[timetagger,traefik] Adds timetagger back, and attempts to put it behind an oauth proxy, but the traefik config isn't quite right.

2025-05-29 17:05:48 -07:00
parent 07123a0fc2
commit 9411f87dbc
8 changed files with 253 additions and 114 deletions
--- a/system/hosts/mcp/containers/traefik.nix
+++ b/system/hosts/mcp/containers/traefik.nix
@@ -5,28 +5,62 @@ let
    name = "traefik-config";
    path = ./traefik;
  };
-in {
-  virtualisation.oci-containers.containers.traefik = mkContainer {
-      image = "traefik";
-      hostName = "proxy";
-      port = 8080;
-      domain = blazestar;
-      public = false;
-      ports = [
-        "80:80"
-        "443:443"
-      ];
-      volumes =
-      [
-        "/var/run/podman/podman.sock:/var/run/docker.sock:ro"
-        "${traefikConfigDir}:/etc/traefik"
-        "/tank/config/traefik/acme:/etc/traefik/acme"
-      ];
-      homepageOpts = {
-        name = "Traefik";
-        icon = "traefik.svg";
-        group = "Infra";
-        description = "Reverse Proxy";
-      };
+in
+{
+
+  sops.secrets = {
+    "traefik/oauth2-client-secret" = {
+      restartUnits = [ "podman-traefik.service" ];
+      mode = "0400";
    };
-  }
+  };
+
+  sops.templates."traefik/oauth2-config.yaml".content = ''
+    experimental:
+      plugins:
+        traefik-oidc-auth:
+          moduleName: "github.com/sevensolutions/traefik-oidc-auth"
+          version: "v0.11.0"
+
+    http:
+      middlewares:
+        oidc-auth:
+          plugin:
+            traefik-oidc-auth:
+              Provider:
+                Url: "https://auth.blazestar.net/"
+                ClientId: "3e3f7d9a-a684-4412-866c-ea7281954a9f"
+                ClientSecret: "${config.sops.placeholder."traefik/oauth2-client-secret"}"
+                TokenValidation: "IdToken"
+              Scopes: ["openid", "profile", "email"]
+  '';
+
+  virtualisation.oci-containers.containers.traefik = mkContainer {
+    image = "traefik";
+    hostName = "proxy";
+    port = 8080;
+    domain = blazestar;
+    public = false;
+    ports = [
+      "80:80"
+      "443:443"
+    ];
+    volumes = [
+      "/var/run/podman/podman.sock:/var/run/docker.sock:ro"
+      # All the configs from the config directory
+      "${traefikConfigDir}:/etc/traefik"
+      # Oauth2 config containing secrets
+      "${config.sops.templates."traefik/oauth2-config.yaml".path}:/etc/traefik/dynamic/oauth2-config.yaml"
+      # Persistent storage for acme certificates
+      # TODO: It may be possible to just use docker storage because persistence
+      # is not critical when the cert can just be renewed.
+      "/tank/config/traefik/acme:/etc/traefik/acme"
+    ];
+    homepageOpts = {
+      name = "Traefik";
+      icon = "traefik.svg";
+      group = "Infra";
+      description = "Reverse Proxy";
+    };
+  };
+}