commit 6a81acc1af7b76c9dd5692fb2c97dd69e8646dfe
parent 1251539ef82116f9fbdb4cccfcf44142bf33ab99
Author: mtmn <miro@haravara.org>
Date: Sun, 17 May 2026 16:37:10 +0200
fix: add trusted proxy ips to oauth2-proxy
Diffstat:
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/modules/services/oauth2-proxy.nix b/modules/services/oauth2-proxy.nix
@@ -31,6 +31,7 @@ in {
config = lib.mkIf cfg.enable {
services.oauth2-proxy = {
enable = true;
+ trustedProxyIP = ["127.0.0.1" "::1"];
provider = "oidc";
clientID = "caddy-proxy";
inherit (cfg) clientSecretFile;
@@ -45,12 +46,10 @@ in {
scope = "openid email profile";
email.domains = ["*"];
extraConfig = {
- oidc-issuer-url = cfg.oidcIssuer;
insecure-oidc-skip-issuer-verification = "true";
code-challenge-method = "S256";
whitelist-domain = lib.concatStringsSep "," cfg.cookieDomains;
http-address = "127.0.0.1:4180";
- reverse-proxy = "true";
set-xauthrequest = "true";
pass-user-headers = "true";
insecure-oidc-allow-unverified-email = "true";
@@ -60,6 +59,8 @@ in {
cookie-expire = "24h";
cookie-refresh = "0h";
};
+ reverseProxy = true;
+ oidcIssuerUrl = cfg.oidcIssuer;
};
services.caddy.virtualHosts = lib.genAttrs cfg.domains (_: {