update oauth2 stuff

2024-06-08 11:02:15 +02:00 · 2024-06-08 11:02:15 +02:00 · c9cf97e650
parent 4979a04245
commit c9cf97e650
2 changed files with 14 additions and 9 deletions
--- a/nixos/machines/frumar/default.nix
+++ b/nixos/machines/frumar/default.nix
@ -56,18 +56,12 @@
      "fooocus.yori.cc" = sslForward "http://192.168.2.135:7860" {}; 
      "priv.yori.cc" = let
        oauth2Block = ''
-          auth_request /oauth2/auth;
-          error_page 401 = /oauth2/sign_in;
-  
          # pass information via X-User and X-Email headers to backend,
          # requires running with --set-xauthrequest flag
-          auth_request_set $user   $upstream_http_x_auth_request_user;
-          auth_request_set $email  $upstream_http_x_auth_request_email;
          proxy_set_header X-User  $user;
          proxy_set_header X-Email $email;
  
          # if you enabled --cookie-refresh, this is needed for it to work with auth_request
-          auth_request_set $auth_cookie $upstream_http_set_cookie;
          add_header Set-Cookie $auth_cookie;
        '';
        proxyOauth2 = proxyPass: {
@ -77,14 +71,23 @@
      in {
        onlySSL = true;
        useACMEHost = "wildcard.yori.cc";
-        # TODO remove dashy
-        locations."/".proxyPass = "http://127.0.0.1:4000";
+        locations."/".root = pkgs.writeTextDir "index.html" ''
+          <!DOCTYPE HTML>
+          <ul>
+          <li><a href="/paperless/">paperless</a>
+          <li><a href="/sonarr/">sonarr</a>
+          <li><a href="/radarr/">radarr</a>
+          <li><a href="/oauth2/sign_out?rd=/">sign out</a>
+          </ul>
+        '';
        locations."/sonarr" = proxyOauth2 "http://127.0.0.1:8989";
        locations."/radarr" = proxyOauth2 "http://127.0.0.1:7878";
        locations."/marvin-tracker/" = {
          proxyPass = "http://[::1]:4001/";
+          extraConfig = "auth_request off;";
          # handles auth using arg
        };
+        locations."/oauth2/".extraConfig = "auth_request off;"; # todo upstream?
        locations."/paperless/" = proxyOauth2 "http://127.0.0.1:${toString config.services.paperless.port}/";
        locations."/media/" = {
          root = "/var/mediashare";
--- a/nixos/machines/frumar/paperless.nix
+++ b/nixos/machines/frumar/paperless.nix
@ -44,10 +44,12 @@ in {
    # todo: back up this dir
    services.paperless.enable = true;
    services.paperless.settings = {
-      # todo: PAPERLESS_ENABLE_HTTP_REMOTE_USER, PAPERLESS_LOGOUT_REDIRECT_URL
      PAPERLESS_URL = "https://priv.yori.cc";
      PAPERLESS_FORCE_SCRIPT_NAME = "/paperless";
      PAPERLESS_STATIC_URL = "/paperless/static/";
+      PAPERLESS_ENABLE_HTTP_REMOTE_USER = "true";
+      PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME = "HTTP_X_EMAIL";
+      PAPERLESS_LOGOUT_REDIRECT_URL = "/oauth2/sign_out?rd=/";
    };
    users.users.paperless.extraGroups = [ "ads1600w" ];
  };