pin all leading edge apps to their own nixpkgs so they can update independently

2025-10-07 19:22:43 -05:00 · 2025-10-07 19:22:43 -05:00 · 3a0b2e754d
commit 3a0b2e754d
parent b89d0a67fa
8 changed files with 431 additions and 315 deletions
--- a/hosts/h001/mods/oauth2-proxy.nix
+++ b/hosts/h001/mods/oauth2-proxy.nix
@ -1,40 +1,56 @@
-{ upkgs, config, ... }:
 {
-  services.oauth2-proxy = {
-    enable = true;
-    httpAddress = "http://127.0.0.1:4180";
-    package = upkgs.oauth2-proxy;
-    provider = "oidc";
-    reverseProxy = true;
-    redirectURL = "https://sso-proxy.joshuabell.xyz/oauth2/callback";
-    validateURL = "https://sso.joshuabell.xyz/oauth2/";
-    oidcIssuerUrl = "https://sso.joshuabell.xyz";
-    keyFile = config.age.secrets.oauth2_proxy_key_file.path;
-    nginx.domain = "sso-proxy.joshuabell.xyz";
-    email.domains = [ "*" ];
-    extraConfig = {
-      whitelist-domain = "*.joshuabell.xyz";
-      cookie-domain = ".joshuabell.xyz";
-      oidc-groups-claim = "flatRolesClaim";
-      # scope = "openid email profiles";
-
-      # pass-access-token = "true";
-      # set-authorization-header = "true";
-      # pass-user-headers = "true";
-
-      # show-debug-on-error = "true";
-      # errors-to-info-log = "true";
-    };
-    cookie.refresh = "30m";
-    # setXauthrequest = true;
+  inputs,
+  config,
+  ...
+}:
+let
+  declaration = "services/security/oauth2-proxy.nix";
+  nixpkgs = inputs.open-webui-nixpkgs;
+  pkgs = import nixpkgs {
+    system = "x86_64-linux";
+    config.allowUnfree = true;
  };
+in
+{
+  disabledModules = [ declaration ];
+  imports = [ "${nixpkgs}/nixos/modules/${declaration}" ];
+  config = {
+    services.oauth2-proxy = {
+      enable = true;
+      httpAddress = "http://127.0.0.1:4180";
+      package = pkgs.oauth2-proxy;
+      provider = "oidc";
+      reverseProxy = true;
+      redirectURL = "https://sso-proxy.joshuabell.xyz/oauth2/callback";
+      validateURL = "https://sso.joshuabell.xyz/oauth2/";
+      oidcIssuerUrl = "https://sso.joshuabell.xyz";
+      keyFile = config.age.secrets.oauth2_proxy_key_file.path;
+      nginx.domain = "sso-proxy.joshuabell.xyz";
+      email.domains = [ "*" ];
+      extraConfig = {
+        whitelist-domain = "*.joshuabell.xyz";
+        cookie-domain = ".joshuabell.xyz";
+        oidc-groups-claim = "flatRolesClaim";
+        # scope = "openid email profiles";

-  services.nginx.virtualHosts."sso-proxy.joshuabell.xyz" = {
-    locations = {
-      "/" = {
-        proxyWebsockets = true;
-        recommendedProxySettings = true;
-        proxyPass = "http://127.0.0.1:4180";
+        # pass-access-token = "true";
+        # set-authorization-header = "true";
+        # pass-user-headers = "true";
+
+        # show-debug-on-error = "true";
+        # errors-to-info-log = "true";
+      };
+      cookie.refresh = "30m";
+      # setXauthrequest = true;
+    };
+
+    services.nginx.virtualHosts."sso-proxy.joshuabell.xyz" = {
+      locations = {
+        "/" = {
+          proxyWebsockets = true;
+          recommendedProxySettings = true;
+          proxyPass = "http://127.0.0.1:4180";
+        };
      };
    };
  };