ouranos/ansible/searxng/oauth2-proxy-searxng.cfg.j2

# OAuth2-Proxy Configuration for SearXNG
# Authenticates users via Casdoor OIDC before proxying to SearXNG
# Red Panda Approved

# Provider Configuration (Casdoor OIDC)
provider = "oidc"
provider_display_name = "Casdoor"
oidc_issuer_url = "{{ searxng_oauth2_oidc_issuer_url }}"
client_id = "{{ searxng_oauth2_client_id }}"
client_secret = "{{ searxng_oauth2_client_secret }}"

# Redirect URL after authentication
redirect_url = "{{ searxng_oauth2_redirect_url }}"

# Upstream service (SearXNG on localhost)
upstreams = [
    "http://127.0.0.1:{{ searxng_port }}"
]

# Session/Cookie Configuration
cookie_secret = "{{ searxng_oauth2_cookie_secret }}"
cookie_name = "_oauth2_proxy_searxng"
cookie_secure = true
cookie_httponly = true
cookie_samesite = "lax"
cookie_domains = [
    ".{{ searxng_domain }}"
]

# Authentication settings
email_domains = ["*"]
oidc_email_claim = "email"
oidc_groups_claim = "groups"

# Session settings
session_store_type = "cookie"
cookie_expire = "168h"
cookie_refresh = "1h"

# Request settings - pass user info to SearXNG
pass_access_token = false
pass_authorization_header = false
set_authorization_header = false
set_xauthrequest = true

# Logging
request_logging = true
auth_logging = true
standard_logging = true

# Network settings
http_address = "0.0.0.0:{{ searxng_proxy_port }}"
reverse_proxy = true
real_client_ip_header = "X-Forwarded-For"

# Skip authentication for health check endpoints
skip_auth_routes = [
    "^/healthz$",
    "^/ping$"
]

# OIDC specific settings
skip_provider_button = true
oidc_extra_audiences = []
insecure_oidc_allow_unverified_email = true
cookie_csrf_per_request = true
cookie_csrf_expire = "5m"

# SSL verification (internal Casdoor uses valid certs)
ssl_insecure_skip_verify = false