working caddy config

2026-01-10 17:34:05 -05:00 · 2025-12-05 10:04:29 -05:00 · 2025-12-05 10:04:29 -05:00 · 3639db543b
commit 3639db543b
parent ae3e294a81
3 changed files with 59 additions and 5 deletions
--- a/hosts/nixos/HandlerOne/default.nix
+++ b/hosts/nixos/HandlerOne/default.nix
@ -83,6 +83,17 @@
    };
  };

+  sops = {
+    secrets = {
+      "caddy/oidc/client" = { };
+      "caddy/oidc/secret" = { };
+    };
+    templates."caddyserver-env".content = ''
+      POCKETID_CLIENT_ID=${config.sops.placeholder."caddy/oidc/client"}
+      POCKETID_CLIENT_SECRET=${config.sops.placeholder."caddy/oidc/secret"}
+    '';
+  };
+
  services.caddy = {
    email = "infrastructure@wanderingcrow.net";
    acmeCA = "https://acme-v02.api.letsencrypt.org/directory";
@ -90,5 +101,38 @@
      plugins = [ "github.com/greenpau/caddy-security@v1.1.31" ];
      hash = "sha256-65Z20N16/jHOtVb85HLx0z4nHEuG9POEV7D5QXOGYQM=";
    };
+    environmentFile = config.sops.templates."caddyserver-env".path;
+    globalConfig = ''
+      order authenticate before respond
+      security {
+        oauth identity provider generic {
+          delay_start 3
+          realm generic
+          driver generic
+          client_id {env.POCKETID_CLIENT_ID}
+          client_secret {env.POCKETID_CLIENT_SECRET}
+          scopes openid email profile groups
+          base_auth_url https://auth.wanderingcrow.net
+          metadata_url https://auth.wanderingcrow.net/.well-known/openid-configuration
+        }
+
+        authentication portal myportal {
+          crypto default token lifetime 3600
+          enable identity provider generic
+          cookie insecure off
+
+          transform user {
+            match realm generic
+            action add role user
+          }
+        }
+
+        authorization policy mypolicy {
+          set auth url /caddy-security/oauth2/generic
+          allow roles frigate
+          inject headers with claims
+        }
+      }
+    '';
  };
 }