diff --git a/secrets/mcp.yaml b/secrets/mcp.yaml
index c35f1b8..3a3548f 100644
--- a/secrets/mcp.yaml
+++ b/secrets/mcp.yaml
@@ -12,7 +12,8 @@ offen:
 secret: ENC[AES256_GCM,data:sH2siPc/QH1O2M7ZlJwqhqlHRIeLIG9r,iv:eD29ALx2ji0rm1t9j6RulTZT3f6VLK7dxpPOze3qDKA=,tag:zqJTgT2UeA/ecBS4VremUw==,type:str]
 smtp-token: ENC[AES256_GCM,data:ZTfe65g3JykPvG2l0AN8UQ==,iv:GTruGo/vcP+imfJyqB3NX9ic8dz5jvTEh6SF+OeqMDM=,tag:kgwd59pG/WUt8OAaVzi39Q==,type:str]
 traefik:
- oauth2-client-secret: ENC[AES256_GCM,data:c4zU/oH/buelobBo/47V74Xwm6MU76C+UPCFpuARYU8=,iv:7dl0MIjza6B8FGl3i3O/4CxKxlp4z2S+H82xSLUg5iQ=,tag:63E/RNjiw56evIxfhF8acg==,type:str]
+ oauth2-client-secret: ENC[AES256_GCM,data:gV9/yBCqWPcNG/m7S0PRE3TduKzqRD1ii3RGGjNprQM=,iv:jmwBYWhPQJMZWHZine6Eb+7fdW44QOvkK52LQ6ISK4s=,tag:yNWRJ1IdPcxn6e0DXQe7Cw==,type:str]
+ oauth2-plugin-secret: ENC[AES256_GCM,data:sArqwKHAdW35o5kD7DGfXSYCXFUXqvKQdoVnXutsNLw=,iv:qWf597QS3BqkVQkeAb99HbpDB0kUhdD+qKdpUPZEB0o=,tag:vXnb93npaklItWkMZ+/M9Q==,type:str]
 sops:
 age:
 - recipient: age1yvdzvuvu5wqztcx6ll2xk6x547uuyqy735tjjdd7zftkz53jsf9qf5ahue
@@ -33,7 +34,7 @@ sops:
 by9aNFY4dXNxaWxnTXFTQS9reHhuQWMKh5rZ93nFtBV9EpFVRp+E+GXZ6xzVy2Jw
 vFh4deGcAb60q4odSaeWfk1Dr7L9Ua69oK9omjbCNUt+P7Kwlfca7Q==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-05-29T23:38:06Z"
- mac: ENC[AES256_GCM,data:SImZMvXfUUt2IznmthXEG2o2cUUn485+D44OFZZc3WGmvrPIJ8WjT50HUu3fCEWmwO4mFv1VVBAr/SkN3s6VDgCh7Nbe4clp3zpgyiWamiXlvJP2Y0k1W+KjTd/AQ7jLig9D9UDXHVRBy5rZ5iLZdjZ6s5WQ8rfztcbMpkdi9yk=,iv:XVHHpwFkkhzbO3wYoerIcDeA5Io0GeLxzR2AT+BQij8=,tag:go/0xd1FhG/5h+TXA4xxHg==,type:str]
+ lastmodified: "2025-05-30T17:07:50Z"
+ mac: ENC[AES256_GCM,data:R6erzXvuG/viLywni4klvHfJF0xLYw2rNsdN1lugUgqwvH4HuxbBelyr8Co7ePhSoVEI1628futZi+yYAoNnWPbThtKG4G/WUc8Sm9gCVxAqMeeCL1pLbcizlJx5L+Of61m7hUgb3MhcPYkC8HEI4rxkgfEG0FQW6rRy7g8CzNU=,iv:Ou+WXiNUVkcbdDy87+1jPsAzpBvHCPsLfDPrRSWkTKM=,tag:Jqfpvg+vTmhWSvfAuikteA==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.10.2
diff --git a/system/hosts/mcp/containers/timetagger.nix b/system/hosts/mcp/containers/timetagger.nix index 8daa5a6..ec64bb7 100644 --- a/system/hosts/mcp/containers/timetagger.nix +++ b/system/hosts/mcp/containers/timetagger.nix @@ -1,12 +1,11 @@ { config, ... }: let - inherit (import ./lib.nix config) mkContainer terakoda_net; + inherit (import ./lib.nix config) mkContainer; in { virtualisation.oci-containers.containers.timetagger = mkContainer { image = "ghcr.io/almarklein/timetagger:v24.12.2"; hostName = "time"; - domain = terakoda_net; port = "80"; oauthProxy = true; homepageOpts = { diff --git a/system/hosts/mcp/containers/traefik.nix b/system/hosts/mcp/containers/traefik.nix index d461c5f..d0f9b3f 100644 --- a/system/hosts/mcp/containers/traefik.nix +++ b/system/hosts/mcp/containers/traefik.nix @@ -13,20 +13,20 @@ in restartUnits = [ "podman-traefik.service" ]; mode = "0400"; }; + "traefik/oauth2-plugin-secret" = { + restartUnits = [ "podman-traefik.service" ]; + mode = "0400"; + }; }; sops.templates."traefik/oauth2-config.yaml".content = '' - experimental: - plugins: - traefik-oidc-auth: - moduleName: "github.com/sevensolutions/traefik-oidc-auth" - version: "v0.11.0" - http: middlewares: oidc-auth: plugin: traefik-oidc-auth: + Secret: "${config.sops.placeholder."traefik/oauth2-plugin-secret"}" + CallbackUri: "https://auth.blazestar.net/oidc/callback" Provider: Url: "https://auth.blazestar.net/" ClientId: "3e3f7d9a-a684-4412-866c-ea7281954a9f" diff --git a/system/hosts/mcp/containers/traefik/traefik.yaml b/system/hosts/mcp/containers/traefik/traefik.yaml index a8d6d30..e184aa2 100644 --- a/system/hosts/mcp/containers/traefik/traefik.yaml +++ b/system/hosts/mcp/containers/traefik/traefik.yaml 
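Review bot: The new `CallbackUri` line points at the provider's own host (`https://auth.blazestar.net/oidc/callback`, the same host as `Provider.Url`), and as far as I know this plugin only serves the callback path on routers that carry the `oidc-auth` middleware, so a browser redirected to that URL reaches the IdP rather than the plugin unless a matching router exists — confirm one does, or drop `CallbackUri` so the default relative `/oidc/callback` on each protected host is used (the IdP client then needs each host's redirect URI registered). The `Secret` wired from `traefik/oauth2-plugin-secret` is the key for the plugin's state/session cookies; the plugin documentation for this version requires a fixed-length string (32 characters, if I recall correctly), which sops will not check, so a comment next to the line such as `# 32-char random string; encrypts the plugin's session/state cookies` would save the next person a failed restart. The enclosing `sops.templates` string continues past the end of the hunk.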
@@ -37,3 +37,11 @@ metrics:
 addEntryPointsLabels: true
 addServicesLabels: true
 entryPoint: "metrics"
+
+# Plugins must be defined in static config
+experimental:
+ plugins:
+ traefik-oidc-auth:
+ moduleName: "github.com/sevensolutions/traefik-oidc-auth"
+ version: "v0.11.0"
+
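Review bot: The plugin is pinned only by a git tag (`version: "v0.11.0"`); Traefik fetches plugin source from the plugin registry at startup and checks nothing beyond that tag, so a moved or re-pushed tag changes the code sitting in the authentication path without any change in this repository. For a component that handles OIDC tokens for every protected service, consider vendoring the release as a local plugin (`experimental.localPlugins`, with the source shipped in the image or a mounted volume) so what runs is what was reviewed. Since this is static configuration the addition only takes effect on a Traefik restart, and the `restartUnits` entries in traefik.nix cover the sops secrets rather than this file, so confirm the container is restarted when traefik.yaml changes.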