
fix vaultwarden sign up process without verifying email

ibizaman 2023-02-19 20:12:03 -08:00
parent fefed81c17
commit 615bbe2bee
3 changed files with 14 additions and 11 deletions


@ -174,6 +174,7 @@ let
{
username = k;
enabled = true;
emailVerified = true;
inherit (config) email firstName lastName;
} // optionalAttrs (config ? "groups") {
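Review bot: `emailVerified = true;` is hard-coded for every user generated from this attribute set, so Keycloak will assert a verified email for addresses that nobody has confirmed, and any relying service that trusts that claim inherits the assumption. Since the same commit also turns off Vaultwarden's own verification, the operator-supplied `email` becomes the only check; I would say so at the assignment, e.g. `# email is asserted by the operator, never confirmed by Keycloak; relying apps trust this claim`. If some users should still go through verification, a per-user override such as `emailVerified = config.emailVerified or true;` would keep today's default. The enclosing `let` binding starts and ends outside the hunk.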


@ -9,6 +9,8 @@
, keycloakDomain ? domain
, realm
, allowed_roles ? []
, skip_auth_routes ? []
, api_routes ? []
, ingress
, egress
@ -35,8 +37,6 @@ rec {
, HaproxyService
}:
let
formatted_allowed_roles = builtins.toJSON (concatStringsSep ", " allowed_roles);
config = pkgs.writeText "${serviceName}.cfg" (''
provider = "keycloak-oidc"
provider_display_name="Keycloak"
@ -51,19 +51,20 @@ rec {
oidc_issuer_url = "https://${keycloakSubdomain}.${keycloakDomain}/realms/${realm}"
email_domains = [ "*" ]
allowed_roles = ${formatted_allowed_roles}
# skip_auth_routes = [ "^/api" ]
allowed_roles = ${builtins.toJSON allowed_roles}
skip_auth_routes = ${builtins.toJSON skip_auth_routes}
api_routes = ${builtins.toJSON api_routes}
reverse_proxy = "true"
# trusted_ips = "@"
skip_provider_button = "true"
pass_authorization_header = true
pass_access_token = true
pass_user_headers = true
set_authorization_header = true
set_xauthrequest = true
# pass_authorization_header = true
# pass_access_token = true
# pass_user_headers = true
# set_authorization_header = true
# set_xauthrequest = true
'' + (if !debug then "" else ''
auth_logging = "true"
request_logging = "true"
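Review bot: The new `skip_auth_routes` and `api_routes` parameters are written into the oauth2-proxy config without any comment, although every regex in `skip_auth_routes` removes authentication for the paths it matches. A comment at the parameter would help callers, e.g. `# regexes; matching requests reach the upstream WITHOUT authentication, keep each one anchored and as narrow as possible`. Separately, the five `pass_*`/`set_*` settings are left behind as commented-out lines rather than deleted or exposed as parameters; commenting them out returns each to oauth2-proxy's default, so it is worth confirming that no upstream still relies on the forwarded identity headers or access token. The surrounding function starts and ends outside these hunks.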


@ -5,8 +5,8 @@
{ serviceName ? "Vaultwarden"
, subdomain ? "vaultwarden"
, ingress ? 18005
, signupsAllowed ? false
, signupsVerify ? true
, signupsAllowed ? true # signups allowed since we're behind SSO
, signupsVerify ? false
, user ? "vaultwarden"
, group ? "vaultwarden"
@ -189,6 +189,7 @@ rec {
egress = [ "http://127.0.0.1:${toString serviceIngress}" ];
realm = sso.realm;
allowed_roles = [ "user" "/admin|admin" ];
skip_auth_routes = [ "^/api" ];
inherit metricsPort;
keys = {
cookieSecret = "${serviceName}_oauth2proxy_cookiesecret";
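Review bot: The new default `signupsAllowed ? true` is justified by the comment "signups allowed since we're behind SSO", but the second hunk adds `skip_auth_routes = [ "^/api" ];`, which exempts every path under `/api` from the proxy's authentication. If Vaultwarden serves account registration under that prefix (not visible here, worth checking), registration is reachable without an SSO session while `signupsVerify` is also false, so neither gate applies. I would either keep the `signupsAllowed ? false` and `signupsVerify ? true` defaults and let a deployment opt in, or narrow the skip list to the specific routes the clients need unauthenticated; oauth2-proxy also accepts a `METHOD=regex` form for these entries. Both hunks sit inside definitions that start and end outside the visible lines.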