[timetagger,traefik] Adds timetagger back, and attempts to put it behind an oauth proxy, but the traefik config isn't quite right.

2025-05-29 17:05:48 -07:00
parent 07123a0fc2
commit 9411f87dbc
8 changed files with 253 additions and 114 deletions
--- a/system/hosts/mcp/containers/oauth2proxy.nix
+++ b/system/hosts/mcp/containers/oauth2proxy.nix
@@ -0,0 +1,50 @@
+{ config, ... }:
+let
+  inherit (import ./lib.nix config) mkContainer blazestar havenisms;
+in
+{
+  sops.secrets = {
+    "oauth2-proxy/cookie-secret" = {
+      restartUnits = [ "podman-oauth2-proxy.service" ];
+      mode = "0400";
+    };
+    "oauth2-proxy/client-secret" = {
+      restartUnits = [ "podman-oauth2-proxy.service" ];
+      mode = "0400";
+    };
+  };
+
+  sops.templates."oauth2-proxy.env".content = ''
+    OAUTH2_PROXY_HTTP_ADDRESS='0.0.0.0:4180'
+    OAUTH2_PROXY_COOKIE_SECRET='${config.sops.placehoder."oauth2-proxy/cookie-secret"}'
+    OAUTH2_PROXY_COOKIE_DOMAINS='.${blazestar} .${havenisms}'
+    OAUTH2_PROXY_WHITELIST_DOMAINS='.${blazestar} .${havenisms}'
+    OAUTH2_PROXY_PROVIDER='oidc'
+    OAUTH2_PROXY_CLIENT_ID='oauth2-proxy'
+    OAUTH2_PROXY_CLIENT_SECRET='${config.sops.placehoder."oauth2-proxy/client-secret"}'
+    OAUTH2_PROXY_EMAIL_DOMAINS='*'
+    OAUTH2_PROXY_OIDC_ISSUER_URL='https://auth.${blazestar}/realms/master'
+    OAUTH2_PROXY_REDIRECT_URL='https://auth.${blazestar}/oauth2/callback'
+    OAUTH2_PROXY_COOKIE_CSRF_PER_REQUEST=true
+    OAUTH2_PROXY_COOKIE_CSRF_EXPIRE='5m'
+    OAUTH2_PROXY_CUSTOM_TEMPLATES_DIR="/templates"
+    OAUTH2_PROXY_REVERSE_PROXY=true
+  '';
+
+  virtualisation.oci-containers.containers.oauth2-proxy = mkContainer {
+    image = "quay.io/oauth2-proxy/oauth2-proxy";
+    hostName = "oauth";
+    domain = blazestar;
+    port = "4180";
+    homepageOpts = {
+      group = "Infra";
+      name = "OAuth2-Proxy";
+      icon = "oauth2-proxy.png";
+      description = "An OAuth2 Reverse Proxy";
+    };
+    volumes = [
+    ];
+    environment = {
+    };
+  };
+}