foodogsquared/nixos-config
1
0
Fork 0
mirror of https://github.com/foo-dogsquared/nixos-config.git synced 2025-02-07 06:19:00 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

hosts/plover/services/vouch-proxy: format and update settings

Browse Source
This commit is contained in:
Gabriel Arazas 2024-10-20 18:22:32 +08:00
parent 493d241073
commit a042399386
No known key found for this signature in database
GPG Key ID: 62104B43D00AA360
1 changed files with 25 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
configs/nixos/plover/modules/services/vouch-proxy.nix
View File

@ -8,26 +8,21 @@ let
inherit (config.networking) domain;
vouchDomain = "vouch.${config.networking.domain}";
authDomain = config.services.kanidm.serverSettings.domain;
in
{
in {
options.hosts.plover.services.vouch-proxy.enable =
lib.mkEnableOption "Vouch proxy setup";
config = lib.mkIf cfg.enable (lib.mkMerge [
{
state.ports = {
"vouch-proxy-${domain}".value = 19900;
};
state.ports = { "vouch-proxy-${domain}".value = 19900; };
sops.secrets =
let
sops.secrets = let
vouchPermissions = rec {
owner = "vouch-proxy";
group = owner;
mode = "0400";
};
in
foodogsquaredLib.sops-nix.getSecrets ../../secrets/secrets.yaml {
in foodogsquaredLib.sops-nix.getSecrets ../../secrets/secrets.yaml {
"vouch-proxy/domains/${domain}/jwt-secret" = vouchPermissions;
"vouch-proxy/domains/${domain}/client-secret" = vouchPermissions;
};
@ -40,20 +35,23 @@ in
port = config.state.ports."vouch-proxy-${domain}".value;
domains = [ "foodogsquared.one" ];
jwt.secret._secret = config.sops.secrets."vouch-proxy/domains/${domain}/jwt-secret".path;
jwt.secret._secret =
config.sops.secrets."vouch-proxy/domains/${domain}/jwt-secret".path;
cookie.secure = true;
};
oauth = rec {
oauth = let authSubpath = path: "https://${authDomain}/${path}";
in rec {
provider = "oidc";
client_id = "vouch";
client_secret._secret = config.sops.secrets."vouch-proxy/domains/${domain}/client-secret".path;
client_secret._secret =
config.sops.secrets."vouch-proxy/domains/${domain}/client-secret".path;
code_challenge_method = "S256";
auth_url = "https://${authDomain}/ui/oauth2";
token_url = "https://${authDomain}/oauth2/token";
user_info_url = "https://${authDomain}/oauth2/openid/${client_id}/userinfo";
auth_url = authSubpath "ui/oauth2";
token_url = authSubpath "oauth2/token";
user_info_url = authSubpath "oauth2/openid/${client_id}/userinfo";
scopes = [ "openid" "email" "profile" ];
callback_url = "https://${vouchDomain}/auth";
callback_url = authSubpath "auth";
};
};
};
@ -76,10 +74,12 @@ in
services.nginx.upstreams."vouch-proxy" = {
extraConfig = ''
zone services;
zone vouch-proxy 64k;
keepalive 2;
'';
servers = {
"${settings.vouch.listen}:${builtins.toString settings.vouch.port}" = { };
"${settings.vouch.listen}:${builtins.toString settings.vouch.port}" =
{ };
};
};
})