# Helpers that build NixOS nginx virtual-host attribute sets for services
# published through a reverse proxy. Both helpers are curried functions taking
#   cert      - name of the ACME host whose certificate is reused (useACMEHost)
#   proxyPass - URL of the upstream that "/" is proxied to
#
# `lib` is accepted as an argument but nothing in this file references it.
{ lib }:
let
  # TLS settings shared by both helpers.
  # NOTE(review): `addSSL` enables HTTPS *in addition to* plain HTTP, so every
  # host built here also answers unencrypted requests without redirecting them.
  # For the authenticated variant this can expose session cookies and proxied
  # content on the wire; consider `forceSSL = true` unless plain HTTP is
  # required by a caller.
  tlsFor = cert: {
    addSSL = true;
    useACMEHost = cert;
  };
in
{
  # Plain reverse proxy: nginx applies no access control of its own here, so
  # the upstream is responsible for authenticating every request.
  proxyDomain = cert: proxyPass: tlsFor cert // {
    locations = {
      "/" = {
        proxyPass = proxyPass;
        proxyWebsockets = true;
        # NOTE(review): `proxy_pass_header` controls which *response* headers
        # from the upstream are passed to the client. A client's Authorization
        # request header is already forwarded to the upstream by default, so
        # confirm this directive does what was intended.
        extraConfig = ''
          proxy_pass_header Authorization;
        '';
      };
    };
  };

  # Reverse proxy gated by an authentik outpost via nginx `auth_request`.
  proxyDomainAuth = cert: proxyPass: tlsFor cert // {
    locations = {
      # Every request first triggers a subrequest to the outpost; a 401 from it
      # is turned into the sign-in redirect defined further down.
      #
      # The five X-authentik-* request headers below are overwritten with the
      # values returned by the outpost, so client-supplied copies of those five
      # do not reach the upstream. Any other header a client sends (including
      # other X-authentik-* names) is forwarded unchanged: the upstream should
      # trust only these five, and should be reachable only through this proxy.
      "/" = {
        proxyPass = proxyPass;
        proxyWebsockets = true;
        extraConfig = ''
          auth_request /outpost.goauthentik.io/auth/nginx;
          error_page 401 = @goauthentik_proxy_signin;
          auth_request_set $auth_cookie $upstream_http_set_cookie;
          add_header Set-Cookie $auth_cookie;
          # translate headers from the outposts back to the actual upstream
          auth_request_set $authentik_username $upstream_http_x_authentik_username;
          auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
          auth_request_set $authentik_email $upstream_http_x_authentik_email;
          auth_request_set $authentik_name $upstream_http_x_authentik_name;
          auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
          proxy_set_header X-authentik-username $authentik_username;
          proxy_set_header X-authentik-groups $authentik_groups;
          proxy_set_header X-authentik-email $authentik_email;
          proxy_set_header X-authentik-name $authentik_name;
          proxy_set_header X-authentik-uid $authentik_uid;
        '';
      };

      # Outpost endpoints, proxied to a fixed authentik instance. The request
      # body is dropped because the outpost only needs headers to decide.
      # NOTE(review): `proxy_ssl_server_name on` only sends SNI; nginx does not
      # verify the upstream certificate unless `proxy_ssl_verify on` (with
      # `proxy_ssl_trusted_certificate`) is configured. The allow/deny decision
      # for every protected host rides on this connection.
      "/outpost.goauthentik.io" = {
        proxyPass = "https://auth.vapor.systems/outpost.goauthentik.io";
        proxyWebsockets = true;
        extraConfig = ''
          proxy_ssl_server_name on;
          proxy_set_header Host $host;
          proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
          add_header Set-Cookie $auth_cookie;
          auth_request_set $auth_cookie $upstream_http_set_cookie;
          proxy_pass_request_body off;
          proxy_set_header Content-Length "";
        '';
      };

      # Named location reached only through the `error_page 401` above
      # (`internal` rejects direct client requests). It redirects the browser
      # to the outpost's start endpoint, passing the original URI as `rd`.
      # NOTE(review): `$request_uri` is inserted as-is; handling and validation
      # of the `rd` value is left to the outpost - confirm.
      "@goauthentik_proxy_signin" = {
        extraConfig = ''
          internal;
          add_header Set-Cookie $auth_cookie;
          return 302 /outpost.goauthentik.io/start?rd=$request_uri;
        '';
      };
    };
  };
}