{ config, depot, ... }: let inherit (depot.lib.meta) domain; login = x: "https://login.${domain}/auth/realms/master/protocol/openid-connect/${x}"; in { age.secrets.oauth2_proxy-secrets = { file = ../../../../secrets/oauth2_proxy-secrets.age; owner = "root"; group = "root"; mode = "0400"; }; services.oauth2-proxy = { enable = true; nginx.domain = config.services.keycloak.settings.hostname; approvalPrompt = "auto"; provider = "keycloak"; scope = "openid"; clientID = "net.privatevoid.admin-interfaces1"; keyFile = config.age.secrets.oauth2_proxy-secrets.path; loginURL = login "auth"; redeemURL = login "token"; validateURL = login "userinfo"; cookie = { secure = true; domain = ".${domain}"; }; email.domains = [ domain ]; extraConfig = { keycloak-group = "/admins"; skip-provider-button = true; }; }; }