privatevoid.net/depot
1
1
Fork 0
Code Issues 23 Pull requests 2 Projects 3 Releases Packages Wiki Activity Actions

VEGAS: add oauth2_proxy

Browse source
This commit is contained in:
Max Headroom 2021-10-16 19:39:49 +02:00
parent 0ad3c2b5ab
commit 3e0135d471
4 changed files with 56 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

54
hosts/VEGAS/modules/oauth2-proxy/default.nix Normal file
View file

@ -0,0 +1,54 @@
{ config, lib, pkgs, tools, ... }:
let
inherit (tools.meta) domain;
login = x: "https://login.${domain}/auth/realms/master/protocol/openid-connect/${x}";
cfg = config.services.oauth2_proxy;
in
{
age.secrets.oauth2_proxy-secrets = {
file = ../../../../secrets/oauth2_proxy-secrets.age;
owner = "root";
group = "root";
mode = "0400";
};
services.oauth2_proxy = {
enable = true;
approvalPrompt = "auto";
provider = "keycloak";
scope = "openid";
clientID = "net.privatevoid.admin-interfaces1";
keyFile = config.age.secrets.oauth2_proxy-secrets.path;
loginURL = login "auth";
redeemURL = login "token";
validateURL = login "userinfo";
cookie = {
secure = true;
domain = ".${domain}";
};
email.domains = [ domain ];
extraConfig = {
keycloak-group = "/admins";
skip-provider-button = true;
};
};
services.nginx.virtualHosts = lib.genAttrs cfg.nginx.virtualHosts (vhost: {
# apply protection to the whole vhost, not just /
extraConfig = ''
auth_request /oauth2/auth;
error_page 401 = /oauth2/sign_in;
# pass information via X-User and X-Email headers to backend,
# requires running with --set-xauthrequest flag
auth_request_set $user $upstream_http_x_auth_request_user;
auth_request_set $email $upstream_http_x_auth_request_email;
proxy_set_header X-User $user;
proxy_set_header X-Email $email;
# if you enabled --cookie-refresh, this is needed for it to work with auth_request
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
'';
locations."/oauth2/".extraConfig = "auth_request off;";
locations."/oauth2/auth".extraConfig = "auth_request off;";
});
}

1
hosts/VEGAS/system.nix
View file

@ -9,6 +9,7 @@
# Plumbing # Plumbing
./modules/database ./modules/database
./modules/nginx ./modules/nginx
./modules/oauth2-proxy
inputs.agenix.nixosModules.age inputs.agenix.nixosModules.age
] ]
# TODO: fix users # TODO: fix users

BIN
secrets/oauth2_proxy-secrets.age Normal file
View file

Binary file not shown.

1
secrets/secrets.nix
View file

@ -7,4 +7,5 @@ in with hosts;
"hydra-s3.age".publicKeys = max ++ map systemKeys [ styx ]; "hydra-s3.age".publicKeys = max ++ map systemKeys [ styx ];
"hydra-db-credentials.age".publicKeys = max ++ map systemKeys [ styx ]; "hydra-db-credentials.age".publicKeys = max ++ map systemKeys [ styx ];
"gitea-db-credentials.age".publicKeys = max ++ map systemKeys [ git ]; "gitea-db-credentials.age".publicKeys = max ++ map systemKeys [ git ];
"oauth2_proxy-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];
} }