feat: open-webui behind oauth2

2025-10-10 14:50:40 +02:00 · 2024-06-09 20:46:58 +02:00 · 2024-06-09 20:46:58 +02:00 · 55fe825a74
commit 55fe825a74
parent 673ea778a0
3 changed files with 21 additions and 5 deletions
--- a/hosts/sire/guests/ai.nix
+++ b/hosts/sire/guests/ai.nix
@ -44,11 +44,13 @@ in {

      OLLAMA_BASE_URL = "http://localhgost:11434";
      TRANSFORMERS_CACHE = "/var/lib/open-webui/.cache/huggingface";
+
+      WEBUI_AUTH_TRUSTED_EMAIL_HEADER = "X-Email";
    };
  };

  globals.services.open-webui.domain = openWebuiDomain;
-  nodes.ward-web-proxy = {
+  nodes.sentinel = {
    services.nginx = {
      upstreams.open-webui = {
        servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.open-webui.port}" = {};
@ -60,8 +62,11 @@ in {
      virtualHosts.${openWebuiDomain} = {
        forceSSL = true;
        useACMEWildcardHost = true;
-        oauth2.enable = true;
-        oauth2.allowedGroups = ["access_openwebui"];
+        oauth2 = {
+          enable = true;
+          allowedGroups = ["access_openwebui"];
+          X-Email = "\${upstream_http_x_auth_request_email}@local";
+        };
        # FIXME: refer to lan 192.168... and fd10:: via globals
        extraConfig = ''
          client_max_body_size 512M;
--- a/modules/oauth2-proxy.nix
+++ b/modules/oauth2-proxy.nix
@ -42,6 +42,16 @@ in {
            empty list to allow any authenticated client.
          '';
        };
+        X-User = mkOption {
+          type = types.str;
+          default = "$upstream_http_x_auth_request_preferred_username";
+          description = "The variable to set as X-User";
+        };
+        X-Email = mkOption {
+          type = types.str;
+          default = "$upstream_http_x_auth_request_email";
+          description = "The variable to set as X-User";
+        };
      };
      config = mkIf config.oauth2.enable {
        extraConfig = ''
@ -50,8 +60,8 @@ in {

          # pass information via X-User and X-Email headers to backend,
          # requires running with --set-xauthrequest flag
-          auth_request_set $user   $upstream_http_x_auth_request_user;
-          auth_request_set $email  $upstream_http_x_auth_request_email;
+          auth_request_set $user   ${config.oauth2.X-User};
+          auth_request_set $email  ${config.oauth2.X-Email};
          proxy_set_header X-User  $user;
          proxy_set_header X-Email $email;

@ -61,6 +71,7 @@ in {
        '';

        locations."@redirectToAuth2ProxyLogin" = {
+          # FIXME: allow refering to another node for the portaldomain
          return = "307 https://${cfg.portalDomain}/oauth2/start?rd=$scheme://$host$request_uri";
          extraConfig = ''
            auth_request off;
--- a/secrets/global.nix.age
+++ b/secrets/global.nix.age