hosts/plover/services/vouch-proxy: format and update settings

This commit is contained in:
Gabriel Arazas 2024-10-20 18:22:32 +08:00
parent 493d241073
commit a042399386
No known key found for this signature in database
GPG Key ID: 62104B43D00AA360


@ -8,29 +8,24 @@ let
inherit (config.networking) domain; inherit (config.networking) domain;
vouchDomain = "vouch.${config.networking.domain}"; vouchDomain = "vouch.${config.networking.domain}";
authDomain = config.services.kanidm.serverSettings.domain; authDomain = config.services.kanidm.serverSettings.domain;
in in {
{
options.hosts.plover.services.vouch-proxy.enable = options.hosts.plover.services.vouch-proxy.enable =
lib.mkEnableOption "Vouch proxy setup"; lib.mkEnableOption "Vouch proxy setup";
config = lib.mkIf cfg.enable (lib.mkMerge [ config = lib.mkIf cfg.enable (lib.mkMerge [
{ {
state.ports = { state.ports = { "vouch-proxy-${domain}".value = 19900; };
"vouch-proxy-${domain}".value = 19900;
};
sops.secrets = sops.secrets = let
let vouchPermissions = rec {
vouchPermissions = rec { owner = "vouch-proxy";
owner = "vouch-proxy"; group = owner;
group = owner; mode = "0400";
mode = "0400";
};
in
foodogsquaredLib.sops-nix.getSecrets ../../secrets/secrets.yaml {
"vouch-proxy/domains/${domain}/jwt-secret" = vouchPermissions;
"vouch-proxy/domains/${domain}/client-secret" = vouchPermissions;
}; };
in foodogsquaredLib.sops-nix.getSecrets ../../secrets/secrets.yaml {
"vouch-proxy/domains/${domain}/jwt-secret" = vouchPermissions;
"vouch-proxy/domains/${domain}/client-secret" = vouchPermissions;
};
services.vouch-proxy = { services.vouch-proxy = {
enable = true; enable = true;
@ -40,20 +35,23 @@ in
port = config.state.ports."vouch-proxy-${domain}".value; port = config.state.ports."vouch-proxy-${domain}".value;
domains = [ "foodogsquared.one" ]; domains = [ "foodogsquared.one" ];
jwt.secret._secret = config.sops.secrets."vouch-proxy/domains/${domain}/jwt-secret".path; jwt.secret._secret =
config.sops.secrets."vouch-proxy/domains/${domain}/jwt-secret".path;
cookie.secure = true; cookie.secure = true;
}; };
oauth = rec { oauth = let authSubpath = path: "https://${authDomain}/${path}";
in rec {
provider = "oidc"; provider = "oidc";
client_id = "vouch"; client_id = "vouch";
client_secret._secret = config.sops.secrets."vouch-proxy/domains/${domain}/client-secret".path; client_secret._secret =
config.sops.secrets."vouch-proxy/domains/${domain}/client-secret".path;
code_challenge_method = "S256"; code_challenge_method = "S256";
auth_url = "https://${authDomain}/ui/oauth2"; auth_url = authSubpath "ui/oauth2";
token_url = "https://${authDomain}/oauth2/token"; token_url = authSubpath "oauth2/token";
user_info_url = "https://${authDomain}/oauth2/openid/${client_id}/userinfo"; user_info_url = authSubpath "oauth2/openid/${client_id}/userinfo";
scopes = [ "openid" "email" "profile" ]; scopes = [ "openid" "email" "profile" ];
callback_url = "https://${vouchDomain}/auth"; callback_url = authSubpath "auth";
}; };
}; };
}; };
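Review bot: `callback_url = authSubpath "auth"` on the new side now expands to `https://${authDomain}/auth`, whereas the old line was `https://${vouchDomain}/auth`; the callback is the redirect URI on the vouch-proxy host that receives the authorization code, not a path on the Kanidm server, so this looks like an over-eager application of the new `authSubpath` helper rather than an intended change. If it is unintended, the login flow will either be rejected at the IdP's redirect-URI check or deliver the code to the wrong host, and `vouchDomain` from the surrounding let block appears to keep its old purpose for exactly this line. Suggest restoring `callback_url = "https://${vouchDomain}/auth";` and leaving `authSubpath` for the `auth_url`/`token_url`/`user_info_url` lines only. The enclosing `services.vouch-proxy.settings` attribute set starts before this hunk.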
@ -76,10 +74,12 @@ in
services.nginx.upstreams."vouch-proxy" = { services.nginx.upstreams."vouch-proxy" = {
extraConfig = '' extraConfig = ''
zone services; zone vouch-proxy 64k;
keepalive 2;
''; '';
servers = { servers = {
"${settings.vouch.listen}:${builtins.toString settings.vouch.port}" = { }; "${settings.vouch.listen}:${builtins.toString settings.vouch.port}" =
{ };
}; };
}; };
}) })