Use the X-Forwarded-* headers for keycloak instead of Forwarded

This also explicitly sets X-Forwarded-Proto to https which fixes
the warning "Non-secure context detected; cookies are not secured,
and will not be available in cross-origin POST requests" which
prevented the user account management page to load.

config/hosts/keycloak/keycloak.nix

@@ -5,7 +5,7 @@
     settings = {
       hostname = "https://id.nekover.se";
       hostname-admin = "https://keycloak-admin.nekover.se";
-      proxy-headers = "forwarded";
+      proxy-headers = "xforwarded";
       http-enabled = true;
       http-host = "127.0.0.1";
       http-port = 8080;

config/hosts/keycloak/nginx.nix

@@ -41,6 +41,13 @@
           proxy_buffer_size 128k;
           proxy_buffers 8 128k;
 
+          proxy_set_header Host $host;
+          proxy_set_header X-Forwarded-Host $host;
+          proxy_set_header X-Real-IP $remote_addr;
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header X-Forwarded-Port 443;
+          # This is https in any case.
+          proxy_set_header X-Forwarded-Proto https;
           # Hide the X-Forwarded header.
           proxy_hide_header X-Forwarded;
           # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
@@ -96,6 +103,13 @@
           proxy_buffer_size 128k;
           proxy_buffers 8 128k;
 
+          proxy_set_header Host $host;
+          proxy_set_header X-Forwarded-Host $host;
+          proxy_set_header X-Real-IP $remote_addr;
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header X-Forwarded-Port 443;
+          # This is https in any case.
+          proxy_set_header X-Forwarded-Proto https;
           # Hide the X-Forwarded header.
           proxy_hide_header X-Forwarded;
           # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that

config/hosts/matrix/matrix-synapse.nix

@@ -1,5 +1,9 @@
-{ ... }:
+{ pkgs, ... }:
 {
+  environment.systemPackages = with pkgs; [
+    matrix-authentication-service
+    syn2mas
+  ];
   services.matrix-synapse = {
     enable = true;
     settings = {