hosts/plover: update Vouch proxy settings and secrets permissions

This commit is contained in:
Gabriel Arazas 2023-10-14 11:26:33 +08:00
parent ac134281f8
commit 0b253e0553
No known key found for this signature in database
GPG Key ID: ADE0C41DAB221FCC


@ -6,9 +6,15 @@ let
authDomain = config.services.kanidm.serverSettings.domain; authDomain = config.services.kanidm.serverSettings.domain;
in in
{ {
sops.secrets = lib.getSecrets ../../secrets/secrets.yaml { sops.secrets = let
"vouch-proxy/jwt/secret" = { }; vouchPermissions = rec {
"vouch-proxy/client/secret" = { }; owner = "vouch-proxy";
group = owner;
mode = "0400";
};
in lib.getSecrets ../../secrets/secrets.yaml {
"vouch-proxy/jwt/secret" = vouchPermissions;
"vouch-proxy/client/secret" = vouchPermissions;
}; };
services.vouch-proxy = { services.vouch-proxy = {
@ -30,7 +36,7 @@ in
auth_url = "${authDomain}/ui/oauth2"; auth_url = "${authDomain}/ui/oauth2";
token_url = "${authDomain}/oauth2/token"; token_url = "${authDomain}/oauth2/token";
user_info_url = "${authDomain}/oauth2/openid/${client_id}/userinfo"; user_info_url = "${authDomain}/oauth2/openid/${client_id}/userinfo";
scopes = [ "login" "email" ]; scopes = [ "openid" "email" "profile" ];
callback_url = "https://${vouchDomain}/auth"; callback_url = "https://${vouchDomain}/auth";
}; };
}; };
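Review bot: The new `vouchPermissions` set in the first hunk (owner `vouch-proxy`, `group = owner`, mode `0400`) presumes a static system user and group named `vouch-proxy` exist when sops-nix installs the secrets at activation; if the vouch-proxy unit instead runs with a dynamic user, the chown fails and the service will not get its keys, so it is worth confirming that the module (or this host) declares that account. Since the intent is not visible from the attribute set alone, a short comment would help the next reader: `# Both secrets are readable only by the vouch-proxy service account; sops-nix needs this user/group to exist at activation.`. The scope change in the second hunk to `[ "openid" "email" "profile" ]` is correct for OIDC, but Kanidm only releases scopes that a scope map grants to this client, so the Kanidm side presumably needs a matching scope map update that is not part of this commit.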