mirror of
https://github.com/Swarsel/.dotfiles.git
synced 2025-12-06 17:17:22 +01:00
107 lines
3.4 KiB
Nix
107 lines
3.4 KiB
Nix
{ lib, config, ... }:
|
|
let
|
|
kanidmDomain = "sso.swarsel.win";
|
|
oauth2ProxyDomain = "soauth.swarsel.win";
|
|
oauth2ProxyPort = 3004;
|
|
in
|
|
{
|
|
options.swarselsystems.modules.server.oauth2Proxy = lib.mkEnableOption "enable oauth2-proxy on server";
|
|
config = lib.mkIf config.swarselsystems.modules.server.oauth2Proxy {
|
|
|
|
sops = {
|
|
secrets = {
|
|
"oauth2-cookie-secret" = { owner = "oauth2-proxy"; group = "oauth2-proxy"; mode = "0440"; };
|
|
"kanidm-oauth2-proxy-client" = { owner = "oauth2-proxy"; group = "oauth2-proxy"; mode = "0440"; };
|
|
};
|
|
|
|
templates = {
|
|
"kanidm-oauth2-proxy-client-env" = {
|
|
content = ''
|
|
OAUTH2_PROXY_CLIENT_SECRET="${config.sops.placeholder.kanidm-oauth2-proxy-client}"
|
|
OAUTH2_PROXY_COOKIE_SECRET=${config.sops.placeholder.oauth2-cookie-secret}
|
|
'';
|
|
owner = "oauth2-proxy";
|
|
group = "oauth2-proxy";
|
|
mode = "0440";
|
|
};
|
|
};
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [ oauth2ProxyPort ];
|
|
|
|
services = {
|
|
oauth2-proxy = {
|
|
enable = true;
|
|
cookie = {
|
|
domain = ".swarsel.win";
|
|
secure = true;
|
|
expire = "900m";
|
|
secret = null; # set by service EnvironmentFile
|
|
};
|
|
clientSecret = null; # set by service EnvironmentFile
|
|
reverseProxy = true;
|
|
httpAddress = "0.0.0.0:${builtins.toString oauth2ProxyPort}";
|
|
redirectURL = "https://${oauth2ProxyDomain}/oauth2/callback";
|
|
setXauthrequest = true;
|
|
extraConfig = {
|
|
code-challenge-method = "S256";
|
|
whitelist-domain = ".swarsel.win";
|
|
set-authorization-header = true;
|
|
pass-access-token = true;
|
|
skip-jwt-bearer-tokens = true;
|
|
upstream = "static://202";
|
|
oidc-issuer-url = "https://${kanidmDomain}/oauth2/openid/oauth2-proxy";
|
|
provider-display-name = "Kanidm";
|
|
};
|
|
provider = "oidc";
|
|
scope = "openid email";
|
|
loginURL = "https://${kanidmDomain}/ui/oauth2";
|
|
redeemURL = "https://${kanidmDomain}/oauth2/token";
|
|
validateURL = "https://${kanidmDomain}/oauth2/openid/oauth2-proxy/userinfo";
|
|
clientID = "oauth2-proxy";
|
|
email.domains = [ "*" ];
|
|
};
|
|
};
|
|
|
|
systemd.services = {
|
|
oauth2-proxy = {
|
|
# after = [ "kanidm.service" ];
|
|
serviceConfig = {
|
|
RuntimeDirectory = "oauth2-proxy";
|
|
RuntimeDirectoryMode = "0750";
|
|
UMask = "007"; # TODO remove once https://github.com/oauth2-proxy/oauth2-proxy/issues/2141 is fixed
|
|
RestartSec = "60"; # Retry every minute
|
|
EnvironmentFile = [
|
|
config.sops.templates.kanidm-oauth2-proxy-client-env.path
|
|
];
|
|
};
|
|
};
|
|
};
|
|
|
|
services.nginx = {
|
|
upstreams = {
|
|
oauth2-proxy = {
|
|
servers = {
|
|
"localhost:${builtins.toString oauth2ProxyPort}" = { };
|
|
};
|
|
};
|
|
};
|
|
virtualHosts = {
|
|
"${oauth2ProxyDomain}" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
acmeRoot = null;
|
|
locations = {
|
|
"/" = {
|
|
proxyPass = "http://oauth2-proxy";
|
|
};
|
|
};
|
|
extraConfig = ''
|
|
proxy_set_header X-Scheme $scheme;
|
|
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
};
|
|
}
|