From 289a1e953d8c8592e03bb3dfb653457590521be3 Mon Sep 17 00:00:00 2001
From: Fabian Montero
Date: Sun, 25 Aug 2024 04:38:59 -0600
Subject: [PATCH] pull locations out of extraconfig
---
 sys/srv/authentik.nix | 51 ++++++++++++++++++++++++-------------------
 1 file changed, 29 insertions(+), 22 deletions(-)
diff --git a/sys/srv/authentik.nix b/sys/srv/authentik.nix
index bc7e1e6..43f0bc7 100644
--- a/sys/srv/authentik.nix
+++ b/sys/srv/authentik.nix
@@ -44,28 +44,6 @@ with lib; {
 proxy_buffers 8 16k;
 proxy_buffer_size 32k;
-
- location /outpost.goauthentik.io {
- proxy_pass http://auth.posixlycorrect.com/outpost.goauthentik.io;
- # ensure the host of this vserver matches your external URL you've configured
- # in authentik
- proxy_set_header X-Forwarded-Host $host;
- proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
- add_header Set-Cookie $auth_cookie;
- auth_request_set $auth_cookie $upstream_http_set_cookie;
-
- # required for POST requests to work
- proxy_pass_request_body off;
- proxy_set_header Content-Length "";
- }
-
- location @goauthentik_proxy_signin {
- internal;
- add_header Set-Cookie $auth_cookie;
- return 302 /outpost.goauthentik.io/start?rd=$request_uri;
- # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
- # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
- }
 '';
 };
 }
@@ -76,6 +54,35 @@ with lib; {
 config = {
 services = {
+ nginx.virtualHosts."auth.posixlycorrect.com" = {
+ enableACME = true;
+ forceSSL = true;
+ locations = {
+ "/outpost.goauthentik.io" = {
+ proxyPass = "http://auth.posixlycorrect.com/outpost.goauthentik.io";
+ extraConfig = ''
+ # ensure the host of this vserver matches your external URL you've configured
+ # in authentik
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+ add_header Set-Cookie $auth_cookie;
+ auth_request_set $auth_cookie $upstream_http_set_cookie;
+
+ # required for POST requests to work
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+ '';
+ };
+ "@goauthentik_proxy_signin" = {
+ extraConfig = ''
+ internal;
+ add_header Set-Cookie $auth_cookie;
+ return 302 /outpost.goauthentik.io/start?rd=$request_uri;
+ '';
+ };
+ };
+ };
+
 authentik = {
 enable = true;
 environmentFile = "/var/trust/authentik/authentik-env";
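Review bot: `proxyPass = "http://auth.posixlycorrect.com/outpost.goauthentik.io";` sends the outpost request over plain HTTP to the same public name as the virtual host it is declared in, which sets `forceSSL = true`. If that name resolves back to this nginx, the request presumably lands on the port-80 redirect server and gets a 301 instead of the outpost's answer; if it resolves elsewhere, the forwarded session cookies travel unencrypted. Pointing the location at the outpost's local listener avoids both, e.g. `proxyPass = "http://127.0.0.1:<outpost-port>/outpost.goauthentik.io";` (the port is a placeholder). Separately, nginx locations, including named ones, are scoped to one server block, so any other virtual host whose remaining extraConfig (not visible in this hunk) still references `@goauthentik_proxy_signin` or an `auth_request` under `/outpost.goauthentik.io` would lose its target; running `nginx -t` against the built config would confirm. The `services` attribute set continues outside the hunk.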