
fix vaultwarden sign up process without verifying email

This commit is contained in:
ibizaman 2023-02-19 20:12:03 -08:00
parent fefed81c17
commit 615bbe2bee
3 changed files with 14 additions and 11 deletions


@ -174,6 +174,7 @@ let
{ {
username = k; username = k;
enabled = true; enabled = true;
emailVerified = true;
inherit (config) email firstName lastName; inherit (config) email firstName lastName;
} // optionalAttrs (config ? "groups") { } // optionalAttrs (config ? "groups") {
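Review bot: The added `emailVerified = true;` marks every declaratively defined user's address as verified although no verification has taken place, and nothing on the line records why that is acceptable. Because these users are provisioned by the operator from the Nix configuration the trust decision is reasonable, but it should be written down next to the attribute, e.g. `emailVerified = true; # operator-provisioned user: no verify-email step is required`. It is also worth confirming that the realm clears this flag if such a user later changes their own e-mail address, rather than carrying the verified state over. The attribute set being built starts and ends outside the hunk.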


@ -9,6 +9,8 @@
, keycloakDomain ? domain , keycloakDomain ? domain
, realm , realm
, allowed_roles ? [] , allowed_roles ? []
, skip_auth_routes ? []
, api_routes ? []
, ingress , ingress
, egress , egress
@ -35,8 +37,6 @@ rec {
, HaproxyService , HaproxyService
}: }:
let let
formatted_allowed_roles = builtins.toJSON (concatStringsSep ", " allowed_roles);
config = pkgs.writeText "${serviceName}.cfg" ('' config = pkgs.writeText "${serviceName}.cfg" (''
provider = "keycloak-oidc" provider = "keycloak-oidc"
provider_display_name="Keycloak" provider_display_name="Keycloak"
@ -51,19 +51,20 @@ rec {
oidc_issuer_url = "https://${keycloakSubdomain}.${keycloakDomain}/realms/${realm}" oidc_issuer_url = "https://${keycloakSubdomain}.${keycloakDomain}/realms/${realm}"
email_domains = [ "*" ] email_domains = [ "*" ]
allowed_roles = ${formatted_allowed_roles} allowed_roles = ${builtins.toJSON allowed_roles}
# skip_auth_routes = [ "^/api" ] skip_auth_routes = ${builtins.toJSON skip_auth_routes}
api_routes = ${builtins.toJSON api_routes}
reverse_proxy = "true" reverse_proxy = "true"
# trusted_ips = "@" # trusted_ips = "@"
skip_provider_button = "true" skip_provider_button = "true"
pass_authorization_header = true # pass_authorization_header = true
pass_access_token = true # pass_access_token = true
pass_user_headers = true # pass_user_headers = true
set_authorization_header = true # set_authorization_header = true
set_xauthrequest = true # set_xauthrequest = true
'' + (if !debug then "" else '' '' + (if !debug then "" else ''
auth_logging = "true" auth_logging = "true"
request_logging = "true" request_logging = "true"
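Review bot: The new `skip_auth_routes` parameter (L29, emitted at L45) turns off oauth2-proxy authentication for every request whose path matches one of the regexes, yet neither the parameter list nor the generated config line says so, and the exemption is now caller-supplied data that a reader of this file no longer sees. Document it at the parameter: `, skip_auth_routes ? [] # path regexes served WITHOUT authentication; keep as narrow as possible` and likewise `, api_routes ? [] # path regexes answered with 401 instead of a login redirect when unauthenticated`. Commenting out `pass_user_headers`, `set_xauthrequest` and the authorization-header options also means the upstream no longer receives the authenticated identity, so any upstream that consumed those headers should be re-checked. The `config` string begins at L38 and continues past the end of the hunk.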


@ -5,8 +5,8 @@
{ serviceName ? "Vaultwarden" { serviceName ? "Vaultwarden"
, subdomain ? "vaultwarden" , subdomain ? "vaultwarden"
, ingress ? 18005 , ingress ? 18005
, signupsAllowed ? false , signupsAllowed ? true # signups allowed since we're behind SSO
, signupsVerify ? true , signupsVerify ? false
, user ? "vaultwarden" , user ? "vaultwarden"
, group ? "vaultwarden" , group ? "vaultwarden"
@ -189,6 +189,7 @@ rec {
egress = [ "http://127.0.0.1:${toString serviceIngress}" ]; egress = [ "http://127.0.0.1:${toString serviceIngress}" ];
realm = sso.realm; realm = sso.realm;
allowed_roles = [ "user" "/admin|admin" ]; allowed_roles = [ "user" "/admin|admin" ];
skip_auth_routes = [ "^/api" ];
inherit metricsPort; inherit metricsPort;
keys = { keys = {
cookieSecret = "${serviceName}_oauth2proxy_cookiesecret"; cookieSecret = "${serviceName}_oauth2proxy_cookiesecret";
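Review bot: The new comment `signupsAllowed ? true # signups allowed since we're behind SSO` (L65) is contradicted by the second hunk: `skip_auth_routes = [ "^/api" ];` (L73) exempts the whole Vaultwarden API from the oauth2-proxy gate, and with `signupsVerify ? false` (L66) account creation through that API is neither SSO-gated nor e-mail-verified. The defaults therefore rest entirely on Vaultwarden's own signup controls, which the comment does not say; change it to `, signupsAllowed ? true # /api bypasses SSO (see skip_auth_routes), so this relies on Vaultwarden's own signup restrictions (e.g. a signup domain whitelist)` and consider keeping `signupsAllowed ? false` as the default so a deployment opts in explicitly. The regex `^/api` is open at the end and matches every path beginning with `/api`; if only particular client endpoints need to bypass SSO, list those paths instead. The attribute set holding `skip_auth_routes` starts and ends outside the hunk.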