[oauth-proxy] Making some progress on this. It's not working, but it's now redirecting and getting 'invalid status code'

secrets/mcp.yaml

@@ -12,7 +12,8 @@ offen:
     secret: ENC[AES256_GCM,data:sH2siPc/QH1O2M7ZlJwqhqlHRIeLIG9r,iv:eD29ALx2ji0rm1t9j6RulTZT3f6VLK7dxpPOze3qDKA=,tag:zqJTgT2UeA/ecBS4VremUw==,type:str]
     smtp-token: ENC[AES256_GCM,data:ZTfe65g3JykPvG2l0AN8UQ==,iv:GTruGo/vcP+imfJyqB3NX9ic8dz5jvTEh6SF+OeqMDM=,tag:kgwd59pG/WUt8OAaVzi39Q==,type:str]
 traefik:
-    oauth2-client-secret: ENC[AES256_GCM,data:c4zU/oH/buelobBo/47V74Xwm6MU76C+UPCFpuARYU8=,iv:7dl0MIjza6B8FGl3i3O/4CxKxlp4z2S+H82xSLUg5iQ=,tag:63E/RNjiw56evIxfhF8acg==,type:str]
+    oauth2-client-secret: ENC[AES256_GCM,data:gV9/yBCqWPcNG/m7S0PRE3TduKzqRD1ii3RGGjNprQM=,iv:jmwBYWhPQJMZWHZine6Eb+7fdW44QOvkK52LQ6ISK4s=,tag:yNWRJ1IdPcxn6e0DXQe7Cw==,type:str]
+    oauth2-plugin-secret: ENC[AES256_GCM,data:sArqwKHAdW35o5kD7DGfXSYCXFUXqvKQdoVnXutsNLw=,iv:qWf597QS3BqkVQkeAb99HbpDB0kUhdD+qKdpUPZEB0o=,tag:vXnb93npaklItWkMZ+/M9Q==,type:str]
 sops:
     age:
         - recipient: age1yvdzvuvu5wqztcx6ll2xk6x547uuyqy735tjjdd7zftkz53jsf9qf5ahue
@@ -33,7 +34,7 @@ sops:
             by9aNFY4dXNxaWxnTXFTQS9reHhuQWMKh5rZ93nFtBV9EpFVRp+E+GXZ6xzVy2Jw
             vFh4deGcAb60q4odSaeWfk1Dr7L9Ua69oK9omjbCNUt+P7Kwlfca7Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-29T23:38:06Z"
+    lastmodified: "2025-05-30T17:07:50Z"
-    mac: ENC[AES256_GCM,data:SImZMvXfUUt2IznmthXEG2o2cUUn485+D44OFZZc3WGmvrPIJ8WjT50HUu3fCEWmwO4mFv1VVBAr/SkN3s6VDgCh7Nbe4clp3zpgyiWamiXlvJP2Y0k1W+KjTd/AQ7jLig9D9UDXHVRBy5rZ5iLZdjZ6s5WQ8rfztcbMpkdi9yk=,iv:XVHHpwFkkhzbO3wYoerIcDeA5Io0GeLxzR2AT+BQij8=,tag:go/0xd1FhG/5h+TXA4xxHg==,type:str]
+    mac: ENC[AES256_GCM,data:R6erzXvuG/viLywni4klvHfJF0xLYw2rNsdN1lugUgqwvH4HuxbBelyr8Co7ePhSoVEI1628futZi+yYAoNnWPbThtKG4G/WUc8Sm9gCVxAqMeeCL1pLbcizlJx5L+Of61m7hUgb3MhcPYkC8HEI4rxkgfEG0FQW6rRy7g8CzNU=,iv:Ou+WXiNUVkcbdDy87+1jPsAzpBvHCPsLfDPrRSWkTKM=,tag:Jqfpvg+vTmhWSvfAuikteA==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

system/hosts/mcp/containers/timetagger.nix

@@ -1,12 +1,11 @@
 { config, ... }:
 let
-  inherit (import ./lib.nix config) mkContainer terakoda_net;
+  inherit (import ./lib.nix config) mkContainer;
 in
 {
   virtualisation.oci-containers.containers.timetagger = mkContainer {
     image = "ghcr.io/almarklein/timetagger:v24.12.2";
     hostName = "time";
-    domain = terakoda_net;
     port = "80";
     oauthProxy = true;
     homepageOpts = {

system/hosts/mcp/containers/traefik.nix

@@ -13,20 +13,20 @@ in
       restartUnits = [ "podman-traefik.service" ];
       mode = "0400";
     };
+    "traefik/oauth2-plugin-secret" = {
+      restartUnits = [ "podman-traefik.service" ];
+      mode = "0400";
+    };
   };
 
   sops.templates."traefik/oauth2-config.yaml".content = ''
-    experimental:
-      plugins:
-        traefik-oidc-auth:
-          moduleName: "github.com/sevensolutions/traefik-oidc-auth"
-          version: "v0.11.0"
-
     http:
       middlewares:
         oidc-auth:
           plugin:
             traefik-oidc-auth:
+              Secret: "${config.sops.placeholder."traefik/oauth2-plugin-secret"}"
+              CallbackUri: "https://auth.blazestar.net/oidc/callback"
               Provider:
                 Url: "https://auth.blazestar.net/"
                 ClientId: "3e3f7d9a-a684-4412-866c-ea7281954a9f"

system/hosts/mcp/containers/traefik/traefik.yaml

@@ -37,3 +37,11 @@ metrics:
     addEntryPointsLabels: true
     addServicesLabels: true
     entryPoint: "metrics"
+
+# Plugins must be defined in static config
+experimental:
+  plugins:
+    traefik-oidc-auth:
+      moduleName: "github.com/sevensolutions/traefik-oidc-auth"
+      version: "v0.11.0"
+