Pihole: put it behind oauth2-proxy
diff --git a/scripts/homelab/installer/pihole-oauth2.cfg b/scripts/homelab/installer/pihole-oauth2.cfg
new file mode 100644
index 0000000..a4ce674
--- /dev/null
+++ b/scripts/homelab/installer/pihole-oauth2.cfg
@@ -0,0 +1,64 @@
+http_address = "0.0.0.0:8080"
+
+reverse_proxy = true
+
+## the OAuth Redirect URL.
+# defaults to the "https://" + requested host header + "/oauth2/callback"
+# redirect_url = "http://pihole.pcloud/oauth2/callback"
+
+upstreams = [
+ "http://pihole-web.app-pihole.svc.cluster.local/"
+]
+
+email_domains = [
+ "*"
+]
+
+logging_filename = ""
+logging_max_size = 100
+logging_max_age = 7
+logging_local_time = true
+logging_compress = false
+standard_logging = true
+standard_logging_format = "[{{.Timestamp}}] [{{.File}}] {{.Message}}"
+request_logging = true
+request_logging_format = "{{.Client}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}"
+auth_logging = true
+auth_logging_format = "{{.Client}} - {{.Username}} [{{.Timestamp}}] [{{.Status}}] {{.Message}}"
+
+pass_basic_auth = true
+pass_user_headers = true
+pass_host_header = true
+
+## The OAuth Client ID, Secret
+client_id = "pihole"
+client_secret = "1QpkwzJoZVlgjTnzfhhF3UfmVDVuKQQEWx4Qu3Oi9RM="
+
+## Pass OAuth Access token to upstream via "X-Forwarded-Access-Token"
+pass_access_token = false
+
+## Cookie Settings
+## Name - the cookie name
+## Secret - the seed string for secure cookies; should be 16, 24, or 32 bytes
+## for use with an AES cipher when cookie_refresh or pass_access_token
+## is set
+## Domain - (optional) cookie domain to force cookies to (ie: .yourcompany.com)
+## Expire - (duration) expire timeframe for cookie
+## Refresh - (duration) refresh the cookie when duration has elapsed after cookie was initially set.
+## Should be less than cookie_expire; set to 0 to disable.
+## On refresh, OAuth token is re-validated.
+## (ie: 1h means tokens are refreshed on request 1hr+ after it was set)
+## Secure - secure cookies are only sent by the browser of a HTTPS connection (recommended)
+## HttpOnly - httponly cookies are not readable by javascript (recommended)
+cookie_name = "_oauth2_proxy_pihole"
+cookie_secret = "123456789012345678901234567890--"
+cookie_domains = "pihole.pcloud"
+cookie_expire = "168h"
+cookie_refresh = "100h"
+cookie_secure = true
+cookie_httponly = true
+
+provider = "oidc"
+oidc_issuer_url = "https://hydra.lekva.me/"
+provider_display_name = "PCloud OIDC Provider"
+profile_url = "https://accounts-ui.lekva.me"
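Review bot: `client_secret` and `cookie_secret` are committed in plaintext in this new file, and the `cookie_secret` value is a predictable placeholder rather than random data, so the integrity of the proxy's session cookies and the confidentiality of the OIDC client credential both depend on who can read the repository. Remove both keys from the file and supply them at deploy time through the `OAUTH2_PROXY_CLIENT_SECRET` and `OAUTH2_PROXY_COOKIE_SECRET` environment variables, sourced from a secret store (the `svc.cluster.local` upstream suggests a Kubernetes Secret would fit), with the cookie secret generated from a CSPRNG. The client secret shown here should be treated as exposed and rotated at the issuer, since it remains in history once merged. Separately, `email_domains = ["*"]` admits every account that `oidc_issuer_url` authenticates; if the Pi-hole admin UI is meant for a subset of users, add a comment stating that the issuer enforces that restriction, or narrow it here.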