From 8f64bcff7d73d4aaf6dbed98133b8c5679e833a0 Mon Sep 17 00:00:00 2001 From: stuebinm Date: Sat, 13 Mar 2021 14:54:12 +0100 Subject: [PATCH] wink: init oauth2-proxy configuration. Since there was a desire for some kind of authentication in front of wink, here is a barebones config using oauth2-proxy. It is as yet untested, since I didn't want to deploy things right now / fiddle with the keycloak settings. See the comments in the documentation for what must still be done to make this work. I acknowledge that I said I wouldn't do this, but no one else seems to care. --- services/wink.nix | 27 ++++++++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/services/wink.nix b/services/wink.nix index 5ef3bdb..f279632 100644 --- a/services/wink.nix +++ b/services/wink.nix @@ -48,5 +48,30 @@ forceSSL = true; enableACME = true; }; - + + services.oauth2_proxy = + let keycloakurl = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect"; + in { + enable = true; + nginx.virtualHosts = [ "wink.hacc.space" ]; + + # for the keycloak side of the configuration, see the documentation at + # https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider#keycloak-auth-provider + provider = "keycloak"; + clientID = ""; # TODO + loginURL = "${keycloakurl}/auth"; + redeemURL = "${keycloakurl}/token"; + profileURL = "${keycloakurl}/userinfo"; + validateURL = "${keycloakurl}/userinfo"; + + # must contain OAUTH2_PROXY_COOKIE_SECRET and OAUTH2_PROXY_CLIENT_SECRET + keyFile = "/var/lib/oauth2_proxy/secrets"; + + extraConfig = { + # log format (default would also log ip addresses / users) + auth_logging_format = "[{{.Timestamp}}] [{{.Status}}] {{.Message}}"; + allowed_group = "hacc"; + }; + }; + }