From c9cf97e6502a518f97cb2aaf63df23324dc6667c Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Sat, 8 Jun 2024 11:02:15 +0200 Subject: [PATCH] update oauth2 stuff --- nixos/machines/frumar/default.nix | 19 +++++++++++-------- nixos/machines/frumar/paperless.nix | 4 +++- 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/nixos/machines/frumar/default.nix b/nixos/machines/frumar/default.nix index 0d39244..ac1e43f 100644 --- a/nixos/machines/frumar/default.nix +++ b/nixos/machines/frumar/default.nix @@ -56,18 +56,12 @@ "fooocus.yori.cc" = sslForward "http://192.168.2.135:7860" {}; "priv.yori.cc" = let oauth2Block = '' - auth_request /oauth2/auth; - error_page 401 = /oauth2/sign_in; - # pass information via X-User and X-Email headers to backend, # requires running with --set-xauthrequest flag - auth_request_set $user $upstream_http_x_auth_request_user; - auth_request_set $email $upstream_http_x_auth_request_email; proxy_set_header X-User $user; proxy_set_header X-Email $email; # if you enabled --cookie-refresh, this is needed for it to work with auth_request - auth_request_set $auth_cookie $upstream_http_set_cookie; add_header Set-Cookie $auth_cookie; ''; proxyOauth2 = proxyPass: { @@ -77,14 +71,23 @@ in { onlySSL = true; useACMEHost = "wildcard.yori.cc"; - # TODO remove dashy - locations."/".proxyPass = "http://127.0.0.1:4000"; + locations."/".root = pkgs.writeTextDir "index.html" '' + + + ''; locations."/sonarr" = proxyOauth2 "http://127.0.0.1:8989"; locations."/radarr" = proxyOauth2 "http://127.0.0.1:7878"; locations."/marvin-tracker/" = { proxyPass = "http://[::1]:4001/"; + extraConfig = "auth_request off;"; # handles auth using arg }; + locations."/oauth2/".extraConfig = "auth_request off;"; # todo upstream? locations."/paperless/" = proxyOauth2 "http://127.0.0.1:${toString config.services.paperless.port}/"; locations."/media/" = { root = "/var/mediashare"; 
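Review bot: The oauth2Block in the first hunk still references `$user`, `$email` and `$auth_cookie`, but the `auth_request_set` lines that defined them are removed and nothing in this diff shows where they are set now. nginx rejects a configuration that uses an undefined variable, so the block depends on a server-level `auth_request` setup that is presumably provided elsewhere. The two remaining comments about `--set-xauthrequest` and `--cookie-refresh` now describe directives that no longer live in this block. I would add a line such as `# $user, $email and $auth_cookie are set by the server-level auth_request config; this block only forwards them` so the dependency is visible here. The `let` binding continues past the end of the hunk.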
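Review bot: In the second hunk `/marvin-tracker/` sets `auth_request off;` and proxies without oauth2Block, so any `X-User` or `X-Email` header supplied by the client is forwarded to that backend unchanged. If the tracker reads those headers, they should be cleared on this location, e.g. `extraConfig = ''auth_request off; proxy_set_header X-User ""; proxy_set_header X-Email "";'';`. The comment says authentication is handled through an argument; if that is a query-string argument, the credential is written to the access log for this vhost, which is worth stating next to the line. Since authentication now appears to be opt-out per location, a comment naming the intentionally unauthenticated locations would make it clear that `/` and `/media/` are meant to inherit the server-level setting, which is not visible in this diff.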
diff --git a/nixos/machines/frumar/paperless.nix b/nixos/machines/frumar/paperless.nix
index 2a19f4a..4d38baa 100644
--- a/nixos/machines/frumar/paperless.nix
+++ b/nixos/machines/frumar/paperless.nix
@@ -44,10 +44,12 @@ in {
 # todo: back up this dir
 services.paperless.enable = true;
 services.paperless.settings = {
- # todo: PAPERLESS_ENABLE_HTTP_REMOTE_USER, PAPERLESS_LOGOUT_REDIRECT_URL
 PAPERLESS_URL = "https://priv.yori.cc";
 PAPERLESS_FORCE_SCRIPT_NAME = "/paperless";
 PAPERLESS_STATIC_URL = "/paperless/static/";
+ PAPERLESS_ENABLE_HTTP_REMOTE_USER = "true";
+ PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME = "HTTP_X_EMAIL";
+ PAPERLESS_LOGOUT_REDIRECT_URL = "/oauth2/sign_out?rd=/";
 };
 users.users.paperless.extraGroups = [ "ads1600w" ];
 };
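Review bot: `PAPERLESS_ENABLE_HTTP_REMOTE_USER` makes paperless accept whatever identity arrives in `X-Email`, so after this hunk the login guarantee rests on nginx being the only path to the paperless port and on `proxy_set_header X-Email $email` being applied to every request under `/paperless/`. Neither the service's listen address nor the server-level `auth_request` is visible in this diff, so both should be confirmed, because anything that can connect to the port directly can present its own `X-Email`. I would record the assumption next to the setting, e.g. `# trusts X-Email from nginx: keep the service bound to loopback and route /paperless/ only through oauth2Block`. The enclosing attribute set starts outside the hunk.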