depot/cluster/services/sso/oauth2-proxy.nix

36 lines
920 B
Nix
Raw Normal View History

{ config, depot, ... }:
2021-10-16 20:39:49 +03:00
let
2023-08-31 01:55:45 +03:00
inherit (depot.lib.meta) domain;
2021-10-16 20:39:49 +03:00
login = x: "https://login.${domain}/auth/realms/master/protocol/openid-connect/${x}";
in
{
age.secrets.oauth2_proxy-secrets = {
file = ../../../../secrets/oauth2_proxy-secrets.age;
owner = "root";
group = "root";
mode = "0400";
};
2021-12-02 22:37:38 +02:00
services.oauth2-proxy = {
2021-10-16 20:39:49 +03:00
enable = true;
nginx.domain = config.services.keycloak.settings.hostname;
2021-10-16 20:39:49 +03:00
approvalPrompt = "auto";
provider = "keycloak";
scope = "openid";
clientID = "net.privatevoid.admin-interfaces1";
keyFile = config.age.secrets.oauth2_proxy-secrets.path;
loginURL = login "auth";
redeemURL = login "token";
validateURL = login "userinfo";
cookie = {
secure = true;
domain = ".${domain}";
};
email.domains = [ domain ];
extraConfig = {
keycloak-group = "/admins";
skip-provider-button = true;
};
};
}