auth

modules/nixos/homeassistant/services/homeassistant/default.nix

@@ -20,6 +20,36 @@ in
 
   config = mkIf cfg.enable {
 
+    sops = {
+      secrets = {
+        "home-assistant/auth-client-id" = {
+          sopsFile = (lib.snowfall.fs.get-file "secrets/nuc-secrets.yaml");
+          owner = config.users.users.hass.name;
+          group = config.users.users.hass.group;
+          restartUnits = [ "home-assistant.service" ];
+        };
+        "home-assistant/auth-client-secret" = {
+          sopsFile = (lib.snowfall.fs.get-file "secrets/nuc-secrets.yaml");
+          owner = config.users.users.hass.name;
+          group = config.users.users.hass.group;
+          restartUnits = [ "home-assistant.service" ];
+        };
+      };
+      templates = {
+        "auth.yaml" = {
+          content = ''
+            auth_oidc:
+              client_id: "${config.sops.placeholder."home-assistant/auth-client-id"}"
+              client_secret: "${config.sops.placeholder."home-assistant/auth-client-secret"}"
+              discovery_url: "https://authentik.mjallen.dev/application/o/home-assistant/.well-known/openid-configuration"
+          '';
+          owner = config.users.users.hass.name;
+          group = config.users.users.hass.group;
+          restartUnits = [ "home-assistant.service" ];
+        };
+      };
+    };
+
     services.home-assistant = {
       enable = true;
       package = pkgs.home-assistant;
@@ -311,6 +341,8 @@ in
         "scene ui" = "!include scenes.yaml";
         "script ui" = "!include scripts.yaml";
 
+        auth_oidc = "!include ${config.sops.templates."auth.yaml".path}";
+
         http = {
           use_x_forwarded_for = true;
           trusted_proxies = [
@@ -328,11 +360,6 @@ in
           purge_keep_days = 180;
         };
 
-        auth_header = {
-          debug = false;
-          username_header = "X-authentik-username";
-        };
-
         # https://www.home-assistant.io/integrations/ota_updater/
         zha.zigpy_config.ota.z2m_remote_index = "https://raw.githubusercontent.com/Koenkk/zigbee-OTA/master/index.json";
 

secrets/nuc-secrets.yaml

@@ -1,4 +1,6 @@
-hass: ENC[AES256_GCM,data:WfnVfA==,iv:fv66AU1oNjqWSlUmfBIM+i9oyNBZE2OYycGA01RFq30=,tag:fsMd8SoNcBD7wVkbp6AxnQ==,type:bool]
+home-assistant:
+    auth-client-id: ENC[AES256_GCM,data:8vu3Zmhi3bkGCQ2nmhlvasOU24wv3NeEgYhVISKBGARESN5Lzo1m3A==,iv:lpoUR0NIrWo/8jMgm514j+9Jvr9gGV9SnOM6s7pZ3AI=,tag:FMtwTyHtOvgMwmeHUUYTcA==,type:str]
+    auth-client-secret: ENC[AES256_GCM,data:9dC2o+SihvatdHKq+NOhueoHSEpR2T8FcuaUw8EWAla5iaVYgNFb3WJTcyQlGpzVlVoHWxJGJPOg6Hds+3mjsQAB/GdyDf7GqtRv3r2Ly0Nm6r2IYO/tSIubQg+ol5/2wDz9vEwlXdGbCxX8bt3ZZQjh50YA2KDjAbRdhHkoU5o=,iv:hlcDmikRmE3qHGxB25TnCYscIGRKSAclsxinEKtInAQ=,tag:dxdZkovhsyamnlsYrNlUEg==,type:str]
 sops:
     shamir_threshold: 1
     age:
@@ -146,8 +148,8 @@ sops:
             WFJONHNsUjJuditvVEgxQ0Y1RVhXQ1kKwBM8ljdCTTbjdasCdtLj4wZ+fX2XQIXf
             IMgacJ5kxYHaYpNpY5wyK2kHzPY9Ovz75WyXicPj0SCojhoKvMAWXQ==
             -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2025-07-16T02:28:31Z"
-  mac: ENC[AES256_GCM,data:c9bacPoSQ/6iQW6ICJfBRMPM4iPbXh4xPqU5XgGIYD9ssRV5sp2KI9eloTZNdxh5T49nfO8qkwlXsOFXTVjOlz8KAiRO0T6/Lq4mF8AsyRE0uPn2sZqrjDhcjTd3FYIVPCLna28UqvdO1dL8/6yI1t7Z2JrgrWxCqHG9dFtBWsA=,iv:54SRSm6WLe42EtvIm9vRzkq7xTiLYEItUyNuMyNsFas=,tag:ZTL0ON3s1TcNzEX/bLrmLw==,type:str]
+    lastmodified: "2026-03-06T15:16:45Z"
+    mac: ENC[AES256_GCM,data:ircyr5fVawgOdc0+4QU0EFzrASk3LQ+Rks8wsdWR8lncYLKZDbQjSaJQPUqWAOe7vJ8xZuzSHSc+5cZ4Xpdl4PjFNR6sulIioS9C4CeuN/ZkYlHxvVNN8uqZpiZNoftMJX5DbXM6jN36swdk5InLwbzFs46MBnbNMsB0RC+xOYM=,iv:37kXynrwkPZg6l0p/ZnNx84Ls/aX9I5wGNP9jDHlFzg=,tag:CP7zSOEd8FLCBoWE1MQyAQ==,type:str]
     pgp:
         - created_at: "2026-02-06T15:34:31Z"
           enc: |-
@@ -170,4 +172,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: CBCB9B18A6B8930B0B6ABFD1CCB8CBEB30633684
     unencrypted_suffix: _unencrypted
-  version: 3.10.2
+    version: 3.12.1