[habits] Adds beaver habits. [oidc] Sets up OIDC auth forwarding, it works, but not sure which header.

2025-07-25 12:22:33 -07:00
parent b3c6e951ee
commit 19d8c5c097
7 changed files with 59 additions and 5 deletions
--- a/system/hosts/mcp/containers/traefik.nix
+++ b/system/hosts/mcp/containers/traefik.nix
@@ -25,14 +25,28 @@ in
        oidc-auth:
          plugin:
            traefik-oidc-auth:
+              LogLevel: DEBUG
              Secret: "${config.sops.placeholder."traefik/oauth2-plugin-secret"}"
-              CallbackUri: "https://auth.blazestar.net/oidc/callback"
+              # Omitting the Callback URL means it will use the current domain for the callback.
+              # CallbackUri: "https://oidc.blazestar.net/oidc/callback"
              Provider:
                Url: "https://auth.blazestar.net/"
                ClientId: "3e3f7d9a-a684-4412-866c-ea7281954a9f"
                ClientSecret: "${config.sops.placeholder."traefik/oauth2-client-secret"}"
                TokenValidation: "IdToken"
+                UsePkce: false
              Scopes: ["openid", "profile", "email"]
+              Headers:
+                - Name: "X-Oidc-Username"
+                  Value: "{{`{{ .claims.preferred_username }}`}}"
+                - Name: "X-Oidc-Email"
+                  Value: "{{`{{ .claims.email }}`}}"
+                - Name: "X-Oidc-Subject"
+                  Value: "sub"
+                - Name: "Authorization"
+                  Value: "{{`Bearer {{ .accessToken }}`}}"
+                - Name: "IdToken"
+                  Value: "{{`Bearer {{ .idToken }}`}}"
  '';

  virtualisation.oci-containers.containers.traefik = mkContainer {