dump

nixos/hosts/traefik/configuration/middlewares.nix

@@ -1,10 +1,43 @@
-{ lib, config, ... }:
-
 let
   internalNetwork = "192.168.1.0/24";
-in
-{
+in {
   internal-whitelist = {
-    ipWhiteList.sourceRange = [ internalNetwork ];
+    ipWhiteList.sourceRange = [internalNetwork];
+  };
+
+  auth-headers = {
+    headers = {
+      sslRedirect = true;
+      stsSeconds = 315360000;
+      browserXssFilter = true;
+      contentTypeNosniff = true;
+      forceSTSHeader = true;
+      sslHost = "procopius.dk";
+      stsIncludeSubdomains = true;
+      stsPreload = true;
+      frameDeny = true;
+    };
+  };
+
+  oauth-auth = {
+    forwardAuth = {
+      address = "http://localhost:4180/";
+      trustForwardHeader = true;
+      authResponseHeaders = [
+        "Authorization"
+        "X-Auth-Request-Access-Token"
+        "X-Auth-Request-User"
+        "X-Auth-Request-Email"
+        "X-Auth-Request-Preferred-Username" # Recommended
+        "X-Auth-Request-Access-Token" # If you want to pass the token
+        "X-Auth-Request-Groups" # If you configured a mapper in Keycloak to emit groups
+      ];
+    };
+  };
+
+  restrict-admin = {
+    forwardAuth = {
+      address = "http://localhost:4180/oauth2/auth?allowed_groups=role:admin";
+    };
   };
 }