From 47b11c510d0c711738d772786a11ce5aa7124e13 Mon Sep 17 00:00:00 2001
From: Till
Date: Mon, 13 Oct 2025 16:26:38 +0200
Subject: [PATCH] isolated dex

---
 system/web-server/dex.nix | 54 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 system/web-server/dex.nix

diff --git a/system/web-server/dex.nix b/system/web-server/dex.nix
new file mode 100644
index 0000000..1708e36
--- /dev/null
+++ b/system/web-server/dex.nix
@@ -0,0 +1,54 @@
+{ config, pkgs, ... }:
+
+let
+
+ dex = {
+ hostname = "dex.${config.networking.domain}";
+ };
+
+in {
+
+ services.dex = {
+ enable = true;
+ environmentFile = "/var/custom-access/dex-environemnt";
+ settings = {
+ issuer = "https://${dex.hostname}";
+ storage.type = "sqlite3";
+ web.http = "127.0.0.1:5556";
+ staticClients = [
+ {
+ id = "outline";
+ name = "Outline Client";
+ redirectURIs = [ "https://${outline.hostname}/auth/oidc.callback" ];
+ secretFile = "/var/custom-access/outline-oidc-secret.txt";
+ }
+ ];
+ enablePasswordDB = true;
+ # staticPasswords = [
+ # {
+ # email = "till@ktiu.net";
+ # # gen hash with $ htpasswd -nBC 10 "" | tr -d ':\n'
+ # hash = "";
+ # username = "bootstrap-admin";
+ # # $ uuidgen
+ # userID = "";
+ # }
+ # ];
+ };
+ };
+
+ security.acme.certs."${config.networking.domain}".extraDomainNames = [
+ "dex.${config.networking.domain}"
+ ];
+
+ services.nginx.virtualHosts = {
+ "dex.${config.networking.domain}" = {
+ onlySSL = true;
+ useACMEHost = config.networking.domain;
+ locations."/" = {
+ proxyPass = "http://${config.services.dex.settings.web.http}";
+ proxyWebsockets = true;
+ };
+ };
+ };
+}
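Review bot: The `redirectURIs` entry in `staticClients` interpolates `outline.hostname`, but the only binding in this file's `let` is `dex` and `outline` is not among the module's function arguments (`{ config, pkgs, ... }:`), so evaluating this module fails with an undefined-variable error. Define it next to `dex` — e.g. `outline = { hostname = "outline.${config.networking.domain}"; };` if that is the vhost Outline is served on — or take the callback host from whatever option the Outline module exposes. The `environmentFile` path `/var/custom-access/dex-environemnt` reads like a typo for `dex-environment`; if the file on disk is really spelled that way it is fine, otherwise dex will not start. Separately, `enablePasswordDB = true` with the `staticPasswords` block commented out leaves the local password connector enabled with no accounts, and once the bootstrap user is filled in the bcrypt hash lands world-readable in the Nix store, so only use it with a strong password; the files under `/var/custom-access` also have to be readable by the user the dex service runs as, which this module does not arrange.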