From e4c5f5a6bababe466a09f20a13e0ea05c10bb951 Mon Sep 17 00:00:00 2001
From: stuebinm
Date: Sat, 13 Mar 2021 14:54:12 +0100
Subject: [PATCH] wink: init oauth2-proxy configuration.

Since there was a desire for some kind of authentication in front of wink, here is a barebones config using oauth2-proxy. It is as yet untested, since I didn't want to deploy things right now / fiddle with the keycloak settings. See the comments in the documentation for what must still be done to make this work. I acknowledge that I said I wouldn't do this, but no one else seems to care.
---
hosts/hainich/services/wink.nix | 27 ++++++++++++++++++++++++++-
1 file changed, 26 insertions(+), 1 deletion(-)
diff --git a/hosts/hainich/services/wink.nix b/hosts/hainich/services/wink.nix
index 5ef3bdb..f279632 100644
--- a/hosts/hainich/services/wink.nix
+++ b/hosts/hainich/services/wink.nix
@@ -48,5 +48,30 @@
 forceSSL = true;
 enableACME = true;
 };
-
+
+ services.oauth2_proxy =
+ let keycloakurl = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect";
+ in {
+ enable = true;
+ nginx.virtualHosts = [ "wink.hacc.space" ];
+
+ # for the keycloak side of the configuration, see the documentation at
+ # https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider#keycloak-auth-provider
+ provider = "keycloak";
+ clientID = ""; # TODO
+ loginURL = "${keycloakurl}/auth";
+ redeemURL = "${keycloakurl}/token";
+ profileURL = "${keycloakurl}/userinfo";
+ validateURL = "${keycloakurl}/userinfo";
+
+ # must contain OAUTH2_PROXY_COOKIE_SECRET and OAUTH2_PROXY_CLIENT_SECRET
+ keyFile = "/var/lib/oauth2_proxy/secrets";
+
+ extraConfig = {
+ # log format (default would also log ip addresses / users)
+ auth_logging_format = "[{{.Timestamp}}] [{{.Status}}] {{.Message}}";
+ allowed_group = "hacc";
+ };
+ };
+ }
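Review bot: Restricting access with `allowed_group = "hacc";` alone is probably not enough for oauth2-proxy to start, because it refuses to run unless an email restriction is also configured (an email domain or an authenticated-emails file), so the new `services.oauth2_proxy` block likely needs `email.domains = [ "*" ];` next to `provider = "keycloak";` unless the NixOS module already supplies a default — worth verifying before the first deploy since the commit message says this is untested. The two keys under `extraConfig` are rendered as command-line flags, and oauth2-proxy's flags are spelled `--allowed-group` and `--auth-logging-format`, so confirm that the module maps the underscored names, and note that group restriction with the keycloak provider only takes effect if Keycloak exposes a groups claim on the userinfo endpoint as the linked documentation describes. The file behind `keyFile = "/var/lib/oauth2_proxy/secrets";` is not provisioned by this commit; it needs to exist, be readable only by the service user, and hold a `OAUTH2_PROXY_COOKIE_SECRET` generated from a cryptographic random source, otherwise the unit fails at start and the cookie signing key is weak. The custom `auth_logging_format` deliberately drops the client IP and user, which also removes the ability to attribute repeated failed logins during incident response; the comment should state that trade-off, e.g. `# deliberately omits remote IP / user for privacy; failed logins cannot be attributed from this log`.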