https://key.lesgrandsvoisins.com/admin/master/console/
https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview/
users.users.oauth2-proxy = {
  # NOTE(review): presumably needed so the service user can read the ACME
  # certificate files referenced under services.oauth2-proxy.tls — confirm
  # against the group security.acme assigns to that certificate.
  extraGroups = [ "nginx" ];
};
services = {
# nginx is enabled but, with oauth2-proxy serving TLS itself below, it is not
# the front door for this host — confirm whether it is still needed.
nginx = {
  enable = true;
};
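oauth2-proxy = {
  enable = true;

  # Common configuration
  provider = "keycloak-oidc"; # or "github", "gitlab", "azure", etc.
  email.domains = ["*"]; # "*" = no domain restriction: every account the issuer authenticates is let through

  # Client credentials (register your app with the OAuth provider)
  # NOTE(review): the client id reads "searfile" while the key file is named
  # seafile_* — confirm which spelling is registered in Keycloak before touching it.
  clientID = "searfile";
  # All sensitive values go in this file only. Anything written as a Nix string
  # ends up in the world-readable /nix/store, so the client secret and the cookie
  # secret must never appear inline in this module. The NixOS module hands the
  # file to the unit as an environment file; it holds, one per line:
  #   OAUTH2_PROXY_CLIENT_SECRET=<client secret from Keycloak>
  #   OAUTH2_PROXY_COOKIE_SECRET=<generate with: openssl rand -base64 32 | head -c 32 | base64>
  # Keep it root-owned with mode 0600.
  keyFile = "/etc/.secrets/.seafile_oauthproxy_keyfile";
  # cookie.secret is intentionally not set here: the value previously inlined in
  # this file has been exposed with the file and must be treated as compromised —
  # generate a fresh one into the key file above and do not reuse it.

  # Additional settings
  # upstream = "http://localhost:1234"; # your backend service
  # 0.0.0.0 binds every interface. With reverseProxy = false oauth2-proxy is the
  # public endpoint itself (TLS below), so also check whether port 4180 needs to be
  # reachable from outside the host or can be firewalled.
  httpAddress = "0.0.0.0:4180"; # where oauth2-proxy listens
  reverseProxy = false;
  upstream = "file:///var/www/default"; # static files served directly once authenticated
  tls = {
    enable = true;
    certificate = "/var/lib/acme/roses.lgv.info/fullchain.pem";
    key = "/var/lib/acme/roses.lgv.info/key.pem";
    httpsAddress = ":443";
  };
  redirectURL = "https://roses.lgv.info/oauth2/callback";
  # Issuer base URL only; discovery appends /.well-known/openid-configuration itself.
  oidcIssuerUrl = "https://key.lesgrandsvoisins.com/realms/master";
  # oidcIssuerUrl = "https://key.lesgrandsvoisins.com/realms/master/.well-known/openid-configuration";
  extraConfig = {
    code-challenge-method = "S256"; # PKCE on the authorization-code exchange
    # Only this host is an acceptable post-login redirect target.
    whitelist-domain = "roses.lgv.info";
    # Lets accounts through even when Keycloak has not verified their e-mail.
    # Together with email.domains = ["*"] this admits anyone who can log in to
    # the realm; remove it once the realm enforces e-mail verification, or
    # narrow email.domains.
    insecure-oidc-allow-unverified-email = "true";
    # cookie-domains = "roses.lgv.info";
  };
};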