homelab/nixos/hosts/traefik/configuration/middlewares.nix

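# Traefik HTTP middleware definitions, keyed by middleware name.
# A middleware only takes effect on routers that list it, so every router
# that must be restricted has to reference the relevant entry explicitly.
let
  # The single CIDR treated as "internal" by internal-whitelist.
  internalNetwork = "192.168.1.0/24";
in {
  # Source-address allow list for LAN-only services.
  # No ipStrategy is set here, so the match is made on the address Traefik
  # sees for the connection. NOTE(review): if another proxy or NAT sits in
  # front of Traefik, every client may appear as that hop - confirm topology.
  # NOTE(review): newer Traefik releases name this middleware ipAllowList and
  # deprecate ipWhiteList - check against the deployed version.
  internal-whitelist = {
    ipWhiteList.sourceRange = [internalNetwork];
  };

  # Despite the name, this entry only sets response security headers;
  # it performs no authentication.
  auth-headers = {
    headers = {
      # NOTE(review): sslRedirect and sslHost are deprecated header options in
      # Traefik v2 (entry-point redirection / redirectScheme replace them) and
      # are not accepted by v3 - confirm the deployed version still honours them.
      sslRedirect = true;
      sslHost = "procopius.dk";

      # HSTS: 315360000 s = 10 years, applied to all subdomains and flagged
      # for browser preload. forceSTSHeader emits the header on plain-HTTP
      # responses as well. Browsers cache this for the full max-age and
      # preload-list removal is slow, so every subdomain must stay HTTPS-only.
      stsSeconds = 315360000;
      stsIncludeSubdomains = true;
      stsPreload = true;
      forceSTSHeader = true;

      contentTypeNosniff = true; # X-Content-Type-Options: nosniff
      frameDeny = true; # X-Frame-Options: DENY
      # X-XSS-Protection: 1; mode=block - legacy header; current browsers rely
      # on Content-Security-Policy instead, which this entry does not set.
      browserXssFilter = true;
    };
  };

  # Delegates authentication to the service listening on localhost:4180
  # (presumably oauth2-proxy, judging by the X-Auth-Request-* header names).
  oauth-auth = {
    forwardAuth = {
      address = "http://localhost:4180/";
      # Passes the incoming X-Forwarded-* headers through to the auth service
      # unchanged. NOTE(review): when clients can reach this Traefik instance
      # directly those headers are client-controlled; keep this only if a
      # trusted proxy in front sets them, otherwise prefer false.
      trustForwardHeader = true;
      # Headers copied from the auth response onto the request sent to the
      # backend. Backends that trust these identity headers should only be
      # reachable through Traefik. Authorization and the access token hand the
      # user's bearer credential to every backend behind this middleware; keep
      # them only where a backend actually needs the token.
      authResponseHeaders = [
        "Authorization"
        "X-Auth-Request-Access-Token" # If you want to pass the token
        "X-Auth-Request-User"
        "X-Auth-Request-Email"
        "X-Auth-Request-Preferred-Username" # Recommended
        "X-Auth-Request-Groups" # If you configured a mapper in Keycloak to emit groups
      ];
    };
  };

  # Group gate: asks the auth endpoint to accept only sessions in role:admin.
  # It sets no authResponseHeaders, so it adds no identity headers itself.
  # NOTE(review): presumably chained after oauth-auth on admin routers -
  # confirm each admin router lists both, and in that order.
  restrict-admin = {
    forwardAuth = {
      address = "http://localhost:4180/oauth2/auth?allowed_groups=role:admin";
    };
  };
}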