retry

fili/services/auth/oauth2-proxy.nix

@@ -1,45 +1,50 @@
-{pkgs, config, ...}: {
+{ pkgs, config, ... }:
+{
   sops.secrets.oauth2-proxy = {
     sopsFile = ../../../secrets/oauth2-proxy.env;
   };
 
   services.oauth2-proxy =
     let
-      auth = import ../../lib/auth.nix { baseUrl = "https://auth.donsz.nl"; clientId = "homeserver"; };
-    in {
-    enable = true;
+      auth = import ../../lib/auth.nix {
+        baseUrl = "https://auth.donsz.nl";
+        clientId = "homeserver";
+      };
+    in
+    {
+      enable = true;
 
-    provider = "oidc";
-    clientID = "${auth.clientId}";
-    oidcIssuerUrl = auth.oidcIssuerUri;
+      provider = "oidc";
+      clientID = "${auth.clientId}";
+      oidcIssuerUrl = auth.oidcIssuerUri;
 
-    proxyPrefix = "/oauth2";
-    reverseProxy = true;
+      proxyPrefix = "/oauth2";
+      reverseProxy = true;
 
-    keyFile = config.sops.secrets.oauth2-proxy.path;
+      keyFile = config.sops.secrets.oauth2-proxy.path;
 
-    loginURL = auth.apiAuthUrl;
-    redeemURL = auth.tokenUrl;
-    validateURL = auth.rfc7662TokenIntrospectionUrl;
-    profileURL = auth.oidcUserInfo;
+      loginURL = auth.apiAuthUrl;
+      redeemURL = auth.tokenUrl;
+      validateURL = auth.rfc7662TokenIntrospectionUrl;
+      profileURL = auth.oidcUserInfo;
 
-    scope = "openid profile email";
+      scope = "openid profile email";
 
-    email.domains = [ "*" ];
+      email.domains = [ "*" ];
 
-    cookie = {
-      domain = "donsz.nl";
-      refresh = "1h";
-      secure = true;
+      cookie = {
+        domain = "donsz.nl";
+        refresh = "1h";
+        secure = true;
+      };
+
+      extraConfig = {
+        whitelist-domain = [ "*.donsz.nl" ];
+      };
+
+      nginx.domain = "oauth2.donsz.nl";
     };
 
-    extraConfig = {
-      whitelist-domain = ["*.donsz.nl"];
-    };
-
-    nginx.domain = "oauth2.donsz.nl";
-  };
-
   services.nginx.virtualHosts."oauth2.donsz.nl" = {
     forceSSL = true;
     http2 = true;