feat: add initial oauth2-proxy and freshrss oidc

2025-12-06 00:57:22 +01:00 · 2025-06-09 21:20:40 +02:00 · 2025-06-09 21:20:40 +02:00 · 7e11641fe7
commit 7e11641fe7
parent 9d10005e35
5 changed files with 1166 additions and 556 deletions
--- a/modules/nixos/server/freshrss.nix
+++ b/modules/nixos/server/freshrss.nix
@ -11,24 +11,91 @@

    users.groups.freshrss = { };

-    sops.secrets.fresh = { owner = "freshrss"; };
+    sops = {
+      secrets = {
+        fresh = { owner = "freshrss"; };
+        "kanidm-freshrss-client" = { owner = "freshrss"; group = "freshrss"; mode = "0440"; };
+        "oidc-crypto-key" = { owner = "freshrss"; group = "freshrss"; mode = "0440"; };
+      };
+
+      #   templates = {
+      #     "freshrss-env" = {
+      #       content = ''
+      #         DATA_PATH=${config.services.freshrss.dataDir}
+      #         OIDC_ENABLED=1
+      #         OIDC_PROVIDER_METADATA_URL=https://sso.swarsel.win/.well-known/openid-configuration
+      #         OIDC_CLIENT_ID=freshrss
+      #         OIDC_CLIENT_SECRET=${config.sops.placeholder.kanidm-freshrss-client}
+      #         OIDC_CLIENT_CRYPTO_KEY=${config.sops.placeholder.oidc-crypto-key}
+      #         OIDC_REMOTE_USER_CLAIM=preferred_username
+      #         OIDC_SCOPES=openid groups email profile
+      #         OIDC_X_FORWARDED_HEADERS=X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto
+      #       '';
+      #       owner = "freshrss";
+      #       group = "freshrss";
+      #       mode = "0440";
+      #     };
+      #   };
+    };

    services.freshrss = {
      enable = true;
      virtualHost = "signpost.swarsel.win";
      baseUrl = "https://signpost.swarsel.win";
-      # authType = "none";
+      authType = "none";
      dataDir = "/Vault/data/tt-rss";
      defaultUser = "Swarsel";
      passwordFile = config.sops.secrets.fresh.path;
    };

+    # systemd.services.freshrss-config.serviceConfig.EnvironmentFile = [
+    #   config.sops.templates.freshrss-env.path
+    # ];
+
    services.nginx = {
      virtualHosts = {
        "signpost.swarsel.win" = {
          enableACME = true;
          forceSSL = true;
          acmeRoot = null;
+          locations = {
+            "/" = {
+              extraConfig = ''
+                auth_request /oauth2/auth;
+                error_page 401 = /oauth2/sign_in;
+
+                # pass information via X-User and X-Email headers to backend,
+                # requires running with --set-xauthrequest flag (done by NixOS)
+                auth_request_set $user   $upstream_http_x_auth_request_preferred_username;
+                # Set the email to our own domain in case user change their mail
+                auth_request_set $email  "''${upstream_http_x_auth_request_preferred_username}@swarsel.win";
+                proxy_set_header X-User  $user;
+                proxy_set_header X-Email $email;
+
+                # if you enabled --cookie-refresh, this is needed for it to work with auth_request
+                auth_request_set $auth_cookie $upstream_http_set_cookie;
+                add_header Set-Cookie $auth_cookie;
+              '';
+            };
+            "/oauth2/" = {
+              proxyPass = "http://oauth2-proxy";
+              extraConfig = ''
+                proxy_set_header X-Scheme                $scheme;
+                proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
+              '';
+            };
+            "= /oauth2/auth" = {
+              proxyPass = "http://oauth2-proxy/oauth2/auth";
+              extraConfig = ''
+                internal;
+
+                proxy_set_header X-Scheme         $scheme;
+                # nginx auth_request includes headers but not body
+                proxy_set_header Content-Length   "";
+                proxy_pass_request_body           off;
+              '';
+            };
+          };
        };
      };
    };