it works!?

hosts/h001/containers/zitadel.md

@@ -0,0 +1,43 @@
+Note that in zitadel there are several settings that many of the apps need. Specifically the flat roles complement on tokens
+
+flatRolesClaim , timeout in seconds = 10
+flowType: complement_token
+-> pre user info creation
+-> pre access token creation
+
+```js
+/**
+ * Adds an additional claim in the token with roles in flat format.
+ * 
+ * The role claims of the token look like the following:
+ * 
+ * // added by the code below
+ * "flatRolesClaim": ["test", "role2", ...],
+ * // added automatically
+ * "urn:zitadel:iam:org:project:roles": {
+ *   "test": {
+ *     "201982826478953724": "zitadel.localhost"
+ *   }
+ * }
+ *
+ * Flow: Complement token, Triggers: Pre Userinfo creation, Pre access token creation
+ *
+ * @param ctx
+ * @param api
+ */
+
+function flatRolesClaim(ctx, api) {
+  if (ctx.v1.user.grants == undefined || ctx.v1.user.grants.count == 0) {
+    return;
+  }
+
+  let grants = [];
+  ctx.v1.user.grants.grants.forEach(claim => {
+    claim.roles.forEach(role => {
+        grants.push(role);  
+    })
+  })
+  
+  api.v1.claims.setClaim('flatRolesClaim', grants);
+}
+```

hosts/h001/mods/oauth2-proxy.nix

@@ -15,9 +15,18 @@
     extraConfig = {
       whitelist-domain = "*.joshuabell.xyz";
       cookie-domain = ".joshuabell.xyz";
+      oidc-groups-claim = "flatRolesClaim";
+      # scope = "openid email profiles";
+
+      # pass-access-token = "true";
+      # set-authorization-header = "true";
+      # pass-user-headers = "true";
+
+      # show-debug-on-error = "true";
+      # errors-to-info-log = "true";
     };
     cookie.refresh = "30m";
-    setXauthrequest = true;
+    # setXauthrequest = true;
   };
 
   services.nginx.virtualHosts."sso-proxy.joshuabell.xyz" = {

hosts/h001/mods/trilium.nix

@@ -28,24 +28,5 @@
         };
       };
     };
-
-    # services.nginx = {
-    #   virtualHosts = {
-    #     "trilium" = {
-    #       serverName = "h001.net.joshuabell.xyz";
-    #       listen = [
-    #         {
-    #           port = 9111;
-    #           addr = "0.0.0.0";
-    #         }
-    #       ];
-    #       locations."/" = {
-    #         proxyWebsockets = true;
-    #         recommendedProxySettings = true;
-    #         proxyPass = "http://127.0.0.1:9111";
-    #       };
-    #     };
-    #   };
-    # };
   };
 }