rspamd: authenticate via sso

This commit is contained in:
Rouven Seifert 2024-05-24 00:22:19 +02:00
parent 7372df381d
commit 16f3500f09
2 changed files with 15 additions and 1 deletions

View file

@ -7,7 +7,7 @@
postfix.enable = true; postfix.enable = true;
locals = { locals = {
"worker-controller.inc".text = '' "worker-controller.inc".text = ''
password = "$2$g1jh7t5cxschj11set5wksd656ixd5ie$cgwrj53hfb87xndqbh5r3ow9qfi1ejii8dxok1ihbnhamccn1rxy"; secure_ip = "0.0.0.0/0";
''; '';
"redis.conf".text = '' "redis.conf".text = ''
read_servers = "/run/redis-rspamd/redis.sock"; read_servers = "/run/redis-rspamd/redis.sock";
@ -39,6 +39,18 @@
}; };
}; };
caddy.virtualHosts."rspamd.${config.networking.domain}".extraConfig = '' caddy.virtualHosts."rspamd.${config.networking.domain}".extraConfig = ''
# for some reason this only works with http and not with https so we send every request through our wireguard tunnel
reverse_proxy /outpost.goauthentik.io/* http://nuc.vpn.rfive.de:9000
# forward authentication to authentik
forward_auth http://nuc.vpn.rfive.de:9000 {
uri /outpost.goauthentik.io/auth/caddy
# capitalization of the headers is important, otherwise they will be empty
copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
}
reverse_proxy 127.0.0.1:11334 reverse_proxy 127.0.0.1:11334
''; '';
}; };

View file

@ -20,4 +20,6 @@ in
services.caddy.virtualHosts."${domain}".extraConfig = '' services.caddy.virtualHosts."${domain}".extraConfig = ''
reverse_proxy localhost:9000 reverse_proxy localhost:9000
''; '';
# open the firewall for proxy auth
networking.firewall.allowedTCPPorts = [ 9000 ];
} }