diff --git a/hosts/sire/guests/ai.nix b/hosts/sire/guests/ai.nix
index 8ff2a38..f60302d 100644
--- a/hosts/sire/guests/ai.nix
+++ b/hosts/sire/guests/ai.nix
@@ -37,13 +37,16 @@ in {
       DO_NOT_TRACK = "True";
       ANONYMIZED_TELEMETRY = "False";
-      WEBUI_AUTH = "False";
-      ENABLE_SIGNUP = "False";
+      ENABLE_COMMUNITY_SHARING = "False";
+      ENABLE_ADMIN_EXPORT = "False";
       OLLAMA_BASE_URL = "http://localhost:11434";
       TRANSFORMERS_CACHE = "/var/lib/open-webui/.cache/huggingface";
+      WEBUI_AUTH = "False";
+      ENABLE_SIGNUP = "False";
       WEBUI_AUTH_TRUSTED_EMAIL_HEADER = "X-Email";
+      DEFAULT_USER_ROLE = "user";
     };
   };
@@ -51,7 +54,7 @@ in {
   nodes.sentinel = {
     services.nginx = {
       upstreams.open-webui = {
-        servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.open-webui.port}" = {};
+        servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.open-webui.port}" = {};
         extraConfig = ''
           zone open-webui 64k;
           keepalive 2;
@@ -63,14 +66,10 @@ in {
       oauth2 = {
         enable = true;
         allowedGroups = ["access_openwebui"];
-        X-Email = "\${upstream_http_x_auth_request_email}@${config.repo.secrets.global.domains.personal}";
+        X-Email = "\${upstream_http_x_auth_request_preferred_username}@${config.repo.secrets.global.domains.personal}";
       };
-      # FIXME: refer to lan 192.168... and fd10:: via globals
       extraConfig = ''
-        client_max_body_size 512M;
-        allow 192.168.1.0/24;
-        allow fd10::/64;
-        deny all;
+        client_max_body_size 128M;
       '';
       locations."/" = {
         proxyPass = "http://open-webui";
diff --git a/modules/oauth2-proxy.nix b/modules/oauth2-proxy.nix
index 28c1641..e5b8206 100644
--- a/modules/oauth2-proxy.nix
+++ b/modules/oauth2-proxy.nix
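Review bot: In the first hunk, `DEFAULT_USER_ROLE = "user";` is added and `WEBUI_AUTH_TRUSTED_EMAIL_HEADER = "X-Email";` is kept while `WEBUI_AUTH = "False";` stays in place; if I recall the Open WebUI settings correctly, the trusted-email header and the default role are only consulted when WEBUI_AUTH is enabled, so with auth off these two settings may be inert and the instance would accept anyone who reaches it through nginx. Please confirm against the Open WebUI version deployed here, and state the intended mode next to the block, e.g. `# Identity is asserted by oauth2-proxy via the trusted X-Email header; WEBUI_AUTH must be enabled for the header and DEFAULT_USER_ROLE to apply`. The environment attribute set this hunk edits starts before the hunk.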
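Review bot: In the third hunk, X-Email is now built from `$upstream_http_x_auth_request_preferred_username` with the personal domain appended, and because the backend is configured to trust that header as the user's identity (WEBUI_AUTH_TRUSTED_EMAIL_HEADER in the first hunk), every account now depends on `preferred_username` being unique and not user-editable in the IdP; in many IdPs that claim is self-service changeable, so either confirm it is locked down or keep deriving the header from the email claim. The same hunk drops `allow 192.168.1.0/24; allow fd10::/64; deny all;`, so the vhost is no longer restricted to the LAN and `auth_request` with `allowedGroups = ["access_openwebui"]` becomes the only gate — fine if intended, but the commit should say so explicitly. I would add `# identity header trusted by open-webui; preferred_username must be immutable and unique in the IdP` above the new X-Email line. The vhost definition continues outside the hunk.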
@@ -53,25 +53,39 @@ in {
           description = "The variable to set as X-User";
         };
       };
+      options.locations = mkOption {
+        type = types.attrsOf (types.submodule (locationSubmod: {
+          options.setOauth2Headers = mkOption {
+            type = types.bool;
+            default = true;
+            description = "Whether to add oauth2 specific headers to this location. Only takes effect is oauth2 is actually enabled on the parent vhost.";
+          };
+          config = mkIf (config.oauth2.enable && locationSubmod.config.setOauth2Headers) {
+            extraConfig = ''
+              proxy_set_header X-User $user;
+              proxy_set_header X-Email $email;
+              add_header Set-Cookie $auth_cookie;
+            '';
+          };
+        }));
+      };
       config = mkIf config.oauth2.enable {
         extraConfig = ''
           auth_request /oauth2/auth;
           error_page 401 = @redirectToAuth2ProxyLogin;
+          # set variables that can be used in locations..extraConfig
           # pass information via X-User and X-Email headers to backend,
           # requires running with --set-xauthrequest flag
-          auth_request_set $user ${config.oauth2.X-User};
-          auth_request_set $email ${config.oauth2.X-Email};
-          proxy_set_header X-User $user;
-          proxy_set_header X-Email $email;
-
+          auth_request_set $user ${config.oauth2.X-User};
+          auth_request_set $email ${config.oauth2.X-Email};
           # if you enabled --cookie-refresh, this is needed for it to work with auth_request
           auth_request_set $auth_cookie $upstream_http_set_cookie;
-          add_header Set-Cookie $auth_cookie;
         '';
         locations."@redirectToAuth2ProxyLogin" = {
           # FIXME: allow refering to another node for the portaldomain
+          setOauth2Headers = false;
           return = "307 https://${cfg.portalDomain}/oauth2/start?rd=$scheme://$host$request_uri";
           extraConfig = ''
             auth_request off;
@@ -79,6 +93,7 @@ in {
         };
         locations."= /oauth2/auth" = {
+          setOauth2Headers = false;
           proxyPass = "http://oauth2-proxy/oauth2/auth" + optionalString (config.oauth2.allowedGroups != [])
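Review bot: The new `setOauth2Headers` description reads `Only takes effect is oauth2 is actually enabled` (`is` should be `if`), and the added server-level comment `# set variables that can be used in locations..extraConfig` appears to have lost a segment (presumably `locations.<name>.extraConfig`); both are worth fixing while this hunk is open. Moving `proxy_set_header X-User/X-Email` and `add_header Set-Cookie` from the server block into each location is the right fix for nginx's inheritance rule (a location that defines any proxy_set_header or add_header of its own stops inheriting the server-level ones), but because the default is `true`, any location another module adds to an oauth2-enabled vhost now forwards the authenticated user's identity to whatever upstream that location proxies to. I would extend the description with a sentence to that effect, e.g. `The headers are sent to the location's upstream; set this to false for locations that proxy to a backend which must not learn the user's identity.` Note also that a location with `setOauth2Headers = false` neither sets nor strips client-supplied X-User/X-Email, which is fine for the two auth-internal locations here but should be kept in mind for other opt-outs.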
@@ -87,10 +102,10 @@ in { auth_request off; internal; - proxy_set_header X-Scheme $scheme; + proxy_set_header X-Scheme $scheme; # nginx auth_request includes headers but not body - proxy_set_header Content-Length ""; - proxy_pass_request_body off; + proxy_set_header Content-Length ""; + proxy_pass_request_body off; ''; }; };