[Unit]
Description=OAuth2 Proxy Server Quadlet
# OAuth2 Proxy requests OIDC configuration after launch, Pocket-ID should be ready
Wants=pocket-id.service
After=pocket-id.service

[Container]
Image=quay.io/oauth2-proxy/oauth2-proxy:v7.13.0
AutoUpdate=registry
ContainerName=oauth2-proxy-server

User=1000:1000

Environment=OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:4180
Environment=OAUTH2_PROXY_PROVIDER=oidc
Environment=OAUTH2_PROXY_OIDC_ISSUER_URL=https://id.${base_domain}
Environment=OAUTH2_PROXY_EMAIL_DOMAINS=*
Environment=OAUTH2_PROXY_CLIENT_ID=643ae98a-24a1-4c1d-9d0a-a102dd2fe38c
Environment=OAUTH2_PROXY_COOKIE_SECURE=true
Environment=OAUTH2_PROXY_REDIRECT_URL=https://oauth2-proxy.${base_domain}/oauth2/callback
Environment=OAUTH2_PROXY_COOKIE_DOMAINS=.${base_domain}
Environment=OAUTH2_PROXY_WHITELIST_DOMAINS=.${base_domain}
Environment=OAUTH2_PROXY_COOKIE_REFRESH=59m
Environment=OAUTH2_PROXY_COOKIE_EXPIRE=720h
Environment=OAUTH2_PROXY_REVERSE_PROXY=true
Environment=OAUTH2_PROXY_UPSTREAMS=static://202
Environment=OAUTH2_PROXY_SESSION_STORE_TYPE=redis
Environment=OAUTH2_PROXY_REDIS_CONNECTION_URL=redis://oauth2-proxy-redis
Environment=OAUTH2_PROXY_SKIP_JWT_BEARER_TOKENS=true
Environment=OAUTH2_PROXY_EXTRA_JWT_ISSUERS=https://id.${base_domain}=6ab0d4e0-db54-4404-ad25-003aa4c9d208
Secret=oauth2-proxy-cookie-secret,type=env,target=OAUTH2_PROXY_COOKIE_SECRET
Secret=oauth2-proxy-client-secret,type=env,target=OAUTH2_PROXY_CLIENT_SECRET

Label="glance.id=oauth2-proxy"
Label="glance.name=OAuth2 Proxy"
Label="glance.icon=di:oauth2-proxy"
Label="glance.description=Identity-Aware Proxy"
Label="glance.hide=false"

Label="traefik.enable=true"
Label="traefik.http.routers.oauth2-proxy.rule=Host(`oauth2-proxy.${base_domain}`)"
Label="traefik.http.services.oauth2-proxy.loadbalancer.server.port=4180"

Pod=oauth2-proxy.pod

[Service]
TimeoutStartSec=900
Restart=always

[Install]
WantedBy=multi-user.target default.target