radarr: Setup OpenID auth

2022-10-28 14:35:43 +02:00 · 2022-10-28 14:35:43 +02:00 · 69ffff50e0
commit 69ffff50e0
parent c1a2c8238b
1 changed files with 27 additions and 4 deletions
--- a/hosts/architect/radarr.nix
+++ b/hosts/architect/radarr.nix
@ -15,10 +15,33 @@ in {
      enableACME = true;
      locations."/" = {
        proxyPass = "http://localhost:7878";
-        extraConfig = ''
-          allow 10.0.0.0/24;
-          ${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
-          deny all;
+        extraConfig = let
+          realm = "master";
+          client_id = "radarr";
+          client_secret = "DCoeN4PwqGrAoG6Mqw73orrUjojJ1fmn";
+          redirect_uri = "https://${domain}";
+        in ''
+          access_by_lua_block {
+            local opts = {
+              redirect_uri_path = "/redirect_uri",
+              accept_none_alg = true,
+              discovery = "https://auth.giugl.io/realms/${realm}/.well-known/openid-configuration",
+              client_id = "${client_id}",
+              client_secret = "${client_secret}",
+              logout_path = "/logout",
+              redirect_after_logout_uri = "https://auth.giugl.io/realms/${realm}/protocol/openid-connect/logout?redirect_uri=${redirect_uri}",
+              redirect_after_logout_with_id_token_hint = false,
+          }
+
+            -- call introspect for OAuth 2.0 Bearer Access Token validation
+            local res, err = require("resty.openidc").authenticate(opts)
+
+            if err then
+              ngx.status = 403
+              ngx.say(err)
+              ngx.exit(ngx.HTTP_FORBIDDEN)
+            end
+          }
        '';
      };
    };