{ lib, ... }: { proxyDomain = cert: proxyPass: { forceSSL = true; useACMEHost = cert; locations."/" = { inherit proxyPass; proxyWebsockets = true; extraConfig = '' proxy_pass_header Authorization; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $host; proxy_set_header Upgrade $http_upgrade; ''; }; }; proxyDomainLocation = cert: proxyPass: location: { forceSSL = true; useACMEHost = cert; locations."${location}" = { inherit proxyPass; proxyWebsockets = true; extraConfig = '' proxy_pass_header Authorization; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $host; proxy_set_header Upgrade $http_upgrade; ''; }; }; proxyDomainAuth = cert: proxyPass: { forceSSL = true; useACMEHost = cert; locations."/" = { inherit proxyPass; proxyWebsockets = true; extraConfig = '' auth_request /outpost.goauthentik.io/auth/nginx; error_page 401 = @goauthentik_proxy_signin; auth_request_set $auth_cookie $upstream_http_set_cookie; add_header Set-Cookie $auth_cookie; # translate headers from the outposts back to the actual upstream auth_request_set $authentik_username $upstream_http_x_authentik_username; auth_request_set $authentik_groups $upstream_http_x_authentik_groups; auth_request_set $authentik_email $upstream_http_x_authentik_email; auth_request_set $authentik_name $upstream_http_x_authentik_name; auth_request_set $authentik_uid $upstream_http_x_authentik_uid; proxy_set_header X-authentik-username $authentik_username; proxy_set_header X-authentik-groups $authentik_groups; proxy_set_header X-authentik-email $authentik_email; proxy_set_header X-authentik-name $authentik_name; proxy_set_header X-authentik-uid $authentik_uid; ''; }; locations."/outpost.goauthentik.io" = { proxyPass = "https://10.10.0.1:9444/outpost.goauthentik.io"; proxyWebsockets = true; extraConfig = '' proxy_ssl_server_name on; proxy_set_header Host $host; proxy_set_header X-Original-URL $scheme://$http_host$request_uri; add_header Set-Cookie $auth_cookie; auth_request_set $auth_cookie $upstream_http_set_cookie; proxy_pass_request_body off; proxy_set_header Content-Length ""; ''; }; locations."@goauthentik_proxy_signin" = { extraConfig = '' internal; add_header Set-Cookie $auth_cookie; return 302 /outpost.goauthentik.io/start?rd=$request_uri; ''; }; }; proxyDomainGlobalAuth = cert: proxyPass: { forceSSL = true; useACMEHost = cert; locations."/" = { inherit proxyPass; proxyWebsockets = true; extraConfig = '' auth_request /outpost.goauthentik.io/auth/nginx; error_page 401 = @goauthentik_proxy_signin; auth_request_set $auth_cookie $upstream_http_set_cookie; add_header Set-Cookie $auth_cookie; # translate headers from the outposts back to the actual upstream auth_request_set $authentik_username $upstream_http_x_authentik_username; auth_request_set $authentik_groups $upstream_http_x_authentik_groups; auth_request_set $authentik_email $upstream_http_x_authentik_email; auth_request_set $authentik_name $upstream_http_x_authentik_name; auth_request_set $authentik_uid $upstream_http_x_authentik_uid; proxy_set_header X-authentik-username $authentik_username; proxy_set_header X-authentik-groups $authentik_groups; proxy_set_header X-authentik-email $authentik_email; proxy_set_header X-authentik-name $authentik_name; proxy_set_header X-authentik-uid $authentik_uid; ''; }; locations."/outpost.goauthentik.io" = { proxyPass = "https://auth.vapor.systems/outpost.goauthentik.io"; proxyWebsockets = true; extraConfig = '' proxy_set_header Host $host; proxy_set_header X-Original-URL $scheme://$http_host$request_uri; add_header Set-Cookie $auth_cookie; auth_request_set $auth_cookie $upstream_http_set_cookie; proxy_pass_request_body off; proxy_set_header Content-Length ""; ''; }; locations."@goauthentik_proxy_signin" = { extraConfig = '' internal; add_header Set-Cookie $auth_cookie; # For domain level, use the below error_page to redirect to your authentik server with the full redirect path return 302 https://auth.vapor.systems/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri; ''; }; }; domainAuth = cert: { forceSSL = true; useACMEHost = cert; locations."/" = { proxyWebsockets = true; extraConfig = '' auth_request /outpost.goauthentik.io/auth/nginx; error_page 401 = @goauthentik_proxy_signin; auth_request_set $auth_cookie $upstream_http_set_cookie; add_header Set-Cookie $auth_cookie; # translate headers from the outposts back to the actual upstream auth_request_set $authentik_username $upstream_http_x_authentik_username; auth_request_set $authentik_groups $upstream_http_x_authentik_groups; auth_request_set $authentik_email $upstream_http_x_authentik_email; auth_request_set $authentik_name $upstream_http_x_authentik_name; auth_request_set $authentik_uid $upstream_http_x_authentik_uid; proxy_set_header X-authentik-username $authentik_username; proxy_set_header X-authentik-groups $authentik_groups; proxy_set_header X-authentik-email $authentik_email; proxy_set_header X-authentik-name $authentik_name; proxy_set_header X-authentik-uid $authentik_uid; ''; }; locations."/outpost.goauthentik.io" = { proxyPass = "https://10.10.0.1:9444/outpost.goauthentik.io"; proxyWebsockets = true; extraConfig = '' proxy_ssl_server_name on; proxy_set_header Host $host; proxy_set_header X-Original-URL $scheme://$http_host$request_uri; add_header Set-Cookie $auth_cookie; auth_request_set $auth_cookie $upstream_http_set_cookie; proxy_pass_request_body off; proxy_set_header Content-Length ""; ''; }; locations."@goauthentik_proxy_signin" = { extraConfig = '' internal; add_header Set-Cookie $auth_cookie; return 302 /outpost.goauthentik.io/start?rd=$request_uri; ''; }; }; }