Basic oauth proxy for frigate

2024-01-30 22:12:18 -07:00 · 2024-01-30 22:12:18 -07:00 · 932b05a42e
commit 932b05a42e
parent b5cc4d4609
3 changed files with 51 additions and 1 deletions
--- a/machines/storage/s0/home-automation.nix
+++ b/machines/storage/s0/home-automation.nix
@ -1,14 +1,20 @@
 { config, lib, pkgs, ... }:

+let
+  frigateHostname = "frigate.s0";
+  frigatePort = 61617;
+in
 {
  networking.firewall.allowedTCPPorts = [
    # 1883 # mqtt
    55834 # mqtt zigbee frontend
+    frigatePort
+    4180 # oauth proxy
  ];

  services.frigate = {
    enable = true;
-    hostname = "frigate.s0";
+    hostname = frigateHostname;
    settings = {
      mqtt = {
        enabled = true;
@ -73,6 +79,11 @@
  # Coral PCIe driver
  kernel.enableGasketKernelModule = true;

+  # Allow accessing frigate UI on a specific port in addition to by hostname
+  services.nginx.virtualHosts.${frigateHostname} = {
+    listen = [{ addr = "0.0.0.0"; port = frigatePort; } { addr = "0.0.0.0"; port = 80; }];
+  };
+
  services.esphome = {
    enable = true;
    address = "0.0.0.0";
@ -133,4 +144,42 @@
      default_config = { };
    };
  };
+
+  services.oauth2_proxy =
+    let
+      nextcloudServer = "https://neet.cloud/";
+    in
+    {
+      enable = true;
+
+      httpAddress = "http://0.0.0.0:4180";
+
+      nginx.virtualHosts = [
+        frigateHostname
+      ];
+
+      email.domains = [ "*" ];
+
+      cookie.secure = false;
+
+      provider = "nextcloud";
+
+      # redirectURL = "http://s0:4180/oauth2/callback"; # todo forward with nginx?
+      clientID = "4FfhEB2DNzUh6wWhXTjqQQKu3Ibm6TeYpS8TqcHe55PJC1DorE7vBZBELMKDjJ0X";
+      keyFile = "/run/agenix/oauth2-proxy-env";
+
+      loginURL = "${nextcloudServer}/index.php/apps/oauth2/authorize";
+      redeemURL = "${nextcloudServer}/index.php/apps/oauth2/api/v1/token";
+      validateURL = "${nextcloudServer}/ocs/v2.php/cloud/user?format=json";
+
+      # todo --cookie-refresh
+
+      extraConfig = {
+        # cookie-csrf-per-request = true;
+        # cookie-csrf-expire = "5m";
+        # user-id-claim = "preferred_username";
+      };
+    };
+
+  age.secrets.oauth2-proxy-env.file = ../../../secrets/oauth2-proxy-env.age;
 }
--- a/secrets/oauth2-proxy-env.age
+++ b/secrets/oauth2-proxy-env.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -32,6 +32,7 @@ with roles;
  # cloud
  "nextcloud-pw.age".publicKeys = nextcloud;
  "smb-secrets.age".publicKeys = personal ++ media-center;
+  "oauth2-proxy-env.age".publicKeys = server;

  # services
  "searx.age".publicKeys = nobody;