Node-RED SSO

Author: esselius

nixos-configurations/adama.nix

@@ -23,7 +23,7 @@
   formfactor = "server";
 
   networking.firewall.allowedTCPPorts = [
-    443  # Nginx
+    443 # Nginx
     # 1880 # Node-RED
     1883 # Mosquitto
     # 3000 # Grafana
@@ -59,47 +59,89 @@
 
   services.authentik.environmentFile = config.age.secrets.authentik-env.path;
 
-  services.authentik.blueprints = [{
-    metadata.name = "grafana-oauth";
-    entries = [
-      {
-        model = "authentik_providers_oauth2.oauth2provider";
-        state = "present";
-        identifiers.name = "Grafana";
-        id = "provider";
-        attrs = {
-          authentication_flow = "!Find [authentik_flows.flow, [slug, default-authentication-flow]]";
-          authorization_flow = "!Find [authentik_flows.flow, [slug, default-provider-authorization-explicit-consent]]";
-          client_type = "confidential";
-          client_id = "grafana";
-          client_secret = "secret";
-          access_code_validity = "minutes=1";
-          access_token_validity = "minutes=5";
-          refresh_token_validity = "days=30";
-          property_mappings = [
-            "!Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]"
-            "!Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]"
-            "!Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]"
-            "!Find [authentik_providers_oauth2.scopemapping, [scope_name, offline_access]]"
-          ];
-          sub_mode = "hashed_user_id";
-          include_claims_in_id_token = true;
-          issuer_mode = "per_provider";
-        };
-      }
-      {
-        model = "authentik_core.application";
-        state = "present";
-        identifiers.slug = "grafana";
-        id = "grafana";
-        attrs = {
-          name = "Grafana";
-          provider = "!KeyOf provider";
-          policy_engine_mode = "any";
-        };
-      }
-    ];
-  }];
+  services.authentik.blueprints = [
+    {
+      metadata.name = "grafana-oauth";
+      entries = [
+        {
+          model = "authentik_providers_oauth2.oauth2provider";
+          state = "present";
+          identifiers.name = "Grafana";
+          id = "provider";
+          attrs = {
+            authentication_flow = "!Find [authentik_flows.flow, [slug, default-authentication-flow]]";
+            authorization_flow = "!Find [authentik_flows.flow, [slug, default-provider-authorization-explicit-consent]]";
+            client_type = "confidential";
+            client_id = "grafana";
+            client_secret = "secret";
+            access_code_validity = "minutes=1";
+            access_token_validity = "minutes=5";
+            refresh_token_validity = "days=30";
+            property_mappings = [
+              "!Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]"
+              "!Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]"
+              "!Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]"
+              "!Find [authentik_providers_oauth2.scopemapping, [scope_name, offline_access]]"
+            ];
+            sub_mode = "hashed_user_id";
+            include_claims_in_id_token = true;
+            issuer_mode = "per_provider";
+          };
+        }
+        {
+          model = "authentik_core.application";
+          state = "present";
+          identifiers.slug = "grafana";
+          id = "grafana";
+          attrs = {
+            name = "Grafana";
+            provider = "!KeyOf provider";
+            policy_engine_mode = "any";
+          };
+        }
+      ];
+    }
+    {
+      metadata.name = "nodered-oauth";
+      entries = [
+        {
+          model = "authentik_providers_oauth2.oauth2provider";
+          state = "present";
+          identifiers.name = "Node-RED";
+          id = "provider";
+          attrs = {
+            authentication_flow = "!Find [authentik_flows.flow, [slug, default-authentication-flow]]";
+            authorization_flow = "!Find [authentik_flows.flow, [slug, default-provider-authorization-explicit-consent]]";
+            client_type = "confidential";
+            client_id = "node-red";
+            client_secret = "secret";
+            access_code_validity = "minutes=1";
+            access_token_validity = "minutes=5";
+            refresh_token_validity = "days=30";
+            property_mappings = [
+              "!Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]"
+              "!Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]"
+              "!Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]"
+            ];
+            sub_mode = "hashed_user_id";
+            include_claims_in_id_token = true;
+            issuer_mode = "per_provider";
+          };
+        }
+        {
+          model = "authentik_core.application";
+          state = "present";
+          identifiers.slug = "node-red";
+          id = "node-red";
+          attrs = {
+            name = "Node-RED";
+            provider = "!KeyOf provider";
+            policy_engine_mode = "any";
+          };
+        }
+      ];
+    }
+  ];
 
   profiles.monitoring = {
     enable = true;

nixos-modules/profiles/nodered-settings.js

@@ -0,0 +1,73 @@
+module.exports = {
+  flowFile: 'flows.json',
+  flowFilePretty: true,
+  uiPort: process.env.PORT || 1880,
+  diagnostics: {
+    enabled: true,
+    ui: true,
+  },
+  runtimeState: {
+    enabled: false,
+    ui: false,
+  },
+  logging: {
+    console: {
+      level: "warn",
+      metrics: false,
+      audit: false
+    }
+  },
+  exportGlobalContextKeys: false,
+  externalModules: {},
+  editorTheme: {
+    palette: {},
+    projects: {
+      enabled: false,
+      workflow: {
+        mode: "manual"
+      }
+    },
+    codeEditor: {
+      lib: "monaco",
+      options: {
+      }
+    },
+    markdownEditor: {
+      mermaid: {
+        enabled: true
+      }
+    },
+  },
+  functionExternalModules: true,
+  functionTimeout: 0,
+  functionGlobalContext: {},
+  debugMaxLength: 1000,
+  mqttReconnectTime: 15000,
+  serialReconnectTime: 15000,
+  adminAuth: {
+    type: 'strategy',
+    strategy: {
+      name: "openidconnect",
+      label: 'Sign in with authentik',
+      icon: "fa-cloud",
+      strategy: require("passport-openidconnect").Strategy,
+      options: {
+        issuer: 'https://authentik.adama.lan/application/o/node-red/',
+        authorizationURL: 'https://authentik.adama.lan/application/o/authorize/',
+        tokenURL: 'https://authentik.adama.lan/application/o/token/',
+        userInfoURL: 'https://authentik.adama.lan/application/o/userinfo/',
+        clientID: 'node-red',
+        clientSecret: 'secret',
+        callbackURL: 'https://node-red.adama.lan/auth/strategy/callback/',
+        scope: ['email', 'profile', 'openid'],
+        proxy: true,
+        verify: function (issuer, profile, done) {
+          done(null, profile)
+        }
+      },
+    },
+    users: function (user) {
+      return Promise.resolve({ username: user, permissions: "*" });
+    }
+  },
+}

nixos-modules/profiles/smarthome.nix

@@ -67,7 +67,11 @@ in
     services.node-red = {
       enable = true;
       withNpmAndGcc = true;
-      define."logging.console.level" = "warn";
+      configFile = ./nodered-settings.js;
     };
+    systemd.services.node-red.environment.NODE_PATH = let
+      pkg = (pkgs.callPackage ../../pkgs/passport-openidconnect {}).package;
+    in
+    "${pkg.outPath}/lib/node_modules";
   };
 }

pkgs/passport-openidconnect/default.nix

@@ -0,0 +1,17 @@
+# This file has been generated by node2nix 1.11.1. Do not edit!
+
+{pkgs ? import <nixpkgs> {
+    inherit system;
+  }, system ? builtins.currentSystem, nodejs ? pkgs."nodejs_18"}:
+
+let
+  nodeEnv = import ./node-env.nix {
+    inherit (pkgs) stdenv lib python2 runCommand writeTextFile writeShellScript;
+    inherit pkgs nodejs;
+    libtool = if pkgs.stdenv.isDarwin then pkgs.darwin.cctools else null;
+  };
+in
+import ./node-packages.nix {
+  inherit (pkgs) fetchurl nix-gitignore stdenv lib fetchgit fetchFromGitHub;
+  inherit nodeEnv;
+}