working caddy config

flake.lock

@@ -188,11 +188,11 @@
         "nixpkgs": "nixpkgs_3"
       },
       "locked": {
-        "lastModified": 1764617867,
+        "lastModified": 1764948094,
-        "narHash": "sha256-iigvIg3I5B4yNCuTshSZ13lpN6Y973n9QRxqFGLq2Yo=",
+        "narHash": "sha256-66yY6CKIS25j7cTee6026EhVKO+pYbnNgPfs0G5zTeI=",
         "ref": "refs/heads/master",
-        "rev": "ea12e57e4185cb3673e3dcb7e7dbc0ef386a3ec3",
+        "rev": "92745016fdc46be533e390743af7dc91ca322ec8",
-        "revCount": 156,
+        "revCount": 158,
         "type": "git",
         "url": "ssh://git@github.com/TheWanderingCrow/nix-secrets"
       },

hosts/nixos/HandlerOne/default.nix

@@ -83,6 +83,17 @@
     };
   };
 
+  sops = {
+    secrets = {
+      "caddy/oidc/client" = { };
+      "caddy/oidc/secret" = { };
+    };
+    templates."caddyserver-env".content = ''
+      POCKETID_CLIENT_ID=${config.sops.placeholder."caddy/oidc/client"}
+      POCKETID_CLIENT_SECRET=${config.sops.placeholder."caddy/oidc/secret"}
+    '';
+  };
+
   services.caddy = {
     email = "infrastructure@wanderingcrow.net";
     acmeCA = "https://acme-v02.api.letsencrypt.org/directory";
@@ -90,5 +101,38 @@
       plugins = [ "github.com/greenpau/caddy-security@v1.1.31" ];
       hash = "sha256-65Z20N16/jHOtVb85HLx0z4nHEuG9POEV7D5QXOGYQM=";
     };
+    environmentFile = config.sops.templates."caddyserver-env".path;
+    globalConfig = ''
+      order authenticate before respond
+      security {
+        oauth identity provider generic {
+          delay_start 3
+          realm generic
+          driver generic
+          client_id {env.POCKETID_CLIENT_ID}
+          client_secret {env.POCKETID_CLIENT_SECRET}
+          scopes openid email profile groups
+          base_auth_url https://auth.wanderingcrow.net
+          metadata_url https://auth.wanderingcrow.net/.well-known/openid-configuration
+        }
+
+        authentication portal myportal {
+          crypto default token lifetime 3600
+          enable identity provider generic
+          cookie insecure off
+
+          transform user {
+            match realm generic
+            action add role user
+          }
+        }
+
+        authorization policy mypolicy {
+          set auth url /caddy-security/oauth2/generic
+          allow roles frigate
+          inject headers with claims
+        }
+      }
+    '';
   };
 }

modules/services/frigate/default.nix

@@ -247,7 +247,17 @@ in
   services.caddy = {
     enable = true;
     virtualHosts."frigate.wanderingcrow.net".extraConfig = ''
-      reverse_proxy http://10.88.0.10:8971
+      @auth {
+        path /caddy-security/*
+      }
+
+      route @auth {
+        authenticate with myportal
+      }
+      route /* {
+        authorize with mypolicy
+        reverse_proxy http://10.88.0.10:8971
+      }
     '';
   };
 }