radarr: Use openid.nix template

Giulio De Pasquale 2022-10-28 14:43:55 +02:00
parent 69ffff50e0
commit c9e46ec073
2 changed files with 28 additions and 24 deletions


@ -0,0 +1,25 @@
{
openresty_oidc_block = { realm, client_id, client_secret, redirect_uri }: ''
access_by_lua_block {
local opts = {
redirect_uri_path = "/redirect_uri",
accept_none_alg = true,
discovery = "https://auth.giugl.io/realms/${realm}/.well-known/openid-configuration",
client_id = "${client_id}",
client_secret = "${client_secret}",
logout_path = "/logout",
redirect_after_logout_uri = "https://auth.giugl.io/realms/${realm}/protocol/openid-connect/logout?redirect_uri=${redirect_uri}",
redirect_after_logout_with_id_token_hint = false,
}
-- call introspect for OAuth 2.0 Bearer Access Token validation
local res, err = require("resty.openidc").authenticate(opts)
if err then
ngx.status = 403
ngx.say(err)
ngx.exit(ngx.HTTP_FORBIDDEN)
end
}
'';
}
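Review bot: `accept_none_alg = true` in the shared `opts` table tells lua-resty-openidc to accept ID tokens whose header declares `alg: none`, that is, tokens with no signature, and as a template this setting now carries over to any other service that imports it. Unless the realm really issues unsigned tokens, set `accept_none_alg = false,` so the signature is verified against the keys published via the discovery document. The error branch also sends the library's `err` string to the client through `ngx.say(err)`; logging it with `ngx.log(ngx.ERR, err)` and returning a fixed message keeps internal detail out of the response. The comment above the call mentions introspection of bearer tokens, but the code calls `authenticate`, so it should read something like `-- run the OIDC authorization code flow; reject the request on error`.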


@ -3,6 +3,7 @@
let
domain = "htrad.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix).openresty_oidc_block;
in {
services = {
radarr = {
@ -15,34 +16,12 @@ in {
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:7878";
extraConfig = let
extraConfig = auth_block {
realm = "master";
client_id = "radarr";
client_secret = "DCoeN4PwqGrAoG6Mqw73orrUjojJ1fmn";
redirect_uri = "https://${domain}";
in ''
access_by_lua_block {
local opts = {
redirect_uri_path = "/redirect_uri",
accept_none_alg = true,
discovery = "https://auth.giugl.io/realms/${realm}/.well-known/openid-configuration",
client_id = "${client_id}",
client_secret = "${client_secret}",
logout_path = "/logout",
redirect_after_logout_uri = "https://auth.giugl.io/realms/${realm}/protocol/openid-connect/logout?redirect_uri=${redirect_uri}",
redirect_after_logout_with_id_token_hint = false,
}
-- call introspect for OAuth 2.0 Bearer Access Token validation
local res, err = require("resty.openidc").authenticate(opts)
if err then
ngx.status = 403
ngx.say(err)
ngx.exit(ngx.HTTP_FORBIDDEN)
end
}
'';
};
};
};
};
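Review bot: The `client_secret` argument passed to `auth_block` is still a literal in this file, and because the template interpolates it into the `access_by_lua_block` text it presumably also ends up in the generated nginx configuration in the Nix store, which is readable by any local user on a default setup. Consider keeping the secret out of both the repository and the store, for example by having the Lua block read it at runtime from a root-owned file provisioned by a secrets tool and passing only that path through the template. Since the value is already in the commit history, it should be rotated in the identity provider once it has been moved.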