fix: correctly set X-User and X-Email headers on oauth2-proxy

hosts/sire/guests/ai.nix

@@ -37,13 +37,16 @@ in {
       DO_NOT_TRACK = "True";
       ANONYMIZED_TELEMETRY = "False";
 
-      WEBUI_AUTH = "False";
+      ENABLE_COMMUNITY_SHARING = "False";
-      ENABLE_SIGNUP = "False";
+      ENABLE_ADMIN_EXPORT = "False";
 
       OLLAMA_BASE_URL = "http://localhost:11434";
       TRANSFORMERS_CACHE = "/var/lib/open-webui/.cache/huggingface";
 
+      WEBUI_AUTH = "False";
+      ENABLE_SIGNUP = "False";
       WEBUI_AUTH_TRUSTED_EMAIL_HEADER = "X-Email";
+      DEFAULT_USER_ROLE = "user";
     };
   };
 
@@ -51,7 +54,7 @@ in {
   nodes.sentinel = {
     services.nginx = {
       upstreams.open-webui = {
-        servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.open-webui.port}" = {};
+        servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.open-webui.port}" = {};
         extraConfig = ''
           zone open-webui 64k;
           keepalive 2;
@@ -63,14 +66,10 @@ in {
         oauth2 = {
           enable = true;
           allowedGroups = ["access_openwebui"];
-          X-Email = "\${upstream_http_x_auth_request_email}@${config.repo.secrets.global.domains.personal}";
+          X-Email = "\${upstream_http_x_auth_request_preferred_username}@${config.repo.secrets.global.domains.personal}";
         };
-        # FIXME: refer to lan 192.168... and fd10:: via globals
         extraConfig = ''
-          client_max_body_size 512M;
+          client_max_body_size 128M;
-          allow 192.168.1.0/24;
-          allow fd10::/64;
-          deny all;
         '';
         locations."/" = {
           proxyPass = "http://open-webui";

modules/oauth2-proxy.nix

@@ -53,25 +53,39 @@ in {
           description = "The variable to set as X-User";
         };
       };
+      options.locations = mkOption {
+        type = types.attrsOf (types.submodule (locationSubmod: {
+          options.setOauth2Headers = mkOption {
+            type = types.bool;
+            default = true;
+            description = "Whether to add oauth2 specific headers to this location. Only takes effect is oauth2 is actually enabled on the parent vhost.";
+          };
+          config = mkIf (config.oauth2.enable && locationSubmod.config.setOauth2Headers) {
+            extraConfig = ''
+              proxy_set_header X-User  $user;
+              proxy_set_header X-Email $email;
+              add_header Set-Cookie $auth_cookie;
+            '';
+          };
+        }));
+      };
       config = mkIf config.oauth2.enable {
         extraConfig = ''
           auth_request /oauth2/auth;
           error_page 401 = @redirectToAuth2ProxyLogin;
 
+          # set variables that can be used in locations.<name>.extraConfig
           # pass information via X-User and X-Email headers to backend,
           # requires running with --set-xauthrequest flag
           auth_request_set $user  ${config.oauth2.X-User};
           auth_request_set $email ${config.oauth2.X-Email};
-          proxy_set_header X-User  $user;
-          proxy_set_header X-Email $email;
-
           # if you enabled --cookie-refresh, this is needed for it to work with auth_request
           auth_request_set $auth_cookie $upstream_http_set_cookie;
-          add_header Set-Cookie $auth_cookie;
         '';
 
         locations."@redirectToAuth2ProxyLogin" = {
           # FIXME: allow refering to another node for the portaldomain
+          setOauth2Headers = false;
           return = "307 https://${cfg.portalDomain}/oauth2/start?rd=$scheme://$host$request_uri";
           extraConfig = ''
             auth_request off;
@@ -79,6 +93,7 @@ in {
         };
 
         locations."= /oauth2/auth" = {
+          setOauth2Headers = false;
           proxyPass =
             "http://oauth2-proxy/oauth2/auth"
             + optionalString (config.oauth2.allowedGroups != [])