From f3dfe561ad6e0b2d915b37cbe0123c607f7db47f Mon Sep 17 00:00:00 2001
From: soraefir <soraefir+git@helcel>
Date: Sat, 9 May 2026 12:38:04 +0200
Subject: [PATCH] add plugin

---
 modules/server/containers/defs/etherpad.nix | 36 ++++++---------------
 1 file changed, 10 insertions(+), 26 deletions(-)

diff --git a/modules/server/containers/defs/etherpad.nix b/modules/server/containers/defs/etherpad.nix
index d1b54d4..169b9f3 100644
--- a/modules/server/containers/defs/etherpad.nix
+++ b/modules/server/containers/defs/etherpad.nix
@@ -1,6 +1,9 @@
 { config, containerCfg, pkgs, lib, builder, name,... }:
 let 
   serverCfg = config.syscfg.server;
+  etherpad_exe = pkgs.etherpad-lite.override {
+    plugins = [ pkgs.nodePackages.ep_proxy_auth ]; # Ensure this is in your nixpkgs
+  };
   settings = pkgs.writeTextDir"etc/etherpad/settings.json" (builtins.toJSON {
     title= "\${TITLE:Etherpad}";
     showRecentPads = "\${SHOW_RECENT_PADS:true}";
@@ -53,40 +56,18 @@ let
     minify = "\${MINIFY:true}";
     requireAuthentication = "\${REQUIRE_AUTHENTICATION:true}";
     requireAuthorization = "\${REQUIRE_AUTHORIZATION:false}";
-    trustProxy = "\${TRUST_PROXY:false}";
+    trustProxy = "\${TRUST_PROXY:true}";
+    ep_headerauth.username_header = "X-authentik-username";
     socketTransportProtocols = ["websocket" "polling"];
     socketIo.maxHttpBufferSize = "\${SOCKETIO_MAX_HTTP_BUFFER_SIZE:1000000}";
-
-
-    
     indentationOnNewLine = true;
-    exposeVersion = "\${EXPOSE_VERSION:false}";
 
     loglevel = "\${LOGLEVEL:INFO}";
     lowerCasePadIds = "\${LOWER_CASE_PAD_IDS:true}";
-    sso = {
-      issuer = "\${SSO_ISSUER:http://localhost:9001}";
-      clients = [
-        {
-          client_id = "\${ADMIN_CLIENT:admin_client}";
-          client_secret = "\${ADMIN_SECRET:admin}";
-          grant_types = ["authorization_code"];
-          response_types = ["code"];
-          redirect_uris = ["\${ADMIN_REDIRECT:http://localhost:9001/admin/}"];
-        }
-        {
-          client_id = "\${USER_CLIENT:user_client}";
-          client_secret = "\${USER_SECRET:user}";
-          grant_types = ["authorization_code"];
-          response_types = ["code"];
-          redirect_uris = ["\${USER_REDIRECT:http://localhost:9001/}"];
-        }
-      ];
-    };
   });
   image = pkgs.dockerTools.streamLayeredImage {
     name = "etherpad";
-    tag = pkgs.etherpad-lite.version;
+    tag = etherpad_exe.version;
     contents = with pkgs;[cacert tzdata bash coreutils curl settings ];
     fakeRootCommands = ''
       mkdir -p ./var/lib/etherpad
@@ -95,7 +76,7 @@ let
       chmod 1777 ./tmp
     '';
     config = {
-      Cmd = [ "${pkgs.etherpad-lite}/bin/etherpad-lite" "--settings" "/etc/etherpad/settings.json" ];
+      Cmd = [ "${etherpad_exe}/bin/etherpad-lite" "--settings" "/etc/etherpad/settings.json" ];
       User = "1000:1000";
       WorkingDir = "/var/lib/etherpad";
       ExposedPorts = { "${toString containerCfg.port}/tcp" = {}; };
@@ -140,6 +121,9 @@ in {
         PAD_OPTIONS_USE_MONOSPACE_FONT = "true";
         SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
       };
+      extraLabels = {
+        "traefik.http.routers.${containerCfg.subdomain}.middlewares" = "authentik";
+      };
       overrides = {
         volumes = [
           "${serverCfg.configPath}/etherpad/data:/opt/etherpad-lite/var"