| commit | 9faaa8a22befb9bf1e420bb9ec3192a7edf3a199 | [log] [tgz] |
|---|---|---|
| author | Skyler Grey <minion@clicks.codes> | Sat Dec 23 18:50:04 2023 +0000 |
| committer | Skyler Grey <minion@clicks.codes> | Sat Dec 23 19:35:25 2023 +0000 |
| tree | f33f48cf1d68607aaa89b722f9c0f9e2612c73a5 | |
| parent | 58fbb978cebe21d2e93d00544f2f4aa32872875c [diff] |
Add oauth2_proxy and use for calibre oauth2_proxy is a service that allows adding authentication via proxy headers to arbitrary web applications. As calibre doesn't support OIDC directly, we can configure oauth2_proxy with nginx to lock users out of calibre until they authenticate with keycloak, and then provide the username to calibre to authenticate without a password Change-Id: I933a6df20143ac2bd25513a4bcd2817cf6228191 Reviewed-on: https://git.clicks.codes/c/Clicks/NixFiles/+/203 Tested-by: Skyler Grey <minion@clicks.codes> Reviewed-by: Samuel Shuert <coded@clicks.codes>
To deploy these files to our server we use deploy-rs. If you've got a flakes-enabled nix installed on your system you can run
nix run github:serokell/deploy-rs
You can also install deploy-rs to your profile, at which point you'll be able to run
deploy
Secrets are stored in SOPS and deployed using scalpel.
If you have a service which needs to store secrets in its config file, please set systemd reloadTriggers and restartTriggers to automatically reload/restart the service whenever the configuration changes.
It's notable that changing the secrets will not trigger a reload/restart of the service. If you want to update the secrets without updating the rest of the configuration you currently need to manually restart the service. It's possible that this could be solved by using systemd paths to watch the files (see https://superuser.com/questions/1171751/restart-systemd-service-automatically-whenever-a-directory-changes-any-file-ins) but this is not a priority