47 lines
926 B
Nix
47 lines
926 B
Nix
{
|
|
config,
|
|
secrets,
|
|
...
|
|
}:
|
|
{
|
|
sops.secrets.oauth2-proxy = {
|
|
sopsFile = "${secrets}/oauth2-proxy.env";
|
|
};
|
|
|
|
services.oauth2-proxy = {
|
|
enable = true;
|
|
|
|
provider = "oidc";
|
|
scope = "openid profile email groups";
|
|
clientID = "38aa51e2-783e-48f0-a4b9-440e269f1217";
|
|
oidcIssuerUrl = "https://auth.donsz.nl";
|
|
reverseProxy = true;
|
|
|
|
proxyPrefix = "/oauth2";
|
|
|
|
keyFile = config.sops.secrets.oauth2-proxy.path;
|
|
|
|
email.domains = [ "*" ];
|
|
|
|
cookie = {
|
|
domain = "donsz.nl";
|
|
refresh = "1h";
|
|
secure = true;
|
|
};
|
|
|
|
extraConfig = {
|
|
whitelist-domain = [ "*.donsz.nl" ];
|
|
insecure-oidc-allow-unverified-email = true;
|
|
};
|
|
|
|
nginx.domain = "oauth2.donsz.nl";
|
|
};
|
|
|
|
services.nginx.virtualHosts."oauth2.donsz.nl" = {
|
|
forceSSL = true;
|
|
http2 = true;
|
|
enableACME = true;
|
|
|
|
locations."/".return = "301 https://oauth2.donsz.nl/oauth2/sign_in";
|
|
};
|
|
}
|