From 932b05a42ef3a3e86b44a0890c76312604cd47aa Mon Sep 17 00:00:00 2001
From: Zuckerberg
Date: Tue, 30 Jan 2024 22:12:18 -0700
Subject: [PATCH] Basic oauth proxy for frigate

---
 machines/storage/s0/home-automation.nix | 51 +++++++++++++++++++++++-
 secrets/oauth2-proxy-env.age            | Bin 722 -> 797 bytes
 secrets/secrets.nix                     |  1 +
 3 files changed, 51 insertions(+), 1 deletion(-)

diff --git a/machines/storage/s0/home-automation.nix b/machines/storage/s0/home-automation.nix
index e2dd499..d5f8431 100644
--- a/machines/storage/s0/home-automation.nix
+++ b/machines/storage/s0/home-automation.nix
@@ -1,14 +1,20 @@
 { config, lib, pkgs, ... }:
+let
+  frigateHostname = "frigate.s0";
+  frigatePort = 61617;
+in
 {
   networking.firewall.allowedTCPPorts = [
     # 1883 # mqtt
     55834 # mqtt zigbee frontend
+    frigatePort
+    4180 # oauth proxy
   ];
 
   services.frigate = {
     enable = true;
-    hostname = "frigate.s0";
+    hostname = frigateHostname;
     settings = {
       mqtt = {
         enabled = true;
@@ -73,6 +79,11 @@
   # Coral PCIe driver
   kernel.enableGasketKernelModule = true;
 
+  # Allow accessing frigate UI on a specific port in addition to by hostname
+  services.nginx.virtualHosts.${frigateHostname} = {
+    listen = [{ addr = "0.0.0.0"; port = frigatePort; } { addr = "0.0.0.0"; port = 80; }];
+  };
+
   services.esphome = {
     enable = true;
     address = "0.0.0.0";
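Review bot: Adding `4180 # oauth proxy` to `allowedTCPPorts` (together with `httpAddress = "http://0.0.0.0:4180"` in the third hunk) exposes oauth2-proxy's own HTTP listener to every host that can reach this machine, while the `nginx.virtualHosts = [ frigateHostname ]` integration already routes `/oauth2/` and the auth sub-request through nginx, so nothing outside the box should need to reach 4180 directly. Unless the commented-out `redirectURL = "http://s0:4180/oauth2/callback"` is meant to be revived, I would drop `4180` from this list and bind the proxy to loopback with `httpAddress = "http://127.0.0.1:4180";`, so the only entry points are the nginx ports. The new `frigatePort` entry would also read better with its reason beside it, matching the neighbouring entries: `frigatePort # frigate UI, see services.nginx listen below`.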
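Review bot: The new `listen` list replaces the nginx module's default listen addresses for this vhost rather than extending them, so with only `0.0.0.0` entries the Frigate UI becomes IPv4-only on both ports — the default set normally includes `[::]`, so this is probably unintended (inferred from the nginx module; confirm on the host with `ss -ltnp`). If IPv6 clients matter, add `{ addr = "[::]"; port = frigatePort; }` and `{ addr = "[::]"; port = 80; }` alongside the existing entries. Both listeners are plain HTTP, which is what forces `cookie.secure = false` in the oauth2-proxy hunk further down, and the comment above the block should say so, e.g. `# Both listeners are plain HTTP; the oauth2-proxy auth_request is attached to this vhost, so (as far as I can tell) both ports require login`.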
@@ -133,4 +144,42 @@ default_config = {
       };
     };
   };
+
+  services.oauth2_proxy =
+    let
+      nextcloudServer = "https://neet.cloud/";
+    in
+    {
+      enable = true;
+
+      httpAddress = "http://0.0.0.0:4180";
+
+      nginx.virtualHosts = [
+        frigateHostname
+      ];
+
+      email.domains = [ "*" ];
+
+      cookie.secure = false;
+
+      provider = "nextcloud";
+
+      # redirectURL = "http://s0:4180/oauth2/callback"; # todo forward with nginx?
+      clientID = "4FfhEB2DNzUh6wWhXTjqQQKu3Ibm6TeYpS8TqcHe55PJC1DorE7vBZBELMKDjJ0X";
+      keyFile = "/run/agenix/oauth2-proxy-env";
+
+      loginURL = "${nextcloudServer}/index.php/apps/oauth2/authorize";
+      redeemURL = "${nextcloudServer}/index.php/apps/oauth2/api/v1/token";
+      validateURL = "${nextcloudServer}/ocs/v2.php/cloud/user?format=json";
+
+      # todo --cookie-refresh
+
+      extraConfig = {
+        # cookie-csrf-per-request = true;
+        # cookie-csrf-expire = "5m";
+        # user-id-claim = "preferred_username";
+      };
+    };
+
+  age.secrets.oauth2-proxy-env.file = ../../../secrets/oauth2-proxy-env.age;
 }
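Review bot: `cookie.secure = false;` combined with the plain-HTTP nginx listeners (80 and 61617) and the bare `http://0.0.0.0:4180` proxy address means the oauth2-proxy session cookie crosses the network in cleartext on every request, so anyone who can sniff or intercept that segment can replay it and reach the Frigate UI without ever logging in to Nextcloud. I would terminate TLS on the `frigate.s0` vhost (`forceSSL = true;` with ACME or an internal CA) and then set `cookie.secure = true;`; until then, at least resolve the `# todo --cookie-refresh` with `cookie.refresh = "1h";` so a revoked Nextcloud session does not stay valid for the cookie's full lifetime. `email.domains = [ "*" ]` admits every account on neet.cloud — fine for a single-user instance, otherwise an explicit allow-list (`authenticated-emails-file` via `extraConfig`) is warranted; I can't tell which applies from here. With `redirectURL` left commented out, oauth2-proxy (as I understand it) derives the callback from the incoming Host header, so the redirect URI registered with the Nextcloud OAuth client must match whatever hostname users actually type; a comment next to `clientID` naming the registered URI would prevent a confusing mismatch later.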
diff --git a/secrets/oauth2-proxy-env.age b/secrets/oauth2-proxy-env.age index 86725cc2c8f42170733a60fa8a5d78ba993f7844..bb975be549313bf9305f45318329994bc8ef4784 100644 GIT binary patch delta 727 zcmcb_I+tyNPJNMMnNxX1wsxt7zh_9MkG6h}Yhi_tL8OP1mt$~hxUpMegh^FqqNi6`NTpwBkw=klk&{zsZg^=DVP-{?V|lSlu8~=!hnH7yiCcbguw{0reo$yyPPRe0L5e|e zQcLW~On^0HGrgPrxYOAX7jQltD+B8}aPN_>+Oy}|;yLX4_Xjred*ynRDKp;W1uo#^5mteakxnpm8wV4kbsSX>-z z;aKOO;O7|SXFE+0P!U;Ko@E@GRplF%>QWwTT53_4Um9f^W|3u> zyu|CbE|#BuKPm1xpV&I zbaU#*`%n4s_+G3qYiJM0f334$+z-CsJpKF;pYmn~y;;rwD}wVH4;-lF%D%hxn4ZGB PEK70rzaLB=@*e~MG8zqv delta 651 zcmbQsc8PU@PQ9s%ccOWybAC#cPi2UwlXsd^X_0G0RI#^NzP@`}W_o&6dQqa2Nn}`N zHdm-$a(<$zerZltXtI8iQ-Mo(aD;zYQlhbbenpf^io2m%x{J4AVrqI=IhU@TLUD11 zZfc5=si~o*f|+B8k$$>@SGJ!|a9}}cx^}jQrCWrHzMGT3iCbZDepaGIaBhIBK}Csc zS!hY6c6o*?SA~ypP_c`DS++s2VTyaEWon>NfpK0&reD5sx?5tASEX-yhOd5dPN|{i z#E;_PUg?RJ$szhBrq0FX6}jF%mIi5oSy=@sj^)l#x&GyjSsqc@+Lk^p9Hgu)&P5e&u9d-AZpjfr2A-LTM&SWDX<>$0K4$(QsQS75B}m0ZH*=u+?K?rG{DVV)6OQtpxyWMo)r9+;e)TdwU`>fxB??rr86YFt!h zS>Ya>ADm%qRu#yltE;P!R_<#SG-P zmRsiT=NJ}JJJYO!B)VC5EW z*;!1