fix vaultwarden sign up process without verifying email
This commit is contained in:
parent
fefed81c17
commit
615bbe2bee
3 changed files with 14 additions and 11 deletions
|
@ -174,6 +174,7 @@ let
|
|||
{
|
||||
username = k;
|
||||
enabled = true;
|
||||
emailVerified = true;
|
||||
|
||||
inherit (config) email firstName lastName;
|
||||
} // optionalAttrs (config ? "groups") {
|
||||
|
|
|
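Review bot: The added `emailVerified = true;` marks every declared user's address as verified without any check, which means the `email_verified` claim issued to OIDC clients is trusted purely because the address was typed into this config; that is fine for a config-managed user set, but nothing in the hunk says so. A comment on that line would stop a later maintainer from assuming a verification flow exists, e.g. `emailVerified = true; # addresses come from config, not user input; skips the Keycloak verification mail so OIDC clients (vaultwarden sign-up) can rely on the email claim`. The enclosing attribute-set expression and its `let` start outside the hunk, so I cannot see whether `config.email` is validated anywhere before it lands here.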
@ -9,6 +9,8 @@
|
|||
, keycloakDomain ? domain
|
||||
, realm
|
||||
, allowed_roles ? []
|
||||
, skip_auth_routes ? []
|
||||
, api_routes ? []
|
||||
|
||||
, ingress
|
||||
, egress
|
||||
|
@ -35,8 +37,6 @@ rec {
|
|||
, HaproxyService
|
||||
}:
|
||||
let
|
||||
formatted_allowed_roles = builtins.toJSON (concatStringsSep ", " allowed_roles);
|
||||
|
||||
config = pkgs.writeText "${serviceName}.cfg" (''
|
||||
provider = "keycloak-oidc"
|
||||
provider_display_name="Keycloak"
|
||||
|
@ -51,19 +51,20 @@ rec {
|
|||
oidc_issuer_url = "https://${keycloakSubdomain}.${keycloakDomain}/realms/${realm}"
|
||||
|
||||
email_domains = [ "*" ]
|
||||
allowed_roles = ${formatted_allowed_roles}
|
||||
# skip_auth_routes = [ "^/api" ]
|
||||
allowed_roles = ${builtins.toJSON allowed_roles}
|
||||
skip_auth_routes = ${builtins.toJSON skip_auth_routes}
|
||||
api_routes = ${builtins.toJSON api_routes}
|
||||
|
||||
reverse_proxy = "true"
|
||||
# trusted_ips = "@"
|
||||
|
||||
skip_provider_button = "true"
|
||||
|
||||
pass_authorization_header = true
|
||||
pass_access_token = true
|
||||
pass_user_headers = true
|
||||
set_authorization_header = true
|
||||
set_xauthrequest = true
|
||||
# pass_authorization_header = true
|
||||
# pass_access_token = true
|
||||
# pass_user_headers = true
|
||||
# set_authorization_header = true
|
||||
# set_xauthrequest = true
|
||||
'' + (if !debug then "" else ''
|
||||
auth_logging = "true"
|
||||
request_logging = "true"
|
||||
|
|
|
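Review bot: The third hunk turns on `pass_user_headers`, `set_xauthrequest` and `pass_access_token` at the same time as `skip_auth_routes` becomes configurable, and the interaction deserves a comment: for routes matched by `skip_auth_routes` the request reaches the upstream without a session, so whether client-supplied `X-Forwarded-User`/`X-Forwarded-Email` headers are stripped or forwarded as-is depends on the oauth2-proxy version in use — presumably the upstream here does not act on those headers, but that should be confirmed rather than assumed. `pass_access_token = true` also ships the bearer token to the upstream on every proxied request, which widens where the token is exposed; if the upstream never consumes it, leaving that line off is the smaller surface. I would add `# NOTE: skip_auth_routes bypasses the proxy entirely; upstream must not trust X-Forwarded-* on those paths` next to `skip_auth_routes = ${builtins.toJSON skip_auth_routes}`. The `config = pkgs.writeText` string this hunk edits continues past the hunk.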
@ -5,8 +5,8 @@
|
|||
{ serviceName ? "Vaultwarden"
|
||||
, subdomain ? "vaultwarden"
|
||||
, ingress ? 18005
|
||||
, signupsAllowed ? false
|
||||
, signupsVerify ? true
|
||||
, signupsAllowed ? true # signups allowed since we're behind SSO
|
||||
, signupsVerify ? false
|
||||
|
||||
, user ? "vaultwarden"
|
||||
, group ? "vaultwarden"
|
||||
|
@ -189,6 +189,7 @@ rec {
|
|||
egress = [ "http://127.0.0.1:${toString serviceIngress}" ];
|
||||
realm = sso.realm;
|
||||
allowed_roles = [ "user" "/admin|admin" ];
|
||||
skip_auth_routes = [ "^/api" ];
|
||||
inherit metricsPort;
|
||||
keys = {
|
||||
cookieSecret = "${serviceName}_oauth2proxy_cookiesecret";
|
||||
|
|
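Review bot: The new default `signupsAllowed ? true` is justified in its comment by being behind SSO, but the second hunk of this file sets `skip_auth_routes = [ "^/api" ];`, and vaultwarden's registration endpoint is itself served under `/api` (as far as I recall, `/api/accounts/register`), so with `signupsVerify ? false` open registration appears reachable from anyone who can reach the ingress, without passing through oauth2-proxy at all. The two defaults together therefore do not deliver the "behind SSO" property the comment claims; it would be safer to keep `signupsAllowed ? false` and invite users, or to constrain registration to the SSO email domain via vaultwarden's `SIGNUPS_DOMAINS_WHITELIST` setting if this module can pass it through. At minimum the comment should say `# signups allowed behind SSO, but /api is skip_auth'd below — restrict via SIGNUPS_DOMAINS_WHITELIST` so the trade-off is visible next to the default. The `rec {` attribute set containing the second hunk extends beyond what is shown.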