre_configured_consent_duration: 1y
|
pre_configured_consent_duration: 1y
|
||||||
scopes: ["openid", "profile", "email", "offline_access"]
|
scopes: [openid, profile, email, offline_access]
|
||||||
redirect_uris:
|
redirect_uris: ["https://docs.${SECRET_PUBLIC_DOMAIN}/auth/oidc.callback"]
|
||||||
["https://docs.${SECRET_PUBLIC_DOMAIN}/auth/oidc.callback"]
|
|
||||||
userinfo_signing_algorithm: none
|
userinfo_signing_algorithm: none
|
||||||
- id: immich
|
- client_name: jellyfin
|
||||||
description: Immich
|
client_id: jellyfin
|
||||||
secret: "${IMMICH_OAUTH_CLIENT_SECRET}"
|
client_secret: "${JELLYFIN_OAUTH_CLIENT_SECRET}"
|
||||||
public: false
|
public: false
|
||||||
authorization_policy: one_factor
|
|
||||||
pre_configured_consent_duration: 1y
|
|
||||||
scopes: ["openid", "profile", "email"]
|
|
||||||
redirect_uris: ["https://photos.${SECRET_PUBLIC_DOMAIN}/auth/login", "app.immich:/"]
|
|
||||||
userinfo_signing_algorithm: none
|
|
||||||
- id: jellyfin
|
|
||||||
description: jellyfin
|
|
||||||
public: false
|
|
||||||
secret: "${JELLYFIN_OAUTH_CLIENT_SECRET}"
|
|
||||||
authorization_policy: two_factor
|
authorization_policy: two_factor
|
||||||
pre_configured_consent_duration: 1y
|
pre_configured_consent_duration: 1y
|
||||||
scopes: ["openid", "profile", "groups", "email"]
|
scopes: [openid, profile, groups, email]
|
||||||
redirect_uris: [ "https://jellyfin.${SECRET_PUBLIC_DOMAIN}/sso/OID/redirect/authelia" ]
|
redirect_uris: [ "https://jellyfin.${SECRET_PUBLIC_DOMAIN}/sso/OID/redirect/authelia" ]
|
||||||
|
@@ -14,6 +14,8 @@ spec:
|
|||||||
template:
|
template:
|
||||||
engineVersion: v2
|
engineVersion: v2
|
||||||
data:
|
data:
|
||||||
|
# App
|
||||||
|
OIDC_CLIENT_CRYPTO_KEY: "{{ .FRESHRSS_OAUTH_CLIENT_SECRET }}"
|
||||||
# Postgres Init
|
# Postgres Init
|
||||||
INIT_POSTGRES_DBNAME: freshrss
|
INIT_POSTGRES_DBNAME: freshrss
|
||||||
INIT_POSTGRES_HOST: postgres16-rw.database.svc.cluster.local
|
INIT_POSTGRES_HOST: postgres16-rw.database.svc.cluster.local
|
||||||
@@ -21,6 +23,8 @@ spec:
|
|||||||
INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}"
|
INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}"
|
||||||
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
|
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
|
||||||
dataFrom:
|
dataFrom:
|
||||||
|
- extract:
|
||||||
|
key: autthelia
|
||||||
- extract:
|
- extract:
|
||||||
key: cloudnative-pg
|
key: cloudnative-pg
|
||||||
- extract:
|
- extract:
|
||||||
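Review bot: The added `key: autthelia` in the `dataFrom` extract looks like a misspelling of `authelia`; unless the secret store really holds a key by that name, the `.FRESHRSS_OAUTH_CLIENT_SECRET` template variable introduced in the previous hunk has nothing to resolve from and the ExternalSecret will fail to sync. Change it to `key: authelia`. In the previous hunk that same variable is written into `OIDC_CLIENT_CRYPTO_KEY`; if that key is the passphrase the FreshRSS OIDC module uses to encrypt its own session and state cookies, as the FreshRSS OIDC documentation appears to describe it (please confirm), it should be an independent random secret rather than the OAuth client secret, and the client secret itself should be exported as `OIDC_CLIENT_SECRET` so the HelmRelease can consume it instead of the inline placeholder it currently carries. The `data:` map and the `dataFrom:` list both continue outside these hunks.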
|
@@ -49,6 +49,13 @@ spec:
|
|||||||
TZ: ${TIMEZONE}
|
TZ: ${TIMEZONE}
|
||||||
CRON_MIN: 18,48
|
CRON_MIN: 18,48
|
||||||
DOMAIN: "https://freshrss.${SECRET_CLUSTER_DOMAIN}/"
|
DOMAIN: "https://freshrss.${SECRET_CLUSTER_DOMAIN}/"
|
||||||
|
OIDC_ENABLED: 1
|
||||||
|
OIDC_PROVIDER_METADATA_URL: https://auth.${SECRET_CLUSTER_DOMAIN}/.well-known/openid-configuration
|
||||||
|
OIDC_CLIENT_ID: freshrss
|
||||||
|
OIDC_CLIENT_SECRET: insecure_secret
|
||||||
|
OIDC_REMOTE_USER_CLAIM: preferred_username
|
||||||
|
OIDC_SCOPES: openid groups email profile
|
||||||
|
OIDC_X_FORWARDED_HEADERS: X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto
|
||||||
resources:
|
resources:
|
||||||
requests:
|
requests:
|
||||||
cpu: 50m
|
cpu: 50m
|
||||||
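Review bot: `OIDC_CLIENT_SECRET: insecure_secret` commits a literal placeholder as the credential a confidential client presents to Authelia, and it cannot match the Authelia side, whose freshrss `client_secret:` is left empty in the first hunk; source it from the ExternalSecret-backed secret (`valueFrom.secretKeyRef` or the chart's envFrom equivalent) rather than an inline value. `OIDC_PROVIDER_METADATA_URL` and the existing `DOMAIN` are built from `${SECRET_CLUSTER_DOMAIN}` while the redirect URI registered in Authelia uses `${SECRET_PUBLIC_DOMAIN}`; if those two substitutions resolve to different hosts, the redirect_uri FreshRSS sends will not match the registered one and Authelia will reject the authorization request. `OIDC_ENABLED: 1` is an unquoted integer; Pod env values must be strings, so unless the chart stringifies env values write it as `OIDC_ENABLED: "1"`. The `env:` block this hunk edits starts before the hunk.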
|