hosts/plover: init Vouch proxy server

2025-01-31 10:58:02 +00:00 · 2023-10-08 03:28:14 +08:00 · 2023-10-08 03:28:14 +08:00 · 6ec18948b5
commit 6ec18948b5
parent 0eadf55fd5
2 changed files with 55 additions and 1 deletions
--- a/hosts/plover/default.nix
+++ b/hosts/plover/default.nix
@ -28,6 +28,10 @@ in
    # The reverse proxy of choice.
    ./modules/services/nginx.nix

+    # The single-sign on setup.
+    ./modules/services/kanidm.nix
+    ./modules/services/vouch-proxy.nix
+
    # The monitoring stack.
    ./modules/services/grafana.nix

@ -39,7 +43,6 @@ in
    # configuring it here will make it too big.
    ./modules/services/atuin.nix
    ./modules/services/gitea.nix
-    ./modules/services/kanidm.nix
    ./modules/services/vaultwarden.nix
    ./modules/services/wireguard.nix
    ./modules/services/wezterm-mux-server.nix
--- a/hosts/plover/modules/services/vouch-proxy.nix
+++ b/hosts/plover/modules/services/vouch-proxy.nix
@ -0,0 +1,51 @@
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (config.services.vouch-proxy) settings;
+  vouchDomain = "vouch.${config.networking.domain}";
+  authDomain = config.services.kanidm.serverSettings.domain;
+in
+{
+  sops.secrets = lib.getSecrets ../../secrets/secrets.yaml {
+    "vouch-proxy/jwt/secret" = { };
+    "vouch-proxy/client/secret" = { };
+  };
+
+  services.vouch-proxy = {
+    enable = true;
+    settings = {
+      vouch = {
+        listen = "127.0.0.1";
+        port = 19900;
+
+        domains = [ "foodogsquared.one" ];
+        jwt.secret._secret = config.sops.secrets."vouch-proxy/jwt/secret".path;
+      };
+
+      oauth = rec {
+        provider = "oidc";
+        client_id = "kanidm";
+        client_secret._secret = config.sops.secrets."vouch-proxy/client/secret".path;
+        auth_url = "${authDomain}/ui/oauth2";
+        token_url = "${authDomain}/oauth2/token";
+        user_info_url = "${authDomain}/oauth2/openid/${client_id}/userinfo";
+        scopes = [ "login" ];
+        callback_url = "https://${vouchDomain}/auth";
+      };
+    };
+  };
+
+  services.nginx.virtualHosts."${vouchDomain}" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+    kTLS = true;
+    locations."/" = {
+      proxyPass = "http://${settings.vouch.listen}:${builtins.toString settings.vouch.port}";
+      extraConfig = ''
+        proxy_set_header  Host  ${vouchDomain};
+        proxy_set_header  X-Forwarded-Proto https;
+      '';
+    };
+  };
+}