[habits] Adds beaver habits. [oidc] Sets up OIDC auth forwarding, it works, but not sure which header.

system/hosts/mcp/containers/havenisms.com/beaver-habits.nix

@@ -0,0 +1,18 @@
+{ ... }:
+{
+  virtualisation.web-containers.containers.beaver-habits = {
+    hostname = "habits";
+    domain = "havenisms.com";
+    image = "daya0576/beaverhabits:latest";
+    port = 8080;
+    oauthProxy = true;
+    volumes = [
+      "/tank/beaver-habits:/app/.user/"
+    ];
+    environment = {
+      HABITS_STORAGE = "DATABASE";
+      INDEX_HABIT_DATE_COLUMNS = "7";
+      TRUSTED_EMAIL_HEADER = "X-Oidc-Email";
+    };
+  };
+}

system/hosts/mcp/containers/havenisms.com/default.nix

@@ -1,6 +1,8 @@
 { ... }:
 {
   imports = [
+    ./beaver-habits.nix
     ./chat.nix
+    ./storyden.nix
   ];
 }

system/hosts/mcp/containers/havenisms.com/storyden.nix

@@ -0,0 +1,17 @@
+{ config, ... }:
+let
+  inherit (import ../lib.nix config) havenisms;
+in
+{
+
+  virtualisation.web-containers.containers.storyden = {
+    image = "ghcr.io/southclaws/storyden";
+    port = 8000;
+    hostname = "storyden";
+    domain = havenisms;
+    environment = {
+      PUBLIC_WEB_ADDRESS = "https://storyden.${havenisms}";
+      PUBLIC_API_ADDRESS = "https://storyden.${havenisms}";
+    };
+  };
+}

system/hosts/mcp/containers/traefik.nix

@@ -25,14 +25,28 @@ in
         oidc-auth:
           plugin:
             traefik-oidc-auth:
+              LogLevel: DEBUG
               Secret: "${config.sops.placeholder."traefik/oauth2-plugin-secret"}"
-              CallbackUri: "https://auth.blazestar.net/oidc/callback"
+              # Omitting the Callback URL means it will use the current domain for the callback.
+              # CallbackUri: "https://oidc.blazestar.net/oidc/callback"
               Provider:
                 Url: "https://auth.blazestar.net/"
                 ClientId: "3e3f7d9a-a684-4412-866c-ea7281954a9f"
                 ClientSecret: "${config.sops.placeholder."traefik/oauth2-client-secret"}"
                 TokenValidation: "IdToken"
+                UsePkce: false
               Scopes: ["openid", "profile", "email"]
+              Headers:
+                - Name: "X-Oidc-Username"
+                  Value: "{{`{{ .claims.preferred_username }}`}}"
+                - Name: "X-Oidc-Email"
+                  Value: "{{`{{ .claims.email }}`}}"
+                - Name: "X-Oidc-Subject"
+                  Value: "sub"
+                - Name: "Authorization"
+                  Value: "{{`Bearer {{ .accessToken }}`}}"
+                - Name: "IdToken"
+                  Value: "{{`Bearer {{ .idToken }}`}}"
   '';
 
   virtualisation.oci-containers.containers.traefik = mkContainer {

system/hosts/mcp/containers/traefik/traefik.yaml

@@ -46,9 +46,11 @@ metrics:
     entryPoint: "metrics"
 
 # Plugins must be defined in static config
+# Configuration of the plugin is in traefik.nix because it contains secrets.
+# TODO: Convert this whole file to a template in Nix
 experimental:
   plugins:
     traefik-oidc-auth:
       moduleName: "github.com/sevensolutions/traefik-oidc-auth"
-      version: "v0.11.0"
+      version: "v0.13.0"