working caddy config

2026-01-10 17:34:05 -05:00 · 2025-12-05 10:04:29 -05:00 · 2025-12-05 10:04:29 -05:00 · 3639db543b
commit 3639db543b
parent ae3e294a81
3 changed files with 59 additions and 5 deletions
--- a/flake.lock
+++ b/flake.lock
@ -188,11 +188,11 @@
        "nixpkgs": "nixpkgs_3"
      },
      "locked": {
-        "lastModified": 1764617867,
-        "narHash": "sha256-iigvIg3I5B4yNCuTshSZ13lpN6Y973n9QRxqFGLq2Yo=",
+        "lastModified": 1764948094,
+        "narHash": "sha256-66yY6CKIS25j7cTee6026EhVKO+pYbnNgPfs0G5zTeI=",
        "ref": "refs/heads/master",
-        "rev": "ea12e57e4185cb3673e3dcb7e7dbc0ef386a3ec3",
-        "revCount": 156,
+        "rev": "92745016fdc46be533e390743af7dc91ca322ec8",
+        "revCount": 158,
        "type": "git",
        "url": "ssh://git@github.com/TheWanderingCrow/nix-secrets"
      },
--- a/hosts/nixos/HandlerOne/default.nix
+++ b/hosts/nixos/HandlerOne/default.nix
@ -83,6 +83,17 @@
    };
  };

+  sops = {
+    secrets = {
+      "caddy/oidc/client" = { };
+      "caddy/oidc/secret" = { };
+    };
+    templates."caddyserver-env".content = ''
+      POCKETID_CLIENT_ID=${config.sops.placeholder."caddy/oidc/client"}
+      POCKETID_CLIENT_SECRET=${config.sops.placeholder."caddy/oidc/secret"}
+    '';
+  };
+
  services.caddy = {
    email = "infrastructure@wanderingcrow.net";
    acmeCA = "https://acme-v02.api.letsencrypt.org/directory";
@ -90,5 +101,38 @@
      plugins = [ "github.com/greenpau/caddy-security@v1.1.31" ];
      hash = "sha256-65Z20N16/jHOtVb85HLx0z4nHEuG9POEV7D5QXOGYQM=";
    };
+    environmentFile = config.sops.templates."caddyserver-env".path;
+    globalConfig = ''
+      order authenticate before respond
+      security {
+        oauth identity provider generic {
+          delay_start 3
+          realm generic
+          driver generic
+          client_id {env.POCKETID_CLIENT_ID}
+          client_secret {env.POCKETID_CLIENT_SECRET}
+          scopes openid email profile groups
+          base_auth_url https://auth.wanderingcrow.net
+          metadata_url https://auth.wanderingcrow.net/.well-known/openid-configuration
+        }
+
+        authentication portal myportal {
+          crypto default token lifetime 3600
+          enable identity provider generic
+          cookie insecure off
+
+          transform user {
+            match realm generic
+            action add role user
+          }
+        }
+
+        authorization policy mypolicy {
+          set auth url /caddy-security/oauth2/generic
+          allow roles frigate
+          inject headers with claims
+        }
+      }
+    '';
  };
 }
--- a/modules/services/frigate/default.nix
+++ b/modules/services/frigate/default.nix
@ -247,7 +247,17 @@ in
  services.caddy = {
    enable = true;
    virtualHosts."frigate.wanderingcrow.net".extraConfig = ''
-      reverse_proxy http://10.88.0.10:8971
+      @auth {
+        path /caddy-security/*
+      }
+
+      route @auth {
+        authenticate with myportal
+      }
+      route /* {
+        authorize with mypolicy
+        reverse_proxy http://10.88.0.10:8971
+      }
    '';
  };
 }