nixos-config/hosts/plover/modules/services/vouch-proxy.nix

{ config, lib, pkgs, ... }:

let
  inherit (config.services.vouch-proxy.instances."${vouchDomain}") settings;
  vouchDomain = "vouch.${config.networking.domain}";
  authDomain = config.services.kanidm.serverSettings.domain;
in
{
  sops.secrets = lib.getSecrets ../../secrets/secrets.yaml {
    "vouch-proxy/jwt/secret" = { };
    "vouch-proxy/client/secret" = { };
  };

  services.vouch-proxy = {
    enable = true;
    instances."${vouchDomain}".settings = {
      vouch = {
        listen = "127.0.0.1";
        port = 19900;

        domains = [ "foodogsquared.one" ];
        jwt.secret._secret = config.sops.secrets."vouch-proxy/jwt/secret".path;
      };

      oauth = rec {
        provider = "oidc";
        client_id = "vouch";
        client_secret._secret = config.sops.secrets."vouch-proxy/client/secret".path;
        code_challenge_method = "S256";
        auth_url = "${authDomain}/ui/oauth2";
        token_url = "${authDomain}/oauth2/token";
        user_info_url = "${authDomain}/oauth2/openid/${client_id}/userinfo";
        scopes = [ "login" "email" ];
        callback_url = "https://${vouchDomain}/auth";
      };
    };
  };

  services.nginx.virtualHosts."${vouchDomain}" = {
    forceSSL = true;
    enableACME = true;
    acmeRoot = null;
    kTLS = true;
    locations."/" = {
      proxyPass = "http://vouch-proxy";
      extraConfig = ''
        proxy_set_header  Host  ${vouchDomain};
        proxy_set_header  X-Forwarded-Proto https;
      '';
    };
  };

  services.nginx.upstreams."vouch-proxy" = {
    extraConfig = ''
      zone apps;
    '';
    servers = {
      "${settings.vouch.listen}:${builtins.toString settings.vouch.port}" = { };
    };
  };
}
hosts/plover: init Vouch proxy server 2023-10-07 19:28:14 +00:00			`{ config, lib, pkgs, ... }:`

			`let`
services/vouch-proxy: restructure for multiple instances This resolves some cases where the admin does not have all of their users within the protected domain and some in others. 2023-10-09 12:43:13 +00:00			`inherit (config.services.vouch-proxy.instances."${vouchDomain}") settings;`
hosts/plover: init Vouch proxy server 2023-10-07 19:28:14 +00:00			`vouchDomain = "vouch.${config.networking.domain}";`
			`authDomain = config.services.kanidm.serverSettings.domain;`
			`in`
			`{`
			`sops.secrets = lib.getSecrets ../../secrets/secrets.yaml {`
			`"vouch-proxy/jwt/secret" = { };`
			`"vouch-proxy/client/secret" = { };`
			`};`

			`services.vouch-proxy = {`
			`enable = true;`
services/vouch-proxy: restructure for multiple instances This resolves some cases where the admin does not have all of their users within the protected domain and some in others. 2023-10-09 12:43:13 +00:00			`instances."${vouchDomain}".settings = {`
hosts/plover: init Vouch proxy server 2023-10-07 19:28:14 +00:00			`vouch = {`
			`listen = "127.0.0.1";`
			`port = 19900;`

			`domains = [ "foodogsquared.one" ];`
			`jwt.secret._secret = config.sops.secrets."vouch-proxy/jwt/secret".path;`
			`};`

			`oauth = rec {`
			`provider = "oidc";`
hosts/plover: update Vouch proxy config 2023-10-09 12:26:11 +00:00			`client_id = "vouch";`
hosts/plover: init Vouch proxy server 2023-10-07 19:28:14 +00:00			`client_secret._secret = config.sops.secrets."vouch-proxy/client/secret".path;`
hosts/plover: update Vouch proxy config 2023-10-09 12:26:11 +00:00			`code_challenge_method = "S256";`
hosts/plover: init Vouch proxy server 2023-10-07 19:28:14 +00:00			`auth_url = "${authDomain}/ui/oauth2";`
			`token_url = "${authDomain}/oauth2/token";`
			`user_info_url = "${authDomain}/oauth2/openid/${client_id}/userinfo";`
hosts/plover: update Vouch proxy config 2023-10-09 12:26:11 +00:00			`scopes = [ "login" "email" ];`
hosts/plover: init Vouch proxy server 2023-10-07 19:28:14 +00:00			`callback_url = "https://${vouchDomain}/auth";`
			`};`
			`};`
			`};`

			`services.nginx.virtualHosts."${vouchDomain}" = {`
			`forceSSL = true;`
			`enableACME = true;`
			`acmeRoot = null;`
			`kTLS = true;`
			`locations."/" = {`
hosts/plover: properly add nginx upstreams Even though this is unlikely to be scaled further, we're just being good sysadmins (or at least roleplaying as one). 2023-10-13 08:48:02 +00:00			`proxyPass = "http://vouch-proxy";`
hosts/plover: init Vouch proxy server 2023-10-07 19:28:14 +00:00			`extraConfig = ''`
			`proxy_set_header Host ${vouchDomain};`
			`proxy_set_header X-Forwarded-Proto https;`
			`'';`
			`};`
			`};`
hosts/plover: properly add nginx upstreams Even though this is unlikely to be scaled further, we're just being good sysadmins (or at least roleplaying as one). 2023-10-13 08:48:02 +00:00
			`services.nginx.upstreams."vouch-proxy" = {`
			`extraConfig = ''`
			`zone apps;`
			`'';`
			`servers = {`
			`"${settings.vouch.listen}:${builtins.toString settings.vouch.port}" = { };`
			`};`
			`};`
hosts/plover: init Vouch proxy server 2023-10-07 19:28:14 +00:00			`}`