oauth

modules/servers/oauth2-proxy.nix

@@ -0,0 +1,51 @@
+{
+  lib,
+  config,
+  ...
+}:
+let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
+  cfg = config.my.servers.oauth2-proxy;
+in
+{
+  options.my.servers.oauth2-proxy = setup.mkOptions "oauth2-proxy" "auth-proxy" 4180;
+  config = lib.mkIf (cfg.enable && config.my.secureHost) {
+    sops.secrets.oauth2-proxy = {
+      sopsFile = ../../secrets/env.yaml;
+      restartUnits = [ "oauth2-proxy.service" ];
+    };
+    services.oauth2-proxy = {
+      inherit (cfg) enable;
+      provider = "keycloak-oidc";
+      clientID = "oauth2-proxy";
+      keyFile = config.sops.secrets.oauth2-proxy.path;
+      oidcIssuerUrl = "https://auth.lebubu.org/realms/homelab";
+      redirectURL = "https://auth-proxy.lebubu.org/oauth2/callback";
+      httpAddress = "${cfg.ip}:${toString cfg.port}";
+      email.domains = [ "*" ];
+      cookie = {
+        name = "_oauth2_proxy";
+        secure = true;
+        expire = "168h";
+        refresh = "1h";
+        domain = ".lebubu.org";
+      };
+      extraConfig = {
+        skip-auth-routes = [
+          "^/ping$"
+        ];
+        set-xauthrequest = true;
+        pass-access-token = true;
+        pass-user-headers = true;
+        request-logging = true;
+        auth-logging = true;
+        session-store-type = "cookie";
+        skip-provider-button = true;
+      };
+    };
+    systemd.services.oauth2-proxy = {
+      after = [ "network-online.target" ];
+      wants = [ "network-online.target" ];
+    };
+  };
+}