diff --git a/keycloak-cli-config/configcreator.nix b/keycloak-cli-config/configcreator.nix
index 27395d2..54b9ad4 100644
--- a/keycloak-cli-config/configcreator.nix
+++ b/keycloak-cli-config/configcreator.nix
@@ -174,6 +174,7 @@ let
 {
 username = k;
 enabled = true;
+ emailVerified = true;
 inherit (config) email firstName lastName;
 } // optionalAttrs (config ? "groups") {
diff --git a/oauth2-proxy/unit.nix b/oauth2-proxy/unit.nix
index 7547ade..a55773d 100644
--- a/oauth2-proxy/unit.nix
+++ b/oauth2-proxy/unit.nix
@@ -9,6 +9,8 @@
 , keycloakDomain ? domain
 , realm
 , allowed_roles ? []
+, skip_auth_routes ? []
+, api_routes ? []
 
 , ingress
 , egress
@@ -35,8 +37,6 @@ rec {
 , HaproxyService
 }:
 let
-  formatted_allowed_roles = builtins.toJSON (concatStringsSep ", " allowed_roles);
-
 config = pkgs.writeText "${serviceName}.cfg" (''
 provider = "keycloak-oidc"
 provider_display_name="Keycloak"
@@ -51,19 +51,20 @@ rec {
 oidc_issuer_url = "https://${keycloakSubdomain}.${keycloakDomain}/realms/${realm}"
 email_domains = [ "*" ]
 
-    allowed_roles = ${formatted_allowed_roles}
-    # skip_auth_routes = [ "^/api" ]
+    allowed_roles = ${builtins.toJSON allowed_roles}
+    skip_auth_routes = ${builtins.toJSON skip_auth_routes}
+    api_routes = ${builtins.toJSON api_routes}
 
 reverse_proxy = "true"
 # trusted_ips = "@"
 skip_provider_button = "true"
 
-    pass_authorization_header = true
-    pass_access_token = true
-    pass_user_headers = true
-    set_authorization_header = true
-    set_xauthrequest = true
+    # pass_authorization_header = true
+    # pass_access_token = true
+    # pass_user_headers = true
+    # set_authorization_header = true
+    # set_xauthrequest = true
 '' + (if !debug then "" else ''
 auth_logging = "true"
 request_logging = "true"
diff --git a/vaultwarden/default.nix b/vaultwarden/default.nix
index e4feb3b..5c1dacb 100644
--- a/vaultwarden/default.nix
+++ b/vaultwarden/default.nix
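Review bot: `emailVerified = true;` is now hard-coded for every user this attribute set produces, so Keycloak's verify-email action is skipped no matter what the per-user `config` declares and the declared address is trusted on the strength of the declaration alone. That is defensible when the Nix config is the source of truth, but it should be a per-user choice with a documented default, e.g. `emailVerified = config.emailVerified or true;` plus a comment such as `# declared users are trusted; set emailVerified = false to force Keycloak's verify-email flow`. The `let` binding and the function producing this set start outside the hunk.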
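Review bot: `skip_auth_routes` is rendered into the generated config with nothing indicating that matching paths bypass oauth2-proxy authentication entirely, whereas `api_routes` only turns the unauthenticated response from a login redirect into a 401; a route listed in both is therefore fully open at the proxy and must be authenticated by the upstream. A TOML comment above the three new lines would make that difference explicit, e.g. `# skip_auth_routes: no proxy auth for matching paths (upstream must authenticate them); api_routes: 401 instead of login redirect`. The same note belongs on the `skip_auth_routes ? []` and `api_routes ? []` defaults in this file's earlier hunk. The commented-out `pass_*`/`set_*` lines now read as dead configuration; either delete them or add a comment saying why identity headers and tokens are no longer forwarded to the upstream.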
@@ -5,8 +5,8 @@
 { serviceName ? "Vaultwarden"
 , subdomain ? "vaultwarden"
 , ingress ? 18005
-, signupsAllowed ? false
-, signupsVerify ? true
+, signupsAllowed ? true # signups allowed since we're behind SSO
+, signupsVerify ? false
 , user ? "vaultwarden"
 , group ? "vaultwarden"
@@ -189,6 +189,7 @@ rec {
 egress = [ "http://127.0.0.1:${toString serviceIngress}" ];
 realm = sso.realm;
 allowed_roles = [ "user" "/admin|admin" ];
+ skip_auth_routes = [ "^/api" ];
 inherit metricsPort;
 keys = {
 cookieSecret = "${serviceName}_oauth2proxy_cookiesecret";
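Review bot: The rationale `# signups allowed since we're behind SSO` no longer holds once this commit's later hunk adds `skip_auth_routes = [ "^/api" ]`, because Vaultwarden's account-registration endpoint lives under `/api` (verify against the Vaultwarden routes) and so no longer passes through oauth2-proxy; only the web-vault pages stay SSO-gated. Flipping `signupsVerify` to `false` in the same step also removes Vaultwarden's own email check for those registrations. Keep `signupsAllowed ? false` / `signupsVerify ? true` unless signups are restricted some other way, and in any case reword the comment, e.g. `# signups allowed: the web vault is behind SSO, but /api (including registration) bypasses the proxy`. The parameter list continues outside the hunk.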
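Review bot: The pattern `"^/api"` is anchored only at the start, so every path beginning with `/api` is exempted from proxy authentication, not just the Bitwarden client API; `"^/api/"` is the tighter match if that is the intent. A one-line comment stating why the exemption is safe belongs next to it, e.g. `# /api requests carry Vaultwarden's own bearer tokens; the proxy only gates the web vault`. The enclosing attribute set continues outside the hunk.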