2024-02-11 07:16:25 +00:00
|
|
|
{ config, lib, pkgs, foodogsquaredLib, ... }:
|
2023-10-07 19:28:14 +00:00
|
|
|
|
|
|
|
|
let
|
2023-12-11 08:30:00 +00:00
|
|
|
hostCfg = config.hosts.plover;
|
|
|
|
|
cfg = hostCfg.services.vouch-proxy;
|
|
|
|
|
|
2023-10-09 12:43:13 +00:00
|
|
|
inherit (config.services.vouch-proxy.instances."${vouchDomain}") settings;
|
2024-09-23 11:13:29 +00:00
|
|
|
inherit (config.networking) domain;
|
2023-10-07 19:28:14 +00:00
|
|
|
vouchDomain = "vouch.${config.networking.domain}";
|
|
|
|
|
authDomain = config.services.kanidm.serverSettings.domain;
|
2024-10-20 10:22:32 +00:00
|
|
|
in {
|
2023-12-15 05:27:12 +00:00
|
|
|
options.hosts.plover.services.vouch-proxy.enable =
|
|
|
|
|
lib.mkEnableOption "Vouch proxy setup";
|
2023-10-07 19:28:14 +00:00
|
|
|
|
2023-12-11 08:30:00 +00:00
|
|
|
config = lib.mkIf cfg.enable (lib.mkMerge [
|
|
|
|
|
{
|
2024-10-20 10:22:32 +00:00
|
|
|
state.ports = { "vouch-proxy-${domain}".value = 19900; };
|
2024-09-23 11:13:29 +00:00
|
|
|
|
2024-10-20 10:22:32 +00:00
|
|
|
sops.secrets = let
|
|
|
|
|
vouchPermissions = rec {
|
|
|
|
|
owner = "vouch-proxy";
|
|
|
|
|
group = owner;
|
|
|
|
|
mode = "0400";
|
2023-12-11 08:30:00 +00:00
|
|
|
};
|
2024-10-20 10:22:32 +00:00
|
|
|
in foodogsquaredLib.sops-nix.getSecrets ../../secrets/secrets.yaml {
|
|
|
|
|
"vouch-proxy/domains/${domain}/jwt-secret" = vouchPermissions;
|
|
|
|
|
"vouch-proxy/domains/${domain}/client-secret" = vouchPermissions;
|
|
|
|
|
};
|
2023-10-07 19:28:14 +00:00
|
|
|
|
2023-12-11 08:30:00 +00:00
|
|
|
services.vouch-proxy = {
|
|
|
|
|
enable = true;
|
|
|
|
|
instances."${vouchDomain}".settings = {
|
|
|
|
|
vouch = {
|
|
|
|
|
listen = "127.0.0.1";
|
2024-09-23 11:13:29 +00:00
|
|
|
port = config.state.ports."vouch-proxy-${domain}".value;
|
2023-12-11 08:30:00 +00:00
|
|
|
|
|
|
|
|
domains = [ "foodogsquared.one" ];
|
2024-10-20 10:22:32 +00:00
|
|
|
jwt.secret._secret =
|
|
|
|
|
config.sops.secrets."vouch-proxy/domains/${domain}/jwt-secret".path;
|
2024-09-23 11:13:29 +00:00
|
|
|
cookie.secure = true;
|
2023-12-11 08:30:00 +00:00
|
|
|
};
|
|
|
|
|
|
2024-10-20 10:22:32 +00:00
|
|
|
oauth = let authSubpath = path: "https://${authDomain}/${path}";
|
|
|
|
|
in rec {
|
2023-12-11 08:30:00 +00:00
|
|
|
provider = "oidc";
|
|
|
|
|
client_id = "vouch";
|
2024-10-20 10:22:32 +00:00
|
|
|
client_secret._secret =
|
|
|
|
|
config.sops.secrets."vouch-proxy/domains/${domain}/client-secret".path;
|
2023-12-11 08:30:00 +00:00
|
|
|
code_challenge_method = "S256";
|
2024-10-20 10:22:32 +00:00
|
|
|
auth_url = authSubpath "ui/oauth2";
|
|
|
|
|
token_url = authSubpath "oauth2/token";
|
|
|
|
|
user_info_url = authSubpath "oauth2/openid/${client_id}/userinfo";
|
2023-12-11 08:30:00 +00:00
|
|
|
scopes = [ "openid" "email" "profile" ];
|
2024-10-20 10:22:32 +00:00
|
|
|
callback_url = authSubpath "auth";
|
2023-12-11 08:30:00 +00:00
|
|
|
};
|
|
|
|
|
};
|
2023-10-07 19:28:14 +00:00
|
|
|
};
|
2023-12-11 08:30:00 +00:00
|
|
|
}
|
2023-10-07 19:28:14 +00:00
|
|
|
|
2023-12-11 08:30:00 +00:00
|
|
|
(lib.mkIf hostCfg.services.reverse-proxy.enable {
|
|
|
|
|
services.nginx.virtualHosts."${vouchDomain}" = {
|
|
|
|
|
forceSSL = true;
|
|
|
|
|
enableACME = true;
|
|
|
|
|
acmeRoot = null;
|
|
|
|
|
kTLS = true;
|
|
|
|
|
locations."/" = {
|
|
|
|
|
proxyPass = "http://vouch-proxy";
|
|
|
|
|
extraConfig = ''
|
|
|
|
|
proxy_set_header Host ${vouchDomain};
|
|
|
|
|
proxy_set_header X-Forwarded-Proto https;
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
};
|
2023-10-13 08:48:02 +00:00
|
|
|
|
2023-12-11 08:30:00 +00:00
|
|
|
services.nginx.upstreams."vouch-proxy" = {
|
|
|
|
|
extraConfig = ''
|
2024-10-20 10:22:32 +00:00
|
|
|
zone vouch-proxy 64k;
|
|
|
|
|
keepalive 2;
|
2023-12-11 08:30:00 +00:00
|
|
|
'';
|
|
|
|
|
servers = {
|
2024-10-20 10:22:32 +00:00
|
|
|
"${settings.vouch.listen}:${builtins.toString settings.vouch.port}" =
|
|
|
|
|
{ };
|
2023-12-11 08:30:00 +00:00
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
})
|
|
|
|
|
]);
|
2023-10-07 19:28:14 +00:00
|
|
|
}
|
