wink: init oauth2-proxy configuration.

Since there was a desire for some kind of authentication in front of wink,
here is a barebones config using oauth2-proxy. It is as yet untested, since
I didn't want to deploy things right now / fiddle with the keycloak settings.

See the comments in the documentation for what must still be done to make
this work.

I acknowledge that I said I wouldn't do this, but no one else seems to care.
This commit is contained in:
stuebinm 2021-03-13 14:54:12 +01:00
parent 3f5369da14
commit 8f64bcff7d
No known key found for this signature in database
GPG key ID: 8FBE8AAD32FA12B7

View file

@ -49,4 +49,29 @@
enableACME = true;
};
services.oauth2_proxy =
let keycloakurl = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect";
in {
enable = true;
nginx.virtualHosts = [ "wink.hacc.space" ];
# for the keycloak side of the configuration, see the documentation at
# https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider#keycloak-auth-provider
provider = "keycloak";
clientID = ""; # TODO
loginURL = "${keycloakurl}/auth";
redeemURL = "${keycloakurl}/token";
profileURL = "${keycloakurl}/userinfo";
validateURL = "${keycloakurl}/userinfo";
# must contain OAUTH2_PROXY_COOKIE_SECRET and OAUTH2_PROXY_CLIENT_SECRET
keyFile = "/var/lib/oauth2_proxy/secrets";
extraConfig = {
# log format (default would also log ip addresses / users)
auth_logging_format = "[{{.Timestamp}}] [{{.Status}}] {{.Message}}";
allowed_group = "hacc";
};
};
}