{
  config,
  lib,
  ...
}: let
  # Base domain; the SSO host, the proxy host, the cookie scope and the
  # redirect allow-list below are all derived from it.
  rootDomain = "nickolaj.com";

  # Zitadel (the OIDC identity provider) and the oauth2-proxy front door.
  ssoDomain = "sso.${rootDomain}";
  proxyDomain = "oauth2-proxy.${rootDomain}";
in {
  # Whole module is gated on the homelab role.
  config = lib.mkIf config.fireproof.homelab.enable {
    # Secret key file for oauth2-proxy (managed through age.secrets / rekeyFile);
    # owner is set so only the oauth2-proxy service user can read it.
    age.secrets.oauth2-proxy = {
      owner = "oauth2-proxy";
      rekeyFile = ../../../secrets/hosts/homelab/oauth2-proxy-keyfile.age;
    };

    # Restart the proxy unconditionally, 5s apart, instead of leaving it down.
    systemd.services.oauth2-proxy.serviceConfig = {
      RestartSec = "5s";
      Restart = "always";
    };

    # TLS-terminating nginx vhost in front of oauth2-proxy's loopback listener.
    services.nginx.virtualHosts.${proxyDomain} = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        # Loopback only; nothing outside this host reaches port 4180 directly.
        proxyPass = "http://127.0.0.1:4180";
        proxyWebsockets = true;
      };
    };

    services.oauth2-proxy = {
      enable = true;
      provider = "oidc";

      # Must match the `iss` claim Zitadel emits exactly, explicit :443
      # included — NOTE(review): confirm against the IdP's discovery document.
      oidcIssuerUrl = "https://${ssoDomain}:443";
      # Token validation endpoint — NOTE(review): verify the /oauth2/ path is
      # the one Zitadel actually serves for token validation.
      validateURL = "https://${ssoDomain}/oauth2/";
      redirectURL = "https://${proxyDomain}/oauth2/callback";

      keyFile = config.age.secrets.oauth2-proxy.path;

      # Trusts X-Forwarded-* headers from the nginx in front; only sound while
      # nginx is the sole client of the loopback listener.
      reverseProxy = true;
      # Forward identity to upstreams as Basic-Auth / X-Forwarded-User|Email headers
      # and as X-Auth-Request-* on auth_request responses.
      passBasicAuth = true;
      setXauthrequest = true;

      # Wires the nginx auth_request integration to the proxy vhost above.
      nginx.domain = proxyDomain;

      # Any email address the IdP asserts is accepted here; presumably
      # authorization (who may log in at all) is enforced in Zitadel.
      email.domains = ["*"];

      extraConfig = {
        # Post-login redirects limited to hosts under rootDomain (open-redirect guard).
        whitelist-domain = ".${rootDomain}";
        # Session cookie is scoped to every *.rootDomain host: one login covers all
        # services, but each of those hosts also receives the cookie.
        cookie-domain = ".${rootDomain}";
      };
    };
  };
}