From 3e0135d4716ca6c4a43f1eefdfd550b3aea0e54c Mon Sep 17 00:00:00 2001
From: Max
Date: Sat, 16 Oct 2021 19:39:49 +0200
Subject: [PATCH] VEGAS: add oauth2_proxy

---
 hosts/VEGAS/modules/oauth2-proxy/default.nix | 54 +++++++++++++++++++
 hosts/VEGAS/system.nix | 1 +
 secrets/oauth2_proxy-secrets.age | Bin 0 -> 630 bytes
 secrets/secrets.nix | 1 +
 4 files changed, 56 insertions(+)
 create mode 100644 hosts/VEGAS/modules/oauth2-proxy/default.nix
 create mode 100644 secrets/oauth2_proxy-secrets.age

diff --git a/hosts/VEGAS/modules/oauth2-proxy/default.nix b/hosts/VEGAS/modules/oauth2-proxy/default.nix
new file mode 100644
index 0000000..edca564
--- /dev/null
+++ b/hosts/VEGAS/modules/oauth2-proxy/default.nix
@@ -0,0 +1,54 @@
+{ config, lib, pkgs, tools, ... }:
+let
+ inherit (tools.meta) domain;
+ login = x: "https://login.${domain}/auth/realms/master/protocol/openid-connect/${x}";
+ cfg = config.services.oauth2_proxy;
+in
+{
+ age.secrets.oauth2_proxy-secrets = {
+ file = ../../../../secrets/oauth2_proxy-secrets.age;
+ owner = "root";
+ group = "root";
+ mode = "0400";
+ };
+ services.oauth2_proxy = {
+ enable = true;
+ approvalPrompt = "auto";
+ provider = "keycloak";
+ scope = "openid";
+ clientID = "net.privatevoid.admin-interfaces1";
+ keyFile = config.age.secrets.oauth2_proxy-secrets.path;
+ loginURL = login "auth";
+ redeemURL = login "token";
+ validateURL = login "userinfo";
+ cookie = {
+ secure = true;
+ domain = ".${domain}";
+ };
+ email.domains = [ domain ];
+ extraConfig = {
+ keycloak-group = "/admins";
+ skip-provider-button = true;
+ };
+ };
+ services.nginx.virtualHosts = lib.genAttrs cfg.nginx.virtualHosts (vhost: {
+ # apply protection to the whole vhost, not just /
+ extraConfig = ''
+ auth_request /oauth2/auth;
+ error_page 401 = /oauth2/sign_in;
+
+ # pass information via X-User and X-Email headers to backend,
+ # requires running with --set-xauthrequest flag
+ auth_request_set $user $upstream_http_x_auth_request_user;
+ auth_request_set $email $upstream_http_x_auth_request_email;
+ proxy_set_header X-User $user;
+ proxy_set_header X-Email $email;
+
+ # if you enabled --cookie-refresh, this is needed for it to work with auth_request
+ auth_request_set $auth_cookie $upstream_http_set_cookie;
+ add_header Set-Cookie $auth_cookie;
+ '';
+ locations."/oauth2/".extraConfig = "auth_request off;";
+ locations."/oauth2/auth".extraConfig = "auth_request off;";
+ });
+}
diff --git a/hosts/VEGAS/system.nix b/hosts/VEGAS/system.nix
index a639726..96e13c3 100644
--- a/hosts/VEGAS/system.nix
+++ b/hosts/VEGAS/system.nix
@@ -9,6 +9,7 @@
 # Plumbing
 ./modules/database
 ./modules/nginx
+ ./modules/oauth2-proxy
 inputs.agenix.nixosModules.age
 ]
 # TODO: fix users
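Review bot: The `X-User`/`X-Email` headers that the inlined nginx comment promises will stay empty, because the `services.oauth2_proxy` block never enables `setXauthrequest = true` (the `--set-xauthrequest` flag the comment itself says is required), so `/oauth2/auth` will not emit the `X-Auth-Request-User`/`X-Auth-Request-Email` headers that `auth_request_set` reads; add `setXauthrequest = true;` next to `provider = "keycloak";` unless it is already enabled elsewhere. Note also that nginx only inherits server-level `proxy_set_header` and `add_header` into a location that declares none of its own, so any proxied location in these vhosts that sets its own `proxy_set_header` (NixOS's `recommendedProxySettings` does this for every `proxyPass` location) will neither receive `X-User`/`X-Email` from this block nor have a client-supplied `X-User`/`X-Email` overwritten, which lets a caller spoof identity to a backend that trusts those headers. Consider putting the two `proxy_set_header` lines (and the `add_header Set-Cookie` line) into each protected proxy location, e.g. `locations."/".extraConfig`, so they apply where the upstream request is actually built, and keep only `auth_request`/`error_page` at vhost level. Whether `/oauth2/` and `/oauth2/auth` receive a `proxyPass` from the NixOS `oauth2_proxy.nginx.virtualHosts` option is not visible in this hunk; if they do not, the two `auth_request off;` locations would have nothing to serve.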
diff --git a/secrets/oauth2_proxy-secrets.age b/secrets/oauth2_proxy-secrets.age new file mode 100644 index 0000000000000000000000000000000000000000..c61a25a93e16e8c28a182246b3e3848044a25da2 GIT binary patch literal 630 zcmZ9_L1@!Z002;7h!7YuMGbP1h!A4@#P(N!GQAziE>e zM38~oz=OL8x=rW7gBLGec5;V_=v9WyDWV8^n1~bR=1INo{@|&mff_9h^jyz&TH_8d zL){33PQvZBg&I0W5D^L%@&t*|a0zh>YD{DUTJJ^xWn;KzF*6~BvzinkvRcq8M7@CJ z!U_$MLOT>D5`@$>1e;1#*{CH&I3e!h9be2O!!0EdFD6<<1(UJj zb*dc2`G#0=V(DZ}o#t51r}Lr}@6GCVrH^1%6sqwaLxWUx3U_UnXmhoS)ixR>x~xo# zgjY}JlZi@!;mUTCJG$w(obJ$Yh{zOK5C?YI5mZaUyV#ULCYgBAR9luWkyW1O)n+*? z$_^yhir-9R8XVqL)M_DD@dUN%MKZu(9 zv2nQkcK+bw$gwwTpL+K;Pd!=KdU$U8!!Uh))qB5uVR1{kGVpWfBEa{Dl&5o@yNhRU z{2J@cukW58e7xT$eSYut>Whh`&07z)CHrP<;P~hnb7*eu+lX<09l