wink: init oauth2-proxy configuration.
Since there was a desire for some kind of authentication in front of wink, here is a barebones config using oauth2-proxy. It is as yet untested, since I didn't want to deploy things right now / fiddle with the keycloak settings. See the comments in the documentation for what must still be done to make this work. I acknowledge that I said I wouldn't do this, but no one else seems to care.
This commit is contained in:
parent
3f5369da14
commit
8f64bcff7d
1 changed files with 26 additions and 1 deletions
@ -48,5 +48,30 @@
forceSSL = true;
forceSSL = true;
enableACME = true;
enableACME = true;
};
};
services.oauth2_proxy =
let keycloakurl = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect";
in {
enable = true;
nginx.virtualHosts = [ "wink.hacc.space" ];
# for the keycloak side of the configuration, see the documentation at
# https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider#keycloak-auth-provider
provider = "keycloak";
clientID = ""; # TODO
loginURL = "${keycloakurl}/auth";
redeemURL = "${keycloakurl}/token";
profileURL = "${keycloakurl}/userinfo";
validateURL = "${keycloakurl}/userinfo";
# must contain OAUTH2_PROXY_COOKIE_SECRET and OAUTH2_PROXY_CLIENT_SECRET
keyFile = "/var/lib/oauth2_proxy/secrets";
extraConfig = {
# log format (default would also log ip addresses / users)
auth_logging_format = "[{{.Timestamp}}] [{{.Status}}] {{.Message}}";
allowed_group = "hacc";
};
};
}
}
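Review bot: The `extraConfig` keys `allowed_group` and `auth_logging_format` look like they will be emitted as the flags `--allowed_group=…` and `--auth_logging_format=…`, while oauth2-proxy spells them `--allowed-group` and `--auth-logging-format`; as far as I can tell the NixOS module passes extraConfig keys through as flag names without rewriting underscores, so this is worth confirming before the first deploy, since it decides whether the group restriction is actually enforced or the service just fails to start. I would write them as `allowed-group = "hacc";` and `auth-logging-format = "[{{.Timestamp}}] [{{.Status}}] {{.Message}}";`. Even with the right spelling, the group check only works if Keycloak puts a `groups` claim into the userinfo response, which per the linked provider docs needs a Group Membership mapper on the client with "Add to userinfo" on and "Full group path" off (otherwise the value is `/hacc`, which will not match `hacc`); that belongs next to the clientID TODO, e.g. `# keycloak client also needs a Group Membership mapper (claim "groups", add to userinfo, full group path off), or allowed-group rejects everyone`. The secrets comment should also state that `/var/lib/oauth2_proxy/secrets` must be created out of band, root-owned and mode 0600, so the cookie and client secrets never end up in the world-readable Nix store.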