Adds Dex as a central OIDC identity provider running on ringtail's k3s cluster. Grafana is integrated as the first SSO client via generic_oauth. Dex uses Kubernetes CRD storage and ExternalSecrets for all sensitive config (bcrypt hash, client secrets from 1Password). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
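# Nix-built Dex OIDC identity provider
#
# Uses the nixpkgs dex-oidc package; Dex is pointed at its Kubernetes CRD
# storage backend through the config file it is told to read at
# /etc/dex/cfg/config.yaml (that file is NOT part of this image -- it must be
# mounted into the container at runtime).
#
# Built with dockerTools.buildLayeredImage for efficient layer caching.
#
# Supply-chain notes for reviewers:
#   * `<nixpkgs>` resolves through NIX_PATH, so the dex version baked into the
#     image depends on the caller's channel unless a pinned `pkgs` is passed in.
#   * The image contains only dex, a CA bundle and tzdata -- no shell and no
#     package manager -- which keeps the attack surface of a compromised
#     container small. Keep it that way; do not add debugging tools here.
{ pkgs ? import <nixpkgs> { }
  # Image tag. Defaults to "latest" so existing manifests keep working, but a
  # mutable tag cannot be tied to one build of the identity provider; prefer
  # passing `pkgs.dex-oidc.version` (or a git revision) when publishing.
, tag ? "latest"
}:

pkgs.dockerTools.buildLayeredImage {
  name = "blumeops/dex";
  inherit tag;

  contents = [
    pkgs.dex-oidc
    # CA bundle so Dex can verify TLS on outbound connections (upstream
    # connectors, any HTTPS endpoints named in config.yaml).
    pkgs.cacert
    pkgs.tzdata
  ];

  config = {
    Entrypoint = [ "${pkgs.dex-oidc}/bin/dex" ];
    # Nothing sensitive is baked into this image. The commit message says
    # secrets arrive via ExternalSecrets; confirm that the mounted config.yaml
    # references them through environment variables rather than inlining them.
    Cmd = [ "serve" "/etc/dex/cfg/config.yaml" ];

    Env = [
      # Without SSL_CERT_FILE pointing at the bundle above, a static image like
      # this has no trust store and outbound TLS verification would fail.
      "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
      "TZDIR=${pkgs.tzdata}/share/zoneinfo"
    ];

    # Only the HTTP listener is declared. Dex can also serve gRPC / telemetry
    # listeners if configured; none are exposed by this image by default.
    ExposedPorts = {
      "5556/tcp" = { };
    };

    # Run as nobody. A numeric UID is deliberate: the image carries no
    # /etc/passwd, so a symbolic user name could not be resolved at runtime.
    User = "65534";
  };
}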