diff --git a/argocd/manifests/authentik/configmap-blueprint.yaml b/argocd/manifests/authentik/configmap-blueprint.yaml
index cc3ff43..27910ef 100644
--- a/argocd/manifests/authentik/configmap-blueprint.yaml
+++ b/argocd/manifests/authentik/configmap-blueprint.yaml
@@ -346,6 +346,50 @@ data: meta_launch_url: https://jellyfin.ops.eblu.me policy_engine_mode: all + paperless.yaml: | + version: 1 + metadata: + name: BlumeOps Paperless SSO + labels: + blueprints.goauthentik.io/description: "Paperless-ngx OIDC provider and application" + entries: + # OAuth2 provider for Paperless-ngx (confidential client) + - model: authentik_providers_oauth2.oauth2provider + id: paperless-provider + identifiers: + name: Paperless + attrs: + name: Paperless + authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] + invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]] + client_type: confidential + client_id: paperless + client_secret: !Env AUTHENTIK_PAPERLESS_CLIENT_SECRET + redirect_uris: + - matching_mode: strict + url: https://paperless.ops.eblu.me/accounts/oidc/authentik/login/callback/ + - matching_mode: strict + url: https://paperless.tail8d86e.ts.net/accounts/oidc/authentik/login/callback/ + signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]] + property_mappings: + - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] + - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]] + - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]] + sub_mode: hashed_user_id + include_claims_in_id_token: true + + # Paperless application — all authenticated users allowed + - model: authentik_core.application + id: paperless-app + identifiers: + slug: paperless + attrs: + name: Paperless + slug: paperless + provider: !KeyOf paperless-provider + meta_launch_url: https://paperless.ops.eblu.me + policy_engine_mode: all + mealie.yaml: | version: 1 metadata: diff --git a/argocd/manifests/authentik/deployment-worker.yaml b/argocd/manifests/authentik/deployment-worker.yaml index 5fe473e..b81ec32 100644 --- a/argocd/manifests/authentik/deployment-worker.yaml 
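Review bot: The `paperless-app` entry carries no policy binding, so with `policy_engine_mode: all` and nothing bound every authentik account can complete the Paperless login; the comment says that is intended, but Paperless holds scanned personal documents, so an `authentik_policies.policybinding` targeting `!KeyOf paperless-app` with a group of your choosing would scope access at the IdP instead of relying on whatever account handling Paperless does on first login. Separately, `client_secret: !Env AUTHENTIK_PAPERLESS_CLIENT_SECRET` gives the tag no default, so an unset variable resolves to null; confirm the blueprint then fails to apply rather than creating a confidential provider without a usable secret, and consider documenting that expectation next to the entry, e.g. `# secret comes from the worker env; blueprint must fail if unset`. The two `matching_mode: strict` redirect URIs are the right choice; the `authentik` segment in `/accounts/oidc/authentik/login/callback/` has to match the provider id configured on the Paperless side, which this diff does not show.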
+++ b/argocd/manifests/authentik/deployment-worker.yaml @@ -85,6 +85,11 @@ spec: secretKeyRef: name: authentik-config key: mealie-client-secret + - name: AUTHENTIK_PAPERLESS_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: authentik-config + key: paperless-client-secret volumeMounts: - name: blueprints mountPath: /blueprints/custom diff --git a/argocd/manifests/authentik/external-secret.yaml b/argocd/manifests/authentik/external-secret.yaml index fb22f2b..9abf699 100644 --- a/argocd/manifests/authentik/external-secret.yaml +++ b/argocd/manifests/authentik/external-secret.yaml @@ -61,3 +61,7 @@ spec: remoteRef: key: "Authentik (blumeops)" property: mealie-client-secret + - secretKey: paperless-client-secret + remoteRef: + key: "Authentik (blumeops)" + property: paperless-client-secret
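Review bot: The new `AUTHENTIK_PAPERLESS_CLIENT_SECRET` env var is read by the worker once at container start, and the blueprint that consumes it is only re-applied when the worker reloads blueprints, so rotating `paperless-client-secret` in the external store will update the Kubernetes Secret but, as far as this hunk shows, not the running provider until the worker pod is restarted and Paperless is given the new value in the same window. This matches the existing mealie entry, so it is a pattern issue rather than a regression; a short comment on the env entry, e.g. `# consumed by the paperless blueprint; rotate together with the Paperless side and restart the worker`, would make the coupling explicit. Leaving the `secretKeyRef` non-optional is good, since the pod then refuses to start before the ExternalSecret has synced rather than applying a blueprint with an empty secret.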