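# NixOS module: Radarr behind an nginx reverse proxy, with every request to the
# vhost gated by an OpenID Connect login (lua-resty-openidc against Keycloak).
{ lib, ... }:
let
  domain = "htrad.giugl.io";
  # Provides the host addresses used for the split-horizon /etc/hosts entries below.
  network = import ./network.nix;
in
{
  services = {
    radarr = {
      enable = true;
      group = "media";
    };

    nginx.virtualHosts.${domain} = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://localhost:7878";
        extraConfig =
          let
            realm = "master";
            client_id = "radarr";
            # SECURITY: this literal is interpolated into the generated nginx config,
            # which ends up in the world-readable Nix store. Move it to a secret file
            # that nginx reads at runtime (outside the store) and rotate the value.
            client_secret = "DCoeN4PwqGrAoG6Mqw73orrUjojJ1fmn";
            redirect_uri = "https://${domain}";
          in
          ''
            access_by_lua_block {
              local opts = {
                redirect_uri_path = "/redirect_uri",
                -- Never accept unsigned (alg=none) ID tokens: Keycloak signs its tokens,
                -- and accepting "none" would let any client forge an identity.
                accept_none_alg = false,
                discovery = "https://auth.giugl.io/realms/${realm}/.well-known/openid-configuration",
                client_id = "${client_id}",
                client_secret = "${client_secret}",
                logout_path = "/logout",
                -- NOTE(review): newer Keycloak releases expect post_logout_redirect_uri
                -- together with an id_token_hint; confirm against the deployed realm.
                redirect_after_logout_uri = "https://auth.giugl.io/realms/${realm}/protocol/openid-connect/logout?redirect_uri=${redirect_uri}",
                redirect_after_logout_with_id_token_hint = false,
              }
              -- authenticate() runs the OpenID Connect login flow for the request
              -- (redirecting to the IdP when no valid session exists).
              local res, err = require("resty.openidc").authenticate(opts)
              if err then
                -- Log the reason server-side only; echoing library error text to the
                -- client leaks configuration details.
                ngx.log(ngx.ERR, "openidc authenticate failed: ", err)
                ngx.status = 403
                ngx.exit(ngx.HTTP_FORBIDDEN)
              end
            }
          '';
      };
    };
  };

  # Resolve the vhost to this host on both the LAN and the WireGuard network.
  networking.extraHosts = ''
    ${network.architect-lan} ${domain}
    ${network.architect-wg} ${domain}
  '';

  users.groups.media.members = [ "radarr" ];
}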