{pkgs, config, ...}: {
# Decrypted secret material for oauth2_proxy, handed to the service via keyFile
# below. The decrypted file is root-owned and owner-read-only (0400), so no other
# local user can read it. NOTE(review): sopsFile is a whole .env file decrypted
# as an opaque blob (format = "binary"), so despite the attribute name it
# presumably carries several OAUTH2_PROXY_* variables (client secret, cookie
# secret) — verify against the encrypted file.
sops.secrets.OAUTH2_PROXY_CLIENT_SECRET =
  let
    rootUser = config.users.users.root;
  in {
    sopsFile = ../../secrets/oauth2_proxy.env.bin;
    format = "binary";
    # Root-owned, readable by the owner only.
    owner = rootUser.name;
    group = rootUser.group;
    mode = "0400";
  };
# oauth2_proxy guarding the calibre vhost through nginx.
services.oauth2_proxy = {
  enable = true;

  # Loopback-only listener; nginx on this host forwards to it. reverseProxy = true
  # makes the proxy trust X-Forwarded-* headers, which is acceptable only because
  # the listener is not reachable from the network.
  httpAddress = "http://127.0.0.255:1034";
  reverseProxy = true;
  nginx.virtualHosts = [ "calibre.coded.codes" ];
  # Emit X-Auth-Request-* headers so nginx/upstreams learn who authenticated.
  setXauthrequest = true;

  # Identity provider: Keycloak via OIDC. The client secret is not in this file;
  # it is supplied through keyFile (an env file decrypted by sops).
  provider = "keycloak-oidc";
  clientID = "oauth2_proxy";
  keyFile = config.sops.secrets.OAUTH2_PROXY_CLIENT_SECRET.path;

  # Authorization: every email domain is accepted, so any account that can log in
  # to the Keycloak realm gets access to calibre. Narrower access, if wanted, has
  # to be enforced in Keycloak (or with a group restriction here).
  email = { domains = [ "*" ]; };

  extraConfig = {
    # NOTE(review): this is Keycloak's "master" realm, which also holds the
    # Keycloak administrators; Keycloak's guidance is to put application users
    # in a dedicated realm — confirm this is intended.
    oidc-issuer-url = "https://login.clicks.codes/realms/master";
    # PKCE with SHA-256 to protect the authorization code exchange.
    code-challenge-method = "S256";
    # Redirect straight to Keycloak instead of showing a provider button.
    skip-provider-button = "true";

    # Server-side sessions in the local Redis instance, reached over a unix
    # socket so session data never leaves the host.
    session-store-type = "redis";
    redis-connection-url = "unix://${config.services.redis.servers.oauth2_proxy.unixSocket}";

    # Cookie hardening: HTTPS-only, a fresh CSRF cookie per login attempt, and a
    # short CSRF cookie lifetime.
    cookie-secure = "true";
    cookie-csrf-per-request = "true";
    cookie-csrf-expire = "5m";

    # Domains the proxy may redirect to after login (leading dot covers all
    # subdomains); per oauth2_proxy's whitelist-domain semantics, redirects
    # elsewhere are refused.
    whitelist-domain = ".clicks.codes,.coded.codes,.thecoded.prof,.starrysky.fyi,.crawling.us";
  };
};
# Dedicated Redis instance backing oauth2_proxy's session store. Running it as the
# oauth2_proxy user lets the proxy open the unix socket referenced by
# redis-connection-url. NOTE(review): no port is set here; named NixOS redis
# servers default to no TCP listener, so sessions should only be reachable via
# that socket — confirm nothing else sets `port` for this instance.
services.redis.servers.oauth2_proxy.enable = true;
services.redis.servers.oauth2_proxy.user = "oauth2_proxy";
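# Gate startup on the Keycloak OIDC discovery document for the configured issuer
# being reachable, rather than on the bare host root, since that document is what
# the proxy needs from oidc-issuer-url when it starts. curl validates the TLS
# certificate (no -k), so a spoofed endpoint cannot satisfy the gate. --max-time
# bounds each probe so a hung connection cannot stall the loop indefinitely; the
# loop as a whole is bounded by systemd's start timeout, after which the unit
# fails (and is restarted by its Restart policy) instead of hanging forever.
systemd.services.oauth2_proxy.preStart = ''
  while [[ "$(${pkgs.curl}/bin/curl -s --max-time 10 -o /dev/null -w '%{http_code}' \
      https://login.clicks.codes/realms/master/.well-known/openid-configuration)" != "200" ]]; do
    sleep 5
  done
'';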
}