35 lines
917 B
Nix
35 lines
917 B
Nix
{ config, depot, ... }:
|
|
let
|
|
inherit (depot.lib.meta) domain;
|
|
login = x: "https://login.${domain}/auth/realms/master/protocol/openid-connect/${x}";
|
|
in
|
|
{
|
|
age.secrets.oauth2_proxy-secrets = {
|
|
file = ../../../secrets/oauth2_proxy-secrets.age;
|
|
owner = "root";
|
|
group = "root";
|
|
mode = "0400";
|
|
};
|
|
|
|
services.oauth2-proxy = {
|
|
enable = true;
|
|
nginx.domain = config.services.keycloak.settings.hostname;
|
|
approvalPrompt = "auto";
|
|
provider = "keycloak";
|
|
scope = "openid";
|
|
clientID = "net.privatevoid.admin-interfaces1";
|
|
keyFile = config.age.secrets.oauth2_proxy-secrets.path;
|
|
loginURL = login "auth";
|
|
redeemURL = login "token";
|
|
validateURL = login "userinfo";
|
|
cookie = {
|
|
secure = true;
|
|
domain = ".${domain}";
|
|
};
|
|
email.domains = [ domain ];
|
|
extraConfig = {
|
|
keycloak-group = "/admins";
|
|
skip-provider-button = true;
|
|
};
|
|
};
|
|
}
|