Configuring vouch-proxy or oauth2_proxy_nginx.nix

Hello, so I have what I think should be a simple enough issue. However, I can find no examples of this being done, which is very frustrating. I am in essence attempting to follow Enforce Google Authentication for Any Application with nginx and Vouch Proxy | by Benjamin Foote | lasso | Medium and nixify the process.
I’m attempting to deploy to a remote system that will host a site, and when people go to it I want to deal with authentication by redirecting them to, most likely, Google authentication.

To do so I initially tried to see if I could find any examples of people using vouch-proxy with Nix/NixOS, so I could learn from those examples. I found none, but if anyone can point me to a configuration that does that, it would be great. I then thought, ok, maybe I can use oauth2_proxy_nginx.nix instead: nixpkgs/oauth2_proxy_nginx.nix at 06db2e2197401b74fcf82d4e84be15b0b5851c7b · NixOS/nixpkgs · GitHub

However, once again I have been unable to find any examples. It may just be that I’m terrible at finding/researching actual implementations. It might be that there aren’t many. It might be that I’m just terrible at understanding what I’m looking at and how to configure it should be obvious. But if anyone on here knows how to configure those, or can point me towards an example of a system configured with them so I can see how to do it, I would greatly appreciate it.

Thank you for the help if you can offer it. Undoubtedly this will be easy, but it’s hard to see that when you don’t know how to do it. So help is greatly appreciated.

Hey, I’m using vouch-proxy together with kanidm. Maybe my config, which I want to upstream eventually, will help you?

```nix
{ config, pkgs, lib, ... }:
let
  # Origin of the kanidm server, e.g. "https://idm.example"; the actual
  # value was lost when the post was rendered.
  kanidmOrigin = "";

  # Rendered to config.yml below with pkgs.formats.yaml.
  vouchConfig = {
    vouch = {
      # testing = true;
      listen = "[::1]";
      port = 30746;

      # TODO this allows everybody that can authenticate to kanidm, so no
      # further scoping possible atm.
      allowAllUsers = true;
      cookie.domain = "";  # value lost in the rendered post

      jwt.secret = "redacted, don't know where I got this from";
    };

    oauth = rec {
      provider = "oidc";
      client_id = "gollum";
      # oauth2_rs_basic_secret from `kanidm system oauth2 get gollum`
      client_secret = "redacted";
      auth_url = "${kanidmOrigin}/ui/oauth2";
      token_url = "${kanidmOrigin}/oauth2/token";
      user_info_url = "${kanidmOrigin}/oauth2/openid/${client_id}/userinfo";
      scopes = [ "login" ];
      callback_url = "";  # value lost in the rendered post
      code_challenge_method = "S256";
    };
  };
in
{
  systemd.services.vouch-proxy = {
    description = "Vouch-proxy";
    after = [ "" ];     # value lost in the rendered post
    wantedBy = [ "" ];  # value lost in the rendered post
    serviceConfig = {
      ExecStart = ''
        ${pkgs.vouch-proxy}/bin/vouch-proxy \
          -config ${(pkgs.formats.yaml {}).generate "config.yml" vouchConfig}
      '';
      Restart = "on-failure";
      RestartSec = 5;
      WorkingDirectory = "/var/lib/vouch-proxy";
      StateDirectory = "vouch-proxy";
      RuntimeDirectory = "vouch-proxy";
      User = "vouch-proxy";
      Group = "vouch-proxy";
      StartLimitBurst = 3;
    };
  };

  users.users.vouch-proxy = {
    isSystemUser = true;
    group = "vouch-proxy";
  };
  users.groups.vouch-proxy = { };

  services.nginx = {
    enable = true;
    # Public vhost for vouch-proxy itself; the hostname was lost in the
    # rendered post.
    virtualHosts."" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://[::1]:${toString 30746}/";
        extraConfig = ''
          proxy_set_header Host $host;
          # The header value is missing from the rendered post; nginx
          # requires one here.
          add_header Access-Control-Allow-Origin;
        '';
      };
    };
  };
}
```
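The config above only publishes vouch-proxy itself; the part the original question is really about, the vhost of the site being protected, is wired to vouch-proxy through nginx's auth_request. The following is an added example, not code from the reply above or from the vouch-proxy project, that shows that second half as a NixOS nginx vhost. The hostnames vouch.example.com and app.example.com, the backend at 127.0.0.1:8080 and the vouch-proxy listener [::1]:30746 are assumptions.

```nix
# Added example (not code from the thread): protect app.example.com with
# a vouch-proxy instance listening on [::1]:30746 and published as
# vouch.example.com. All three names/ports are assumed.
{ config, pkgs, lib, ... }:
let
  vouchHost = "vouch.example.com";        # assumed public name of vouch-proxy
  appHost = "app.example.com";            # assumed name of the protected site
  appUpstream = "http://127.0.0.1:8080";  # assumed backend of the site
  vouchUpstream = "http://[::1]:30746";   # vouch-proxy listener from the reply
in
{
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;  # sets Host / X-Forwarded-* for proxyPass

    virtualHosts.${appHost} = {
      enableACME = true;
      forceSSL = true;

      # A 401 from the auth subrequest is turned into a redirect to the
      # vouch-proxy login page, which sends the user back to $request_uri
      # once the IdP has authenticated them.
      extraConfig = ''
        error_page 401 = @error401;
      '';

      locations = {
        # Target of auth_request. `internal` keeps clients from calling it
        # directly; the body is dropped because vouch-proxy only needs the
        # cookie. The auth_request_set lines export vouch-proxy's response
        # headers as variables for the other locations.
        "/validate" = {
          proxyPass = "${vouchUpstream}/validate";
          extraConfig = ''
            internal;
            proxy_set_header Host $http_host;
            proxy_pass_request_body off;
            proxy_set_header Content-Length "";
            auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
            auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
            auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
            auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
          '';
        };

        "@error401".extraConfig = ''
          return 302 https://${vouchHost}/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
        '';

        # Every request to the site must pass /validate first.
        "/" = {
          proxyPass = appUpstream;
          extraConfig = ''
            auth_request /validate;
            auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
            # Identity asserted by vouch-proxy. The backend must trust this
            # header only from nginx, never from a client that reaches it directly.
            proxy_set_header X-Vouch-User $auth_resp_x_vouch_user;
          '';
        };
      };
    };
  };
}
```

For this to work with the vouchConfig from the reply, two of its blank values have to line up with the assumed names: `cookie.domain` must be the parent domain shared by both hosts (here `example.com`) so the browser presents the vouch cookie to app.example.com, and `callback_url` must be `https://vouch.example.com/auth` and be registered as the redirect URI for the client at the IdP. Keep the backend bound to localhost (or otherwise unreachable except via nginx), since X-Vouch-User carries no proof of its own.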



This is exceedingly useful, thank you.

You’re welcome! Btw as you asked, I didn’t find any NixOS specific examples either, so I had to piece it together by myself. Eventually we’re going to need a module in Nixpkgs for vouch-proxy.
