pull locations out of extraconfig

2024-08-25 04:38:59 -06:00 · 2024-08-25 04:38:59 -06:00 · 289a1e953d
parent 8c4a28b66d
commit 289a1e953d
1 changed files with 29 additions and 22 deletions
--- a/sys/srv/authentik.nix
+++ b/sys/srv/authentik.nix
@ -44,28 +44,6 @@ with lib; {

                  proxy_buffers 8 16k;
                  proxy_buffer_size 32k;
-
-                  location /outpost.goauthentik.io {
-                    proxy_pass          http://auth.posixlycorrect.com/outpost.goauthentik.io;
-                    # ensure the host of this vserver matches your external URL you've configured
-                    # in authentik
-                    proxy_set_header    X-Forwarded-Host $host;
-                    proxy_set_header    X-Original-URL $scheme://$http_host$request_uri;
-                    add_header          Set-Cookie $auth_cookie;
-                    auth_request_set    $auth_cookie $upstream_http_set_cookie;
-
-                    # required for POST requests to work
-                    proxy_pass_request_body off;
-                    proxy_set_header Content-Length "";
-                  }
-
-                  location @goauthentik_proxy_signin {
-                    internal;
-                    add_header Set-Cookie $auth_cookie;
-                    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
-                    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
-                    # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
-                  }
                '';
              };
            }
@ -76,6 +54,35 @@ with lib; {

  config = {
    services = {
+      nginx.virtualHosts."auth.posixlycorrect.com" = {
+        enableACME = true;
+        forceSSL = true;
+        locations = {
+          "/outpost.goauthentik.io" = {
+            proxyPass = "http://auth.posixlycorrect.com/outpost.goauthentik.io";
+            extraConfig = ''
+              # ensure the host of this vserver matches your external URL you've configured
+              # in authentik
+              proxy_set_header    X-Forwarded-Host $host;
+              proxy_set_header    X-Original-URL $scheme://$http_host$request_uri;
+              add_header          Set-Cookie $auth_cookie;
+              auth_request_set    $auth_cookie $upstream_http_set_cookie;
+
+              # required for POST requests to work
+              proxy_pass_request_body off;
+              proxy_set_header Content-Length "";
+            '';
+          };
+          "@goauthentik_proxy_signin" = {
+            extraConfig = ''
+              internal;
+              add_header Set-Cookie $auth_cookie;
+              return 302 /outpost.goauthentik.io/start?rd=$request_uri;
+            '';
+          };
+        };
+      };
+
      authentik = {
        enable = true;
        environmentFile = "/var/trust/authentik/authentik-env";