# NixOS module: places the "beyondspace" hostnames behind oauth2_proxy (an OIDC
# relying party against sso.hackerspace.pl) using nginx's auth_request, then
# proxies the authenticated request to a backend named after the Host header.
{ config, pkgs, lib, ... }:

let
  inherit (lib) attrNames concatStringsSep mapAttrsToList;

  # Protected hostnames and the scheme nginx uses to reach each backend.
  # The backend address is the hostname itself (see proxy_pass ...://$host).
  protectedHosts = {
    "inventory.waw.hackerspace.pl" = "https";
    "vending.waw.hackerspace.pl" = "https";
    "label.waw.hackerspace.pl" = "http";
  };

  # One `hostname scheme;` entry per protected host, for the nginx map below.
  upstreamProtoEntries =
    concatStringsSep "\n" (mapAttrsToList (host: proto: "${host} ${proto};") protectedHosts);

  # oauth2_proxy listens on loopback only; the vhost reaches it over plain http.
  oauth2ProxyAddress = "http://127.0.0.1:4180";
in
{
  services.oauth2_proxy = {
    enable = true;
    provider = "oidc";
    # Client/cookie secrets are read from a file outside the Nix store.
    keyFile = "/var/beyondspace.secrets";
    clientID = "1e0a7ba0-5a15-477a-8d96-690ebbe6e720";
    extraConfig = {
      oidc-issuer-url = "https://sso.hackerspace.pl";
      # "*" accepts every account the issuer authenticates; who may log in is
      # therefore decided by the IdP (plus the htpasswd file below), not here.
      email-domain = "*";
      htpasswd-file = "/var/beyondspace.htpasswd";
    };
  };

  services.nginx = {
    # Choose the backend scheme from the request's Host header. `hostnames`
    # enables hostname-style matching; any Host not in the list falls back
    # to http.
    commonHttpConfig = ''
      map $http_host $beyondspace_upstream_proto {
        hostnames;
        default http;
        ${upstreamProtoEntries}
      }
    '';

    virtualHosts."beyond.waw.hackerspace.pl" = {
      forceSSL = true;
      enableACME = true;
      # server_name limits which Host values (and thus which $host in the
      # proxy_pass below) can reach this vhost to the protected list.
      serverAliases = attrNames protectedHosts;

      # oauth2_proxy's own endpoints: sign_in, callback, sign_out, ...
      locations."/oauth2/" = {
        extraConfig = ''
          proxy_pass ${oauth2ProxyAddress};
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Scheme $scheme;
          proxy_set_header X-Auth-Request-Redirect $request_uri;
        '';
      };

      # Subrequest target for auth_request; only the headers are relevant.
      locations."= /oauth2/auth" = {
        extraConfig = ''
          proxy_pass ${oauth2ProxyAddress};
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Scheme $scheme;
          # nginx auth_request includes headers but not body
          proxy_set_header Content-Length "";
          proxy_pass_request_body off;
        '';
      };

      # Everything else: authenticate via the subrequest, then forward to the
      # backend selected by Host and the scheme map.
      locations."/" = {
        extraConfig = ''
          auth_request /oauth2/auth;
          error_page 401 = /oauth2/sign_in;

          # if you enabled --cookie-refresh, this is needed for it to work with auth_request
          auth_request_set $auth_cookie $upstream_http_set_cookie;
          add_header Set-Cookie $auth_cookie;

          # NOTE(review): proxy_pass with a variable hostname is resolved at
          # request time, which relies on an nginx `resolver` being configured
          # elsewhere — confirm it is.
          proxy_pass $beyondspace_upstream_proto://$host$request_uri;
        '';
      };
    };
  };
}