VEGAS: add SSO service

2021-10-16 20:24:30 +02:00 · 2021-10-16 20:24:30 +02:00 · 3c4b8d92b4
commit 3c4b8d92b4
parent 3c15c90258
5 changed files with 70 additions and 0 deletions
--- a/hosts/VEGAS/services/sso/default.nix
+++ b/hosts/VEGAS/services/sso/default.nix
@ -0,0 +1,44 @@
+{ config, lib, pkgs, tools, ... }:
+with tools.nginx;
+let
+  login = "login.${tools.meta.domain}";
+  cfg = config.services.keycloak;
+in
+{
+  imports = [
+    ./identity-management.nix
+  ];
+  age.secrets.keycloak-dbpass = {
+    file = ../../../../secrets/keycloak-dbpass.age;
+    owner = "root";
+    group = "root";
+    mode = "0400";
+  };
+  services.nginx.virtualHosts = { 
+    "${login}" = lib.recursiveUpdate (vhosts.proxy "http://${cfg.bindAddress}:${cfg.httpPort}") {
+      locations."= /".return = "302 /auth/realms/master/account/";
+    };
+    "account.${domain}" = vhosts.redirect "https://${login}/auth/realms/master/account/";
+  };
+  services.keycloak = {
+    enable = true;
+    frontendUrl = "https://${login}/auth";
+    bindAddress = "127.0.0.1";
+    httpPort = "38080";
+    package = pkgs.keycloak.override { jre = pkgs.jdk11_headless; };
+    database = {
+      createLocally = true;
+      type = "postgresql";
+      passwordFile = config.age.secrets.keycloak-dbpass.path;
+    };
+    extraConfig = {
+      "subsystem=undertow" = {
+        "server=default-server" = {
+          "http-listener=default" = {
+            proxy-address-forwarding = true;
+          };
+        };
+      };
+    };
+  };
+}
--- a/hosts/VEGAS/services/sso/identity-management.nix
+++ b/hosts/VEGAS/services/sso/identity-management.nix
@ -0,0 +1,24 @@
+{ tools, ... }:
+with tools.nginx.vhosts;
+let
+  inherit (tools.meta) domain;
+  front = "ident.${domain}";
+  back = tools.identity.ldap.server.hostname;
+in
+{
+  services.nginx.virtualHosts."${front}" = let
+  in basic // {
+    locations."= /".return = "302 /ipa/ui/";
+    locations."/" = {
+      # HACK: not using proxy_pass here to prevent inclusion of recommended headers
+      extraConfig = ''
+        proxy_pass https://10.10.0.11;
+        proxy_set_header Host ${back};
+        proxy_set_header Referer https://${back}/ipa/ui/;
+        proxy_cookie_domain ${back} ${front};
+        add_header Referer https://${front}/ipa/ui/;
+      '';
+    };
+  };
+}
+
--- a/hosts/VEGAS/system.nix
+++ b/hosts/VEGAS/system.nix
@ -33,6 +33,7 @@
      ./services/nix/nar-serve.nix
      ./services/object-storage
      ./services/openvpn
+      ./services/sso
      ./services/warehouse
      ./services/websites
    ]
--- a/secrets/keycloak-dbpass.age
+++ b/secrets/keycloak-dbpass.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -10,6 +10,7 @@ in with hosts;
  "gitea-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
  "hydra-db-credentials.age".publicKeys = max ++ map systemKeys [ styx ];
  "hydra-s3.age".publicKeys = max ++ map systemKeys [ styx ];
+  "keycloak-dbpass.age".publicKeys = max ++ map systemKeys [ VEGAS ];
  "matrix-appservice-discord-token.age".publicKeys = max ++ map systemKeys [ VEGAS ];
  "minio-console-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];
  "minio-root-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];