Update SSO setup for Audiobookshelf

More or less copied from jellyfin.
This commit is contained in:
sivert 2025-08-18 21:12:51 +02:00 committed by Pierre Penninckx
parent 30f9f32448
commit b4b70b175e
2 changed files with 88 additions and 46 deletions

View file

@ -47,42 +47,71 @@ in
'';
};
oidcProvider = lib.mkOption {
type = lib.types.str;
description = "OIDC provider name";
default = "Authelia";
};
authEndpoint = lib.mkOption {
type = lib.types.str;
description = "OIDC endpoint for SSO";
example = "https://authelia.example.com";
};
oidcClientID = lib.mkOption {
type = lib.types.str;
description = "Client ID for the OIDC endpoint";
default = "audiobookshelf";
};
oidcAdminUserGroup = lib.mkOption {
type = lib.types.str;
description = "OIDC admin group";
default = "audiobookshelf_admin";
};
oidcUserGroup = lib.mkOption {
type = lib.types.str;
description = "OIDC user group";
default = "audiobookshelf_user";
};
ssoSecret = lib.mkOption {
description = "SSO shared secret.";
sso = lib.mkOption {
description = "SSO configuration.";
default = {};
type = lib.types.submodule {
options = contracts.secret.mkRequester {
owner = "audiobookshelf";
restartUnits = [ "audiobookshelfd.service" ];
options = {
enable = lib.mkEnableOption "SSO";
provider = lib.mkOption {
type = lib.types.str;
description = "OIDC provider name";
default = "Authelia";
};
endpoint = lib.mkOption {
type = lib.types.str;
description = "OIDC endpoint for SSO";
example = "https://authelia.example.com";
};
clientID = lib.mkOption {
type = lib.types.str;
description = "Client ID for the OIDC endpoint";
default = "audiobookshelf";
};
adminUserGroup = lib.mkOption {
type = lib.types.str;
description = "OIDC admin group";
default = "audiobookshelf_admin";
};
userGroup = lib.mkOption {
type = lib.types.str;
description = "OIDC user group";
default = "audiobookshelf_user";
};
authorization_policy = lib.mkOption {
type = lib.types.enum [ "one_factor" "two_factor" ];
description = "Require one factor (password) or two factor (device) authentication.";
default = "one_factor";
};
sharedSecret = lib.mkOption {
description = "OIDC shared secret for Audiobookshelf.";
type = lib.types.submodule {
options = contracts.secret.mkRequester {
mode = "0440";
owner = "audiobookshelf";
group = "audiobookshelf";
restartUnits = [ "audiobookshelfd.service" ];
};
};
};
sharedSecretForAuthelia = lib.mkOption {
description = "OIDC shared secret for Authelia.";
type = lib.types.submodule {
options = contracts.secret.mkRequester {
mode = "0400";
ownerText = "config.shb.authelia.autheliaUser";
owner = config.shb.authelia.autheliaUser;
};
};
};
};
};
};
@ -144,17 +173,21 @@ in
'';
};
shb.authelia.oidcClients = [
shb.authelia.oidcClients = lib.lists.optionals cfg.sso.enable [
{
client_id = cfg.oidcClientID;
client_id = cfg.sso.clientID;
client_name = "Audiobookshelf";
client_secret.source = cfg.ssoSecret.result.path;
client_secret.source = cfg.sso.sharedSecretForAuthelia.result.path;
public = false;
authorization_policy = "one_factor";
authorization_policy = cfg.sso.authorization_policy;
redirect_uris = [
"https://${cfg.subdomain}.${cfg.domain}/auth/openid/callback"
"https://${cfg.subdomain}.${cfg.domain}/auth/openid/mobile-redirect"
"https://${cfg.subdomain}.${cfg.domain}/auth/openid/callback"
"https://${cfg.subdomain}.${cfg.domain}/auth/openid/mobile-redirect"
];
require_pkce = true;
pkce_challenge_method = "S256";
userinfo_signed_response_alg = "none";
token_endpoint_auth_method = "client_secret_basic";
}
];
} {

View file

@ -69,13 +69,22 @@ let
sso = { config, ... }: {
shb.audiobookshelf = {
authEndpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
ssoSecret.result = config.shb.hardcodedsecret.ssoSecret.result;
sso = {
enable = true;
endpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
sharedSecret.result = config.shb.hardcodedsecret.audiobookshelfSSOPassword.result;
sharedSecretForAuthelia.result = config.shb.hardcodedsecret.audiobookshelfSSOPasswordAuthelia.result;
};
};
shb.hardcodedsecret.ssoSecret = {
request = config.shb.audiobookshelf.ssoSecret.request;
settings.content = "ssoSecret";
shb.hardcodedsecret.audiobookshelfSSOPassword = {
request = config.shb.audiobookshelf.sso.sharedSecret.request;
settings.content = "ssoPassword";
};
shb.hardcodedsecret.audiobookshelfSSOPasswordAuthelia = {
request = config.shb.audiobookshelf.sso.sharedSecretForAuthelia.request;
settings.content = "ssoPassword";
};
};
in