From 0b253e05539561d04c6fd7c96eb76917a26b6562 Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Sat, 14 Oct 2023 11:26:33 +0800
Subject: [PATCH] hosts/plover: update Vouch proxy settings and secrets permissions
---
 hosts/plover/modules/services/vouch-proxy.nix | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/hosts/plover/modules/services/vouch-proxy.nix b/hosts/plover/modules/services/vouch-proxy.nix
index 6e85f017..abaf73d5 100644
--- a/hosts/plover/modules/services/vouch-proxy.nix
+++ b/hosts/plover/modules/services/vouch-proxy.nix
@@ -6,9 +6,15 @@ let
 authDomain = config.services.kanidm.serverSettings.domain;
 in
 {
- sops.secrets = lib.getSecrets ../../secrets/secrets.yaml {
- "vouch-proxy/jwt/secret" = { };
- "vouch-proxy/client/secret" = { };
+ sops.secrets = let
+ vouchPermissions = rec {
+ owner = "vouch-proxy";
+ group = owner;
+ mode = "0400";
+ };
+ in lib.getSecrets ../../secrets/secrets.yaml {
+ "vouch-proxy/jwt/secret" = vouchPermissions;
+ "vouch-proxy/client/secret" = vouchPermissions;
 };
 services.vouch-proxy = {
@@ -30,7 +36,7 @@ in
 auth_url = "${authDomain}/ui/oauth2";
 token_url = "${authDomain}/oauth2/token";
 user_info_url = "${authDomain}/oauth2/openid/${client_id}/userinfo";
- scopes = [ "login" "email" ];
+ scopes = [ "openid" "email" "profile" ];
 callback_url = "https://${vouchDomain}/auth";
 };
 };
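Review bot: The new `vouchPermissions` set (owner `vouch-proxy`, mode `0400`) silently ties both secrets to a static system user, and nothing in the hunk shows that the vouch-proxy service actually runs as that user; if the unit uses a dynamic user or a different `User=`, the 0400 files become unreadable and the daemon fails at startup with no hint in this file. Since the secrets block now carries a non-obvious coupling, a why-comment above `vouchPermissions` would help the next reader: `# Vouch reads these at startup as its own user; 0400 keeps the JWT signing key and OIDC client secret readable only by that user.`. The `rec` set with `group = owner` is fine, though the `let ... in` inside `sops.secrets` would read more plainly hoisted into the file's top-level `let` next to `authDomain`, which starts outside this hunk.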
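Review bot: The new `scopes = [ "openid" "email" "profile" ];` adds `profile`, which releases more claims (name, preferred username, and similar) than an email-based allow list needs; if Vouch only matches on `email`, dropping `profile` keeps the token to the minimum and is the least-privilege choice, so it is worth confirming what the Vouch domain/whitelist config on this host actually consumes. Presumably the Kanidm side also has to grant these scopes to this client (a scope map), otherwise the token request on the unchanged `token_url` line is rejected; a short comment would make that coupling visible: `# "openid" is required for the userinfo call above; keep this list in sync with the Kanidm client's scope map.`. The enclosing `services.vouch-proxy` attribute set begins and ends outside this hunk.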