depot/hosts/VEGAS/modules/oauth2-proxy/default.nix

59 lines
1.8 KiB
Nix
Raw Normal View History

2023-08-31 01:55:45 +03:00
{ config, lib, depot, ... }:
2021-10-16 20:39:49 +03:00
let
2023-08-31 01:55:45 +03:00
inherit (depot.lib.meta) domain;
2021-10-16 20:39:49 +03:00
login = x: "https://login.${domain}/auth/realms/master/protocol/openid-connect/${x}";
cfg = config.services.oauth2_proxy;
in
{
age.secrets.oauth2_proxy-secrets = {
file = ../../../../secrets/oauth2_proxy-secrets.age;
owner = "root";
group = "root";
mode = "0400";
};
2021-12-02 22:37:38 +02:00
users.users.oauth2_proxy.group = "oauth2_proxy";
users.groups.oauth2_proxy = {};
2021-10-16 20:39:49 +03:00
services.oauth2_proxy = {
enable = true;
approvalPrompt = "auto";
provider = "keycloak";
scope = "openid";
clientID = "net.privatevoid.admin-interfaces1";
keyFile = config.age.secrets.oauth2_proxy-secrets.path;
loginURL = login "auth";
redeemURL = login "token";
validateURL = login "userinfo";
cookie = {
secure = true;
domain = ".${domain}";
};
email.domains = [ domain ];
extraConfig = {
keycloak-group = "/admins";
skip-provider-button = true;
};
};
2022-10-17 15:54:48 +03:00
services.nginx.virtualHosts = lib.genAttrs cfg.nginx.virtualHosts (_vhost: {
2021-10-16 20:39:49 +03:00
# apply protection to the whole vhost, not just /
extraConfig = ''
auth_request /oauth2/auth;
error_page 401 = /oauth2/sign_in;
# pass information via X-User and X-Email headers to backend,
# requires running with --set-xauthrequest flag
auth_request_set $user $upstream_http_x_auth_request_user;
auth_request_set $email $upstream_http_x_auth_request_email;
proxy_set_header X-User $user;
proxy_set_header X-Email $email;
# if you enabled --cookie-refresh, this is needed for it to work with auth_request
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
'';
locations."/oauth2/".extraConfig = "auth_request off;";
locations."/oauth2/auth".extraConfig = "auth_request off;";
});
}