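{ config, ... }:

# oauth2-proxy in front of the Keycloak OIDC issuer on `auth.${blazestar}`.
# Secrets come from sops; the rendered env file is consumed by the podman
# container below.
let
  inherit (import ./lib.nix config) mkContainer blazestar havenisms;
in
{
  # Both secrets are root-only (0400) and restart the proxy unit on rotation,
  # so a new cookie or client secret takes effect without a manual restart.
  sops.secrets = {
    "oauth2-proxy/cookie-secret" = {
      restartUnits = [ "podman-oauth2-proxy.service" ];
      mode = "0400";
    };
    "oauth2-proxy/client-secret" = {
      restartUnits = [ "podman-oauth2-proxy.service" ];
      mode = "0400";
    };
  };

  # Rendered at activation time with the secret values substituted. The
  # substitution option is `config.sops.placeholder`; the previous spelling
  # `placehoder` is not an attribute of `config.sops`, so evaluation failed
  # with a missing-attribute error before the secrets were ever used.
  #
  # Security-relevant settings in the file:
  #  - EMAIL_DOMAINS='*' accepts every identity the issuer returns, so
  #    access control is entirely the realm's membership and client policy.
  #  - REVERSE_PROXY=true makes the proxy trust X-Forwarded-* / X-Real-IP
  #    from its caller; port 4180 must therefore only be reachable through the
  #    reverse proxy, never directly from clients.
  #  - COOKIE_DOMAINS / WHITELIST_DOMAINS are space-separated, matching the
  #    env-var list format oauth2-proxy expects.
  sops.templates."oauth2-proxy.env".content = ''
    OAUTH2_PROXY_HTTP_ADDRESS='0.0.0.0:4180'
    OAUTH2_PROXY_COOKIE_SECRET='${config.sops.placeholder."oauth2-proxy/cookie-secret"}'
    OAUTH2_PROXY_COOKIE_DOMAINS='.${blazestar} .${havenisms}'
    OAUTH2_PROXY_WHITELIST_DOMAINS='.${blazestar} .${havenisms}'
    OAUTH2_PROXY_PROVIDER='oidc'
    OAUTH2_PROXY_CLIENT_ID='oauth2-proxy'
    OAUTH2_PROXY_CLIENT_SECRET='${config.sops.placeholder."oauth2-proxy/client-secret"}'
    OAUTH2_PROXY_EMAIL_DOMAINS='*'
    OAUTH2_PROXY_OIDC_ISSUER_URL='https://auth.${blazestar}/realms/master'
    OAUTH2_PROXY_REDIRECT_URL='https://auth.${blazestar}/oauth2/callback'
    OAUTH2_PROXY_COOKIE_CSRF_PER_REQUEST=true
    OAUTH2_PROXY_COOKIE_CSRF_EXPIRE='5m'
    OAUTH2_PROXY_CUSTOM_TEMPLATES_DIR="/templates"
    OAUTH2_PROXY_REVERSE_PROXY=true
  '';

  virtualisation.oci-containers.containers.oauth2-proxy = mkContainer {
    # TODO(review): pin to a release tag or digest; an untagged reference
    # floats to :latest, so the proxy can change on any pull.
    image = "quay.io/oauth2-proxy/oauth2-proxy";
    hostName = "oauth";
    domain = blazestar;
    port = "4180";
    homepageOpts = {
      group = "Infra";
      name = "OAuth2-Proxy";
      icon = "oauth2-proxy.png";
      description = "An OAuth2 Reverse Proxy";
    };
    # NOTE(review): OAUTH2_PROXY_CUSTOM_TEMPLATES_DIR points at /templates but
    # nothing is mounted there — confirm whether a templates volume is intended.
    volumes = [
    ];
    # NOTE(review): the rendered "oauth2-proxy.env" file is not referenced in
    # this block; presumably mkContainer wires it in — verify against lib.nix.
    environment = {
    };
  };
}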