migrate media services to pocketid

fili/services/auth/oauth2-proxy.nix

@@ -1,5 +1,4 @@
 {
-  pkgs,
   config,
   secrets,
   ...
@@ -9,47 +8,35 @@
     sopsFile = "${secrets}/oauth2-proxy.env";
   };
 
-  services.oauth2-proxy =
-    let
-      auth = import ../../lib/auth.nix {
-        baseUrl = "https://auth.donsz.nl";
-        clientId = "homeserver";
-      };
-    in
-    {
-      enable = true;
+  services.oauth2-proxy = {
+    enable = true;
 
-      provider = "oidc";
-      clientID = "${auth.clientId}";
-      oidcIssuerUrl = auth.oidcIssuerUri;
+    provider = "oidc";
+    scope = "openid profile email groups";
+    clientID = "38aa51e2-783e-48f0-a4b9-440e269f1217";
+    oidcIssuerUrl = "https://auth.donsz.nl";
+    reverseProxy = true;
 
-      proxyPrefix = "/oauth2";
-      reverseProxy = true;
+    proxyPrefix = "/oauth2";
 
-      keyFile = config.sops.secrets.oauth2-proxy.path;
+    keyFile = config.sops.secrets.oauth2-proxy.path;
 
-      loginURL = auth.apiAuthUrl;
-      redeemURL = auth.tokenUrl;
-      validateURL = auth.rfc7662TokenIntrospectionUrl;
-      profileURL = auth.oidcUserInfo;
+    email.domains = [ "*" ];
 
-      scope = "openid profile email";
-
-      email.domains = [ "*" ];
-
-      cookie = {
-        domain = "donsz.nl";
-        refresh = "1h";
-        secure = true;
-      };
-
-      extraConfig = {
-        whitelist-domain = [ "*.donsz.nl" ];
-      };
-
-      nginx.domain = "oauth2.donsz.nl";
+    cookie = {
+      domain = "donsz.nl";
+      refresh = "1h";
+      secure = true;
     };
 
+    extraConfig = {
+      whitelist-domain = [ "*.donsz.nl" ];
+      insecure-oidc-allow-unverified-email = true;
+    };
+
+    nginx.domain = "oauth2.donsz.nl";
+  };
+
   services.nginx.virtualHosts."oauth2.donsz.nl" = {
     forceSSL = true;
     http2 = true;