mynixos-config/hosts/sentinel/oauth2.nix

{
  config,
  globals,
  nodes,
  ...
}:
{
  meta.oauth2-proxy = {
    enable = true;
    cookieDomain = globals.domains.me;
    portalDomain = "oauth2.${globals.domains.me}";
    # TODO portal redirect to dashboard (in case someone clicks on kanidm "Web services")
  };

  age.secrets.oauth2-cookie-secret = {
    rekeyFile = ./secrets/oauth2-cookie-secret.age;
    mode = "440";
    group = "oauth2-proxy";
  };

  # FIXME: switch to loadcredential + start wrapper.
  # TODO: define nixos option to do this for us, it's recurring. like systemd.services.a.secretEnv = {
  #   ABC = ./path.to.secret.file; # or runtime path.
  # };

  # Mirror the original oauth2 secret, but prepend OAUTH2_PROXY_CLIENT_SECRET=
  # so it can be used as an EnvironmentFile
  age.secrets.oauth2-client-secret = {
    generator.dependencies = [
      nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-web-sentinel
    ];
    generator.script =
      {
        lib,
        decrypt,
        deps,
        ...
      }:
      ''
        echo -n "OAUTH2_PROXY_CLIENT_SECRET="
        ${decrypt} ${lib.escapeShellArg (lib.head deps).file}
      '';
    mode = "440";
    group = "oauth2-proxy";
  };

  services.oauth2-proxy =
    let
      clientId = "web-sentinel";
    in
    {
      provider = "oidc";
      scope = "openid email";
      loginURL = "https://${globals.services.kanidm.domain}/ui/oauth2";
      redeemURL = "https://${globals.services.kanidm.domain}/oauth2/token";
      validateURL = "https://${globals.services.kanidm.domain}/oauth2/openid/${clientId}/userinfo";
      clientID = clientId;
      email.domains = [ "*" ];

      extraConfig = {
        oidc-issuer-url = "https://${globals.services.kanidm.domain}/oauth2/openid/${clientId}";
        provider-display-name = "Kanidm";
        #skip-provider-button = true;
      };
    };

  systemd.services.oauth2-proxy.serviceConfig.EnvironmentFile = [
    config.age.secrets.oauth2-cookie-secret.path
    config.age.secrets.oauth2-client-secret.path
  ];
}