retry

2025-08-20 11:41:30 +02:00 · 2025-08-20 11:41:30 +02:00 · 3e7d55f5b9
commit 3e7d55f5b9
parent 4bbb51ef42
13 changed files with 150 additions and 93 deletions
--- a/fili/services/auth/kanidm.nix
+++ b/fili/services/auth/kanidm.nix
@ -1,9 +1,11 @@
-{pkgs, config, ...}: let
+{ pkgs, config, ... }:
+let
  lib = pkgs.lib;
  domain = "auth.donsz.nl";
  port = 3013;
  backupsDir = "/var/lib/kanidm/backup";
-in {
+in
+{
  services.kanidm.enableServer = true;
  services.kanidm.package = pkgs.kanidm_1_6;
  services.kanidm.serverSettings = {
@ -26,12 +28,11 @@ in {
      mkdir -p "${backupsDir}"
    '';
    serviceConfig = {
-      SupplementaryGroups =
-        [ config.security.acme.certs.${domain}.group ];
+      SupplementaryGroups = [ config.security.acme.certs.${domain}.group ];
    };
  };

-  environment.systemPackages = [pkgs.kanidm];
+  environment.systemPackages = [ pkgs.kanidm ];

  services.nginx.virtualHosts.${domain} = {
    forceSSL = true;
--- a/fili/services/auth/oauth2-proxy.nix
+++ b/fili/services/auth/oauth2-proxy.nix
@ -1,45 +1,50 @@
-{pkgs, config, ...}: {
+{ pkgs, config, ... }:
+{
  sops.secrets.oauth2-proxy = {
    sopsFile = ../../../secrets/oauth2-proxy.env;
  };

  services.oauth2-proxy =
    let
-      auth = import ../../lib/auth.nix { baseUrl = "https://auth.donsz.nl"; clientId = "homeserver"; };
-    in {
-    enable = true;
+      auth = import ../../lib/auth.nix {
+        baseUrl = "https://auth.donsz.nl";
+        clientId = "homeserver";
+      };
+    in
+    {
+      enable = true;

-    provider = "oidc";
-    clientID = "${auth.clientId}";
-    oidcIssuerUrl = auth.oidcIssuerUri;
+      provider = "oidc";
+      clientID = "${auth.clientId}";
+      oidcIssuerUrl = auth.oidcIssuerUri;

-    proxyPrefix = "/oauth2";
-    reverseProxy = true;
+      proxyPrefix = "/oauth2";
+      reverseProxy = true;

-    keyFile = config.sops.secrets.oauth2-proxy.path;
+      keyFile = config.sops.secrets.oauth2-proxy.path;

-    loginURL = auth.apiAuthUrl;
-    redeemURL = auth.tokenUrl;
-    validateURL = auth.rfc7662TokenIntrospectionUrl;
-    profileURL = auth.oidcUserInfo;
+      loginURL = auth.apiAuthUrl;
+      redeemURL = auth.tokenUrl;
+      validateURL = auth.rfc7662TokenIntrospectionUrl;
+      profileURL = auth.oidcUserInfo;

-    scope = "openid profile email";
+      scope = "openid profile email";

-    email.domains = [ "*" ];
+      email.domains = [ "*" ];

-    cookie = {
-      domain = "donsz.nl";
-      refresh = "1h";
-      secure = true;
+      cookie = {
+        domain = "donsz.nl";
+        refresh = "1h";
+        secure = true;
+      };
+
+      extraConfig = {
+        whitelist-domain = [ "*.donsz.nl" ];
+      };
+
+      nginx.domain = "oauth2.donsz.nl";
    };

-    extraConfig = {
-      whitelist-domain = ["*.donsz.nl"];
-    };
-
-    nginx.domain = "oauth2.donsz.nl";
-  };
-
  services.nginx.virtualHosts."oauth2.donsz.nl" = {
    forceSSL = true;
    http2 = true;