From 72e0759fa4ae8aad968725ef798af3e0b6957757 Mon Sep 17 00:00:00 2001
From: "RingOfStorms (Joshua Bell)"
Date: Sun, 5 Oct 2025 18:31:37 -0500
Subject: [PATCH] it works!?
---
 hosts/h001/containers/zitadel.md | 43 ++++++++++++++++++++++++++++++++
 hosts/h001/mods/oauth2-proxy.nix | 11 +++++++-
 hosts/h001/mods/trilium.nix | 19 --------------
 3 files changed, 53 insertions(+), 20 deletions(-)
 create mode 100644 hosts/h001/containers/zitadel.md
diff --git a/hosts/h001/containers/zitadel.md b/hosts/h001/containers/zitadel.md
new file mode 100644
index 0000000..aa24c27
--- /dev/null
+++ b/hosts/h001/containers/zitadel.md
@@ -0,0 +1,43 @@
+Note that in zitadel there are several settings that many of the apps need. Specifically the flat roles complement on tokens
+
+flatRolesClaim , timeout in seconds = 10
+flowType: complement_token
+-> pre user info creation
+-> pre access token creation
+
+```js
+/**
+ * Adds an additional claim in the token with roles in flat format.
+ *
+ * The role claims of the token look like the following:
+ *
+ * // added by the code below
+ * "flatRolesClaim": ["test", "role2", ...],
+ * // added automatically
+ * "urn:zitadel:iam:org:project:roles": {
+ * "test": {
+ * "201982826478953724": "zitadel.localhost"
+ * }
+ * }
+ *
+ * Flow: Complement token, Triggers: Pre Userinfo creation, Pre access token creation
+ *
+ * @param ctx
+ * @param api
+ */
+
+function flatRolesClaim(ctx, api) {
+ if (ctx.v1.user.grants == undefined || ctx.v1.user.grants.count == 0) {
+ return;
+ }
+
+ let grants = [];
+ ctx.v1.user.grants.grants.forEach(claim => {
+ claim.roles.forEach(role => {
+ grants.push(role);
+ })
+ })
+
+ api.v1.claims.setClaim('flatRolesClaim', grants);
+}
+```
diff --git a/hosts/h001/mods/oauth2-proxy.nix b/hosts/h001/mods/oauth2-proxy.nix
index cbc8826..f39e837 100644
--- a/hosts/h001/mods/oauth2-proxy.nix
+++ b/hosts/h001/mods/oauth2-proxy.nix
@@ -15,9 +15,18 @@ extraConfig = { whitelist-domain = "*.joshuabell.xyz"; cookie-domain = ".joshuabell.xyz"; + oidc-groups-claim = "flatRolesClaim"; + # scope = "openid email profiles"; + + # pass-access-token = "true"; + # set-authorization-header = "true"; + # pass-user-headers = "true"; + + # show-debug-on-error = "true"; + # errors-to-info-log = "true"; }; cookie.refresh = "30m"; - setXauthrequest = true; + # setXauthrequest = true; }; services.nginx.virtualHosts."sso-proxy.joshuabell.xyz" = { diff --git a/hosts/h001/mods/trilium.nix b/hosts/h001/mods/trilium.nix index ecff3ba..0797cda 100644 --- a/hosts/h001/mods/trilium.nix +++ b/hosts/h001/mods/trilium.nix @@ -28,24 +28,5 @@ }; }; }; - - # services.nginx = { - # virtualHosts = { - # "trilium" = { - # serverName = "h001.net.joshuabell.xyz"; - # listen = [ - # { - # port = 9111; - # addr = "0.0.0.0"; - # } - # ]; - # locations."/" = { - # proxyWebsockets = true; - # recommendedProxySettings = true; - # proxyPass = "http://127.0.0.1:9111"; - # }; - # }; - # }; - # }; }; }
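Review bot: `oidc-groups-claim = "flatRolesClaim";` only selects which token claim oauth2-proxy reads group membership from and does not restrict access by itself, so unless an `allowed-group` entry exists elsewhere in this file (none is in the hunk) every user who can sign in at Zitadel still passes the proxy; if role-gating is intended, add `allowed-group = "<role-key>";` (placeholder) beside it. The `flatRolesClaim` action in zitadel.md emits bare role keys and drops the project/org qualifier that the `urn:zitadel:iam:org:project:roles` claim carries, so any `allowed-group` match is by role name across all grants, which deserves a comment next to this line. Commenting out `setXauthrequest = true;` stops oauth2-proxy from setting the `X-Auth-Request-*` identity headers; if the virtualHost below or any upstream reads them via `auth_request_set`, this is a silent regression, and if it is deliberate a one-line comment saying why would help. The remaining commented-out lines are dead configuration to drop or justify, and `# scope = "openid email profiles";` names a scope that is not standard OIDC (the standard one is `profile`), so it would break login if re-enabled. The enclosing attribute set begins before this hunk.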