55 lines
1.8 KiB
Nix
55 lines
1.8 KiB
Nix
{ config, lib, depot, ... }:
|
|
let
|
|
inherit (depot.lib.meta) domain;
|
|
login = x: "https://login.${domain}/auth/realms/master/protocol/openid-connect/${x}";
|
|
cfg = config.services.oauth2-proxy;
|
|
in
|
|
{
|
|
age.secrets.oauth2_proxy-secrets = {
|
|
file = ../../../../secrets/oauth2_proxy-secrets.age;
|
|
owner = "root";
|
|
group = "root";
|
|
mode = "0400";
|
|
};
|
|
|
|
services.oauth2-proxy = {
|
|
enable = true;
|
|
approvalPrompt = "auto";
|
|
provider = "keycloak";
|
|
scope = "openid";
|
|
clientID = "net.privatevoid.admin-interfaces1";
|
|
keyFile = config.age.secrets.oauth2_proxy-secrets.path;
|
|
loginURL = login "auth";
|
|
redeemURL = login "token";
|
|
validateURL = login "userinfo";
|
|
cookie = {
|
|
secure = true;
|
|
domain = ".${domain}";
|
|
};
|
|
email.domains = [ domain ];
|
|
extraConfig = {
|
|
keycloak-group = "/admins";
|
|
skip-provider-button = true;
|
|
};
|
|
};
|
|
services.nginx.virtualHosts = lib.genAttrs cfg.nginx.virtualHosts (_vhost: {
|
|
# apply protection to the whole vhost, not just /
|
|
extraConfig = ''
|
|
auth_request /oauth2/auth;
|
|
error_page 401 = /oauth2/sign_in;
|
|
|
|
# pass information via X-User and X-Email headers to backend,
|
|
# requires running with --set-xauthrequest flag
|
|
auth_request_set $user $upstream_http_x_auth_request_user;
|
|
auth_request_set $email $upstream_http_x_auth_request_email;
|
|
proxy_set_header X-User $user;
|
|
proxy_set_header X-Email $email;
|
|
|
|
# if you enabled --cookie-refresh, this is needed for it to work with auth_request
|
|
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
|
add_header Set-Cookie $auth_cookie;
|
|
'';
|
|
locations."/oauth2/".extraConfig = "auth_request off;";
|
|
locations."/oauth2/auth".extraConfig = "auth_request off;";
|
|
});
|
|
}
|