hosts/plover: init Vouch proxy server

This commit is contained in:
Gabriel Arazas 2023-10-08 03:28:14 +08:00
parent 0eadf55fd5
commit 6ec18948b5
No known key found for this signature in database
GPG Key ID: ADE0C41DAB221FCC
2 changed files with 55 additions and 1 deletions


@ -28,6 +28,10 @@ in
# The reverse proxy of choice. # The reverse proxy of choice.
./modules/services/nginx.nix ./modules/services/nginx.nix
# The single-sign on setup.
./modules/services/kanidm.nix
./modules/services/vouch-proxy.nix
# The monitoring stack. # The monitoring stack.
./modules/services/grafana.nix ./modules/services/grafana.nix
@ -39,7 +43,6 @@ in
# configuring it here will make it too big. # configuring it here will make it too big.
./modules/services/atuin.nix ./modules/services/atuin.nix
./modules/services/gitea.nix ./modules/services/gitea.nix
./modules/services/kanidm.nix
./modules/services/vaultwarden.nix ./modules/services/vaultwarden.nix
./modules/services/wireguard.nix ./modules/services/wireguard.nix
./modules/services/wezterm-mux-server.nix ./modules/services/wezterm-mux-server.nix


@ -0,0 +1,51 @@
{ config, lib, pkgs, ... }:
let
inherit (config.services.vouch-proxy) settings;
vouchDomain = "vouch.${config.networking.domain}";
authDomain = config.services.kanidm.serverSettings.domain;
in
{
sops.secrets = lib.getSecrets ../../secrets/secrets.yaml {
"vouch-proxy/jwt/secret" = { };
"vouch-proxy/client/secret" = { };
};
services.vouch-proxy = {
enable = true;
settings = {
vouch = {
listen = "127.0.0.1";
port = 19900;
domains = [ "foodogsquared.one" ];
jwt.secret._secret = config.sops.secrets."vouch-proxy/jwt/secret".path;
};
oauth = rec {
provider = "oidc";
client_id = "kanidm";
client_secret._secret = config.sops.secrets."vouch-proxy/client/secret".path;
auth_url = "${authDomain}/ui/oauth2";
token_url = "${authDomain}/oauth2/token";
user_info_url = "${authDomain}/oauth2/openid/${client_id}/userinfo";
scopes = [ "login" ];
callback_url = "https://${vouchDomain}/auth";
};
};
};
services.nginx.virtualHosts."${vouchDomain}" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
kTLS = true;
locations."/" = {
proxyPass = "http://${settings.vouch.listen}:${builtins.toString settings.vouch.port}";
extraConfig = ''
proxy_set_header Host ${vouchDomain};
proxy_set_header X-Forwarded-Proto https;
'';
};
};
}
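Review bot: `authDomain` on line 37 is read from `services.kanidm.serverSettings.domain`, yet the `auth_url`, `token_url` and `user_info_url` values built from it on lines 57–59 carry no scheme, so if that option holds a bare hostname (as the kanidm module's `domain` option does, in contrast to its `origin` option) vouch-proxy would be handed scheme-less endpoint URLs and the OIDC flow would not complete. Either `authDomain = config.services.kanidm.serverSettings.origin;` or prefixing each URL with `https://` (`auth_url = "https://${authDomain}/ui/oauth2";` and likewise for the other two) would make the endpoints explicit TLS URLs. Separately, `domains = [ "foodogsquared.one" ]` on line 50 is hard-coded while `vouchDomain` is derived from `config.networking.domain`; `domains = [ config.networking.domain ];` would keep the cookie domain in step with the host. The `scopes = [ "login" ]` value on line 60 is also worth confirming against kanidm's OIDC requirements, since an OIDC provider generally needs the `openid` scope to issue an id_token.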