{ ... }:

let
  # Public hostname the AdGuard Home UI is served under (via Caddy, behind
  # authentik forward-auth).
  domain = "adguard.vpn.rfive.de";

  # Port of the AdGuard Home web UI. Bound to loopback only (see uiAddress),
  # so it is never reachable from the network directly.
  port = 3000;

  # Single definition of the loopback listener, used both as the adguardhome
  # `http.address` and as the upstream of the final Caddy `reverse_proxy`, so
  # the two cannot drift apart.
  uiAddress = "127.0.0.1:${toString port}";
in
{
  # DNS (53/tcp + 53/udp).
  # NOTE(review): networking.firewall.allowed*Ports are host-wide rules
  # (all interfaces). AdGuard Home itself only listens on 192.168.42.2
  # (dns.bind_hosts below), so these could be scoped to that interface via
  # networking.firewall.interfaces.<iface>.allowedTCPPorts /
  # allowedUDPPorts instead of the global lists — confirm the interface name.
  networking.firewall = {
    allowedTCPPorts = [ 53 ];
    allowedUDPPorts = [ 53 ];
  };

  services.adguardhome = {
    enable = true;
    # DNS is only answered on the LAN/VPN address; the web UI stays on
    # loopback and, from outside the host, is reached solely through the
    # authenticated Caddy virtual host below.
    settings.dns.bind_hosts = [ "192.168.42.2" ];
    settings.http.address = uiAddress;
  };

  # Caddy front-end for the domain: every request has to pass authentik's
  # forward-auth outpost before it is proxied to the AdGuard Home UI.
  services.caddy.virtualHosts."${domain}".extraConfig = ''
    # for some reason this only works with http and not with https so we send every request through our wireguard tunnel
    reverse_proxy /outpost.goauthentik.io/* http://nuc.vpn.rfive.de:9000

    # forward authentication to authentik
    forward_auth http://nuc.vpn.rfive.de:9000 {
      uri /outpost.goauthentik.io/auth/caddy

      # capitalization of the headers is important, otherwise they will be empty
      copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
    }
    reverse_proxy ${uiAddress}
  '';
}