authelia: configure oidc and use it for immich

2025-04-02 10:13:51 -04:00 · 2025-04-02 10:13:51 -04:00 · 7653df7715
commit 7653df7715
parent 026abe5123
2 changed files with 27 additions and 2 deletions
--- a/modules/authelia.nix
+++ b/modules/authelia.nix
@ -46,11 +46,32 @@ in
        }];
        storage.local.path = "${varPath}/db.sqlite3";
        notifier.filesystem.filename = "${varPath}/notifications.txt";
+        webauthn = {
+          enable_passkey_login = true;
+        };
+        identity_providers.oidc.clients = [
+          {
+            client_id = "immich";
+            client_name = "immich";
+            client_secret = "$argon2id$v=19$m=65536,t=3,p=4$Vny2G8EbSPafSwnIuq2Zkg$eF2om4WDEaqCFmrAG27h2mYl+cXxXyttPJ7gaPLs+f8";
+            public = false;
+            authorization_policy = "two_factor";
+            redirect_uris = [
+              "https://photos.cy7.sh/auth/login"
+              "https://photos.cy7.sh/user-settings"
+              "app.immich:///oauth-callback"
+            ];
+            scopes = [ "openid" "profile" "email" ];
+            userinfo_signed_response_alg = "none";
+          }
+        ];
      };
      secrets = {
        sessionSecretFile = getSecret "authelia/session";
        storageEncryptionKeyFile = getSecret "authelia/storage";
        jwtSecretFile = getSecret "authelia/jwt";
+        oidcHmacSecretFile = getSecret "authelia/hmac";
+        oidcIssuerPrivateKeyFile = getSecret "authelia/oidc_private";
      };
    };

@ -58,6 +79,8 @@ in
      "authelia/jwt" = sopsConfig;
      "authelia/storage" = sopsConfig;
      "authelia/session" = sopsConfig;
+      "authelia/hmac" = sopsConfig;
+      "authelia/oidc_private" = sopsConfig;
    };

    services.caddy.virtualHosts.${domain}.extraConfig = ''