dump

nixos/hosts/traefik/oauth2proxy.nix

@@ -0,0 +1,76 @@
+# /etc/nixos/configuration.nix
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  oauth2ProxyKeyFile = config.sops.secrets."oauth2-proxy-env".path;
+in {
+  services.oauth2-proxy = {
+    enable = true;
+    package = pkgs.oauth2-proxy;
+
+    keyFile = oauth2ProxyKeyFile;
+
+    provider = "keycloak-oidc"; # Use "oidc" for standard OIDC providers like Keycloak
+    oidcIssuerUrl = "https://keycloak.procopius.dk/realms/homelab";
+    clientID = "oauth2-proxy"; # Matches the client ID in Keycloak
+
+    # Public URL for oauth2-proxy itself, where Keycloak redirects back to
+    redirectURL = "https://oauth.procopius.dk/oauth2/callback";
+    upstream = ["static://202"];
+    extraConfig = {
+      code-challenge-method = "S256";
+      # email-domain = "*";
+      auth-logging = true;
+      request-logging = true;
+      whitelist-domain = ".procopius.dk";
+      pass-host-header = true;
+      skip-provider-button = true;
+    };
+
+    # Cookie configuration
+    cookie = {
+      name = "_oauth2_proxy_homelab";
+      domain = ".procopius.dk";
+      secure = true;
+      httpOnly = true;
+      expire = "24h";
+      refresh = "1h";
+    };
+
+    # Listen address for oauth2-proxy internally. Traefik will forward to this.
+    httpAddress = "http://127.0.0.1:4180"; # Ensure this port is not blocked by your firewall internally
+
+    # Reverse proxy settings for headers
+    reverseProxy = true; # Set to true because it's behind Traefik
+
+    # Headers to set for the upstream applications after successful authentication
+    setXauthrequest = true; # Set X-Auth-Request-User, X-Auth-Request-Email etc.
+    passBasicAuth = true; # Pass HTTP Basic Auth headers
+    passHostHeader = true; # Pass the original Host header to the upstream
+
+    # Authorization rules for who can access
+    # You can restrict by email domain (allows everyone from that domain)
+    email.domains = ["*"]; # Allows any authenticated user from Keycloak
+    # Or restrict by specific email addresses (if you want tighter control):
+    # email.addresses = allowedOauth2ProxyEmails;
+
+    # Logging
+    requestLogging = true;
+
+    # Optional: If you use specific scopes for Keycloak (e.g., if you want groups claim)
+    # scope = "openid profile email";
+    # If you specifically added a 'groups' claim in Keycloak:
+    scope = "openid profile email";
+
+    # You can add extra command-line flags here if needed, e.g., for debug logging
+    # extraConfig = {
+    #
+    # };
+  };
+
+  # Expose the internal port for oauth2-proxy if needed for debugging or direct access (less common)
+  networking.firewall.allowedTCPPorts = [4180];
+}