{ config, ... }:
let
  # The sops-managed environment file that carries the oauth2_proxy secrets.
  oauthSecret = config.sops.secrets.OAUTH2_PROXY_CLIENT_SECRET;
  rootUser = config.users.users.root;
  # Unix socket of the redis instance dedicated to oauth2_proxy sessions.
  redisSocket = config.services.redis.servers.oauth2_proxy.unixSocket;
in
{
  # Decrypted at activation time, readable by root only.
  # NOTE(review): 0400/root is only sufficient if systemd hands the file to the
  # service (EnvironmentFile) rather than the oauth2_proxy process opening it
  # itself as its own user -- confirm against the NixOS module in use.
  sops.secrets.OAUTH2_PROXY_CLIENT_SECRET = {
    mode = "0400";
    owner = rootUser.name;
    group = rootUser.group;
    sopsFile = ../../secrets/oauth2_proxy.env.bin;
    format = "binary";
  };

  services = {
    oauth2_proxy = {
      enable = true;

      # Env-file style secrets (OAUTH2_PROXY_* variables). cookie.secret is not
      # set in this module, so the file is presumably expected to provide
      # OAUTH2_PROXY_COOKIE_SECRET as well -- verify.
      keyFile = oauthSecret.path;

      # Loopback-only listener; nginx is the only intended client.
      httpAddress = "http://127.0.0.255:1034";
      nginx.virtualHosts = [ "calibre.coded.codes" ];
      # Trusts X-Forwarded-* / X-Real-IP from the proxy; safe only because the
      # listener above is not reachable from outside the host.
      reverseProxy = true;

      provider = "keycloak-oidc";
      clientID = "oauth2_proxy";

      # Emit X-Auth-Request-* headers for the nginx auth_request integration.
      setXauthrequest = true;

      # Any email address issued by the IdP is accepted here, so per-user
      # authorization must be enforced on the Keycloak side.
      email.domains = [ "*" ];

      extraConfig = {
        oidc-issuer-url = "https://login.clicks.codes/realms/master";
        # PKCE on the authorization-code flow.
        code-challenge-method = "S256";
        # Server-side sessions in redis rather than in the cookie.
        redis-connection-url = "unix://${redisSocket}";
        session-store-type = "redis";
        # One CSRF cookie per login attempt, short-lived; Secure flag on all cookies.
        cookie-csrf-per-request = "true";
        cookie-secure = "true";
        cookie-csrf-expire = "5m";
        # Domains (with subdomains) that post-login redirects may target.
        whitelist-domain = ".clicks.codes,.coded.codes,.thecoded.prof,.starrysky.fyi,.crawling.us";
        # Go straight to Keycloak instead of showing the provider chooser.
        skip-provider-button = "true";
      };
    };

    # Dedicated redis instance for the session store, reachable via the unix
    # socket referenced above.
    redis.servers.oauth2_proxy = {
      enable = true;
      user = "oauth2_proxy";
    };
  };
}