works!
This commit is contained in:
parent
8c4a28b66d
commit
167c519a25
GPG key ID:
1FFAC35E1798174F
|
|
@ -19,37 +19,45 @@ with lib; {
|
||||||
default = false;
|
default = false;
|
||||||
type = bool;
|
type = bool;
|
||||||
};
|
};
|
||||||
|
locations = mkOption {
|
||||||
|
type = attrsOf (
|
||||||
|
submodule {
|
||||||
|
config = mkIf config.enableAuthentik {
|
||||||
|
extraConfig = ''
|
||||||
|
auth_request /outpost.goauthentik.io/auth/nginx;
|
||||||
|
error_page 401 = @goauthentik_proxy_signin;
|
||||||
|
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||||
|
add_header Set-Cookie $auth_cookie;
|
||||||
|
|
||||||
|
# translate headers from the outposts back to the actual upstream
|
||||||
|
auth_request_set $authentik_username $upstream_http_x_authentik_username;
|
||||||
|
auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
|
||||||
|
auth_request_set $authentik_email $upstream_http_x_authentik_email;
|
||||||
|
auth_request_set $authentik_name $upstream_http_x_authentik_name;
|
||||||
|
auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
|
||||||
|
|
||||||
|
proxy_set_header X-authentik-username $authentik_username;
|
||||||
|
proxy_set_header X-authentik-groups $authentik_groups;
|
||||||
|
proxy_set_header X-authentik-email $authentik_email;
|
||||||
|
proxy_set_header X-authentik-name $authentik_name;
|
||||||
|
proxy_set_header X-authentik-uid $authentik_uid;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
}
|
||||||
|
);
|
||||||
|
};
|
||||||
};
|
};
|
||||||
config = mkIf config.enableAuthentik {
|
config = mkIf config.enableAuthentik {
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
auth_request /outpost.goauthentik.io/auth/nginx;
|
|
||||||
error_page 401 = @goauthentik_proxy_signin;
|
|
||||||
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
|
||||||
add_header Set-Cookie $auth_cookie;
|
|
||||||
|
|
||||||
# translate headers from the outposts back to the actual upstream
|
|
||||||
auth_request_set $authentik_username $upstream_http_x_authentik_username;
|
|
||||||
auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
|
|
||||||
auth_request_set $authentik_email $upstream_http_x_authentik_email;
|
|
||||||
auth_request_set $authentik_name $upstream_http_x_authentik_name;
|
|
||||||
auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
|
|
||||||
|
|
||||||
proxy_set_header X-authentik-username $authentik_username;
|
|
||||||
proxy_set_header X-authentik-groups $authentik_groups;
|
|
||||||
proxy_set_header X-authentik-email $authentik_email;
|
|
||||||
proxy_set_header X-authentik-name $authentik_name;
|
|
||||||
proxy_set_header X-authentik-uid $authentik_uid;
|
|
||||||
|
|
||||||
proxy_redirect http:// $scheme://;
|
|
||||||
|
|
||||||
proxy_buffers 8 16k;
|
proxy_buffers 8 16k;
|
||||||
proxy_buffer_size 32k;
|
proxy_buffer_size 32k;
|
||||||
|
|
||||||
location /outpost.goauthentik.io {
|
location /outpost.goauthentik.io {
|
||||||
proxy_pass http://auth.posixlycorrect.com/outpost.goauthentik.io;
|
proxy_pass http://localhost:9000/outpost.goauthentik.io;
|
||||||
# ensure the host of this vserver matches your external URL you've configured
|
# ensure the host of this vserver matches your external URL you've configured
|
||||||
# in authentik
|
# in authentik
|
||||||
proxy_set_header X-Forwarded-Host $host;
|
proxy_set_header Host $host;
|
||||||
|
proxy_redirect http://localhost:9000 https://auth.posixlycorrect.com;
|
||||||
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
|
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
|
||||||
add_header Set-Cookie $auth_cookie;
|
add_header Set-Cookie $auth_cookie;
|
||||||
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||||
|
|
@ -62,7 +70,7 @@ with lib; {
|
||||||
location @goauthentik_proxy_signin {
|
location @goauthentik_proxy_signin {
|
||||||
internal;
|
internal;
|
||||||
add_header Set-Cookie $auth_cookie;
|
add_header Set-Cookie $auth_cookie;
|
||||||
return 302 /outpost.goauthentik.io/start?rd=$request_uri;
|
return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
|
||||||
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path
|
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path
|
||||||
# return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
|
# return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Reference in a new issue