From c174f625c8601da1cd6a9db97d8109c2e4b0f14c Mon Sep 17 00:00:00 2001
From: fi
Date: Thu, 6 Feb 2025 00:06:42 +0100
Subject: [PATCH 1/2] Add matrix-authentication-service package to matrix host

---
 config/hosts/matrix/matrix-synapse.nix | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/config/hosts/matrix/matrix-synapse.nix b/config/hosts/matrix/matrix-synapse.nix
index 7f339bf..8d74f50 100644
--- a/config/hosts/matrix/matrix-synapse.nix
+++ b/config/hosts/matrix/matrix-synapse.nix
@@ -1,5 +1,9 @@
-{ ... }:
+{ pkgs, ... }:
 {
+ environment.systemPackages = with pkgs; [
+ matrix-authentication-service
+ syn2mas
+ ];
 services.matrix-synapse = {
 enable = true;
 settings = {

From e484360f9177e4b86ddc013753d776fd119a04fb Mon Sep 17 00:00:00 2001
From: fi
Date: Tue, 11 Feb 2025 18:24:45 +0100
Subject: [PATCH 2/2] Use the X-Forwarded-* headers for keycloak instead of Forwarded

This also explicitly sets X-Forwarded-Proto to https which fixes the warning "Non-secure context detected; cookies are not secured, and will not be available in cross-origin POST requests" which prevented the user account management page to load.
---
 config/hosts/keycloak/keycloak.nix | 2 +-
 config/hosts/keycloak/nginx.nix | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/config/hosts/keycloak/keycloak.nix b/config/hosts/keycloak/keycloak.nix
index e8e38c3..2ae957b 100644
--- a/config/hosts/keycloak/keycloak.nix
+++ b/config/hosts/keycloak/keycloak.nix
@@ -5,7 +5,7 @@
 settings = {
 hostname = "https://id.nekover.se";
 hostname-admin = "https://keycloak-admin.nekover.se";
- proxy-headers = "forwarded";
+ proxy-headers = "xforwarded";
 http-enabled = true;
 http-host = "127.0.0.1";
 http-port = 8080;
diff --git a/config/hosts/keycloak/nginx.nix b/config/hosts/keycloak/nginx.nix
index 0c83ea0..c82597d 100644
--- a/config/hosts/keycloak/nginx.nix
+++ b/config/hosts/keycloak/nginx.nix
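Review bot: `proxy-headers = "xforwarded";` makes Keycloak take scheme, host, port and client address from the X-Forwarded-* headers of whatever reaches `http-host = "127.0.0.1"` on port 8080, so the setting is only sound while the nginx in nginx.nix overwrites every one of those headers on its way in; nothing in this file records that coupling. A one-line comment above the changed line would save the next reader the archaeology: `# Trust X-Forwarded-* from the local nginx (nginx.nix sets all of them); "forwarded" tripped Keycloak's "Non-secure context" check.` The fixed `hostname` and `hostname-admin` values in the surrounding context lines presumably mean a wrong X-Forwarded-Host cannot change the URLs Keycloak advertises, which limits the impact of a mis-set header — worth confirming against the Keycloak hostname docs for the version deployed.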
@@ -41,6 +41,13 @@
 proxy_buffer_size 128k;
 proxy_buffers 8 128k;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Port 443;
+ # This is https in any case.
+ proxy_set_header X-Forwarded-Proto https;
 # Hide the X-Forwarded header.
 proxy_hide_header X-Forwarded;
 # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
@@ -96,6 +103,13 @@
 proxy_buffer_size 128k;
 proxy_buffers 8 128k;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Port 443;
+ # This is https in any case.
+ proxy_set_header X-Forwarded-Proto https;
 # Hide the X-Forwarded header.
 proxy_hide_header X-Forwarded;
 # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
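Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` (added in the hunk at -41 and again in the hunk at -96) appends nginx's view of the client to whatever X-Forwarded-For the client itself sent, so the header that Keycloak now trusts under `proxy-headers = "xforwarded"` still carries client-controlled entries, unlike X-Real-IP two lines above which is set from `$remote_addr` alone. The existing context comment says this is assumed to be the only reverse proxy; if that holds, `proxy_set_header X-Forwarded-For $remote_addr;` gives Keycloak exactly the address nginx saw and nothing a client can influence. Whether Keycloak reads the first or the last list entry is not visible on this page, so treat this as hardening to confirm rather than a proven defect. The same seven added lines appear verbatim in both server blocks; a shared Nix binding or an nginx include would keep the two copies from drifting apart.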