Gitiles
Code Review Sign In
git.clicks.codes / Infra / NixFiles / c4a6e96c428cf3b8f801a9fcd93a46ce28eba6d4 / . / modules / common / oauth2_proxy.nix
blob: 2c760d2c65ab174d02fa53bad834ae422d7a0d59 [file] [log] [blame]
Skyler Grey1462d752024-01-10 19:25:48 +0000[diff] [blame]1{pkgs, config, ...}: {
Skyler Grey9faaa8a2023-12-23 18:50:04 +0000[diff] [blame]2
3 sops.secrets.OAUTH2_PROXY_CLIENT_SECRET = {
4 mode = "0400";
5 owner = config.users.users.root.name;
6 group = config.users.users.root.group;
7 sopsFile = ../../secrets/oauth2_proxy.env.bin;
8 format = "binary";
9 };
10
11 services.oauth2_proxy = {
12 enable = true;
13
14 keyFile = config.sops.secrets.OAUTH2_PROXY_CLIENT_SECRET.path;
15
16 httpAddress = "http://127.0.0.255:1034";
17 nginx.virtualHosts = [ "calibre.coded.codes" ];
18 reverseProxy = true;
19
20 provider = "keycloak-oidc";
21 clientID = "oauth2_proxy";
22
23 setXauthrequest = true;
24
25 email.domains = [ "*" ];
26
27 extraConfig = {
28 oidc-issuer-url = "https://login.clicks.codes/realms/master";
29 code-challenge-method = "S256";
30 redis-connection-url = "unix://${config.services.redis.servers.oauth2_proxy.unixSocket}";
31 session-store-type = "redis";
32 cookie-csrf-per-request = "true";
33 cookie-secure = "true";
34 cookie-csrf-expire = "5m";
35 whitelist-domain = ".clicks.codes,.coded.codes,.thecoded.prof,.starrysky.fyi,.crawling.us";
36 skip-provider-button = "true";
37 };
38 };
39
40 services.redis.servers.oauth2_proxy = {
41 enable = true;
42 user = "oauth2_proxy";
43 };
Skyler Grey1462d752024-01-10 19:25:48 +0000[diff] [blame]44
45 systemd.services.oauth2_proxy.preStart = "while [[ \"$(${pkgs.curl}/bin/curl -s -o /dev/null -w ''%{http_code}'' https://login.clicks.codes)\" != \"200\" ]]; do sleep 5; done";
46
Skyler Grey9faaa8a2023-12-23 18:50:04 +0000[diff] [blame]47}