caddy security function

+42 -30
+42 -30
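--- a/modules/caddy.nix
+++ b/modules/caddy.nix
@@ -1,4 +1,44 @@
-{ config, pkgs-stable, ... }:
+{
+config,
+lib,
+pkgs-stable,
+...
+}:
+let
+issuer = "https://id.goo.garden";
+
+mkCaddySecurity = name: domain: ''
+oauth identity provider ${name} {
+delay_start 3
+realm ${name}
+driver generic
+client_id {$${lib.toUpper name}_OIDC_CLIENT_ID}
+client_secret {$${lib.toUpper name}_OIDC_CLIENT_SECRET}
+scopes openid email profile
+base_auth_url ${issuer}
+metadata_url ${issuer}/.well-known/openid-configuration
+}
+
+authentication portal ${name}_portal {
+crypto default token lifetime 3600
+enable identity provider ${name}
+cookie domain goo.garden
+cookie insecure off
+trust login redirect uri domain suffix goo.garden path prefix /
+transform user {
+match realm ${name}
+action add role authp/user
+}
+}
+
+authorization policy ${name}_policy {
+set auth url https://${domain}/oauth2/${name}
+allow roles authp/user
+validate bearer header
+inject headers with claims
+}
+'';
+in
 {
 services.caddy = {
 enable = true;
@@ -15,35 +55,7 @@
 order authorize before basicauth
 
 security {
-oauth identity provider tasks {
-delay_start 3
-realm tasks
-driver generic
-client_id {$TASKS_OIDC_CLIENT_ID}
-client_secret {$TASKS_OIDC_CLIENT_SECRET}
-scopes openid email profile
-base_auth_url https://id.goo.garden
-metadata_url https://id.goo.garden/.well-known/openid-configuration
-}
-
-authentication portal tasks_portal {
-crypto default token lifetime 3600
-enable identity provider tasks
-cookie domain goo.garden
-cookie insecure off
-trust login redirect uri domain suffix goo.garden path prefix /
-transform user {
-match realm tasks
-action add role authp/user
-}
-}
-
-authorization policy tasks_policy {
-set auth url https://tasks.goo.garden/oauth2/tasks
-allow roles authp/user
-validate bearer header
-inject headers with claims
-}
+${mkCaddySecurity "tasks" "tasks.goo.garden"}
 }
 '';
 logDir = "/mnt/nas/logs/caddy";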
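Review bot: The `client_id {$${lib.toUpper name}_OIDC_CLIENT_ID}` and `client_secret {$${lib.toUpper name}_OIDC_CLIENT_SECRET}` lines in `mkCaddySecurity` most likely do not interpolate: in a Nix string a `$` immediately before `${` strips the interpolation's special meaning, so the rendered Caddyfile would carry the literal text `{$${lib.toUpper name}_OIDC_CLIENT_ID}` instead of `{$TASKS_OIDC_CLIENT_ID}`, and the provider would be started without a usable client id and secret where the removed lines resolved them from the environment. To get a literal `$` followed by an interpolation in an indented string, escape the dollar with `''$`, i.e. `client_id {''$${lib.toUpper name}_OIDC_CLIENT_ID}` and `client_secret {''$${lib.toUpper name}_OIDC_CLIENT_SECRET}`; a `let envPrefix = "{$" + lib.toUpper name; in` binding used as `${envPrefix}_OIDC_CLIENT_ID}` reads more clearly if you prefer. Either way, inspect the generated Caddyfile in the store for the two `client_` lines before deploying. Separately, `domain` is now a parameter but the `cookie domain goo.garden` and `trust login redirect uri domain suffix goo.garden` lines stay hard-coded, which is fine for one zone but worth a short comment on the function, e.g. `# assumes every `domain` is under goo.garden; cookie scope and redirect trust are pinned to that suffix`.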