switch to authentik oidc endpoint

caddy/Caddyfile

@@ -46,4 +46,8 @@ import protected droppy host:8989
 import protected filebrowser host:8002
 import protected jupyter host:9999
 
-import sites/*.caddy
+import sites/root.caddy
+import sites/authentik.caddy
+import sites/ha.caddy
+import sites/geo.caddy
+import sites/test.caddy

caddy/conf/auth.caddy

@@ -2,15 +2,18 @@
 	order authenticate before respond
 	order authorize before reverse_proxy
 	security {
-		oauth identity provider google {
-			realm google
-			driver google
+		oauth identity provider generic {
+			realm generic
+			driver generic
 			client_id {$OAUTH_CLIENT_ID}
 			client_secret {$OAUTH_CLIENT_SECRET}
 			scopes openid email profile
+
+			base_auth_url https://authentik.rik.veenboer.xyz
+			metadata_url http://host:12345/.well-known
 		}
 		authentication portal myportal {
-			enable identity provider google
+			enable identity provider generic
 			cookie domain veenboer.xyz
 			ui {
 				links {
@@ -19,12 +22,12 @@
 			}
 
 			transform user {
-				match realm google
+				match realm generic
 				action add role authp/user
 			}
 
 			transform user {
-				match realm google
+				match realm generic
 
 				# Give this account admin role in the auth portal
 				match email rik.veenboer@gmail.com
@@ -32,7 +35,7 @@
 			}
 		}
 		authorization policy mypolicy {
-			set auth url https://auth.rik.veenboer.xyz/oauth2/google
+			set auth url https://auth.rik.veenboer.xyz/oauth2/generic
 			allow roles authp/admin authp/user
 			validate bearer header
 			inject headers with claims

caddy/conf/layer4.caddy

@@ -1,9 +1,10 @@
-(layer4) {layer4 {
-	:443 {
-		@openvpn openvpn
-		route @openvpn {
-			proxy host:444 # Proxy OpenVPN traffic to its backend
+(layer4) {
+	layer4 {
+		:443 {
+			@openvpn openvpn
+			route @openvpn {
+				proxy host:444 # Proxy OpenVPN traffic to its backend
+			}
 		}
 	}
 }
-}