depot/cluster/services/sso/oauth2-proxy.nix

35 lines
917 B
Nix

{ config, depot, ... }:
let
inherit (depot.lib.meta) domain;
login = x: "https://login.${domain}/auth/realms/master/protocol/openid-connect/${x}";
in
{
age.secrets.oauth2_proxy-secrets = {
file = ../../../secrets/oauth2_proxy-secrets.age;
owner = "root";
group = "root";
mode = "0400";
};
services.oauth2-proxy = {
enable = true;
nginx.domain = config.services.keycloak.settings.hostname;
approvalPrompt = "auto";
provider = "keycloak";
scope = "openid";
clientID = "net.privatevoid.admin-interfaces1";
keyFile = config.age.secrets.oauth2_proxy-secrets.path;
loginURL = login "auth";
redeemURL = login "token";
validateURL = login "userinfo";
cookie = {
secure = true;
domain = ".${domain}";
};
email.domains = [ domain ];
extraConfig = {
keycloak-group = "/admins";
skip-provider-button = true;
};
};
}