{ config, lib, pkgs, ... }:
let
hostCfg = config.hosts.plover;
cfg = hostCfg.services.vouch-proxy;
inherit (config.services.vouch-proxy.instances."${vouchDomain}") settings;
vouchDomain = "vouch.${config.networking.domain}";
authDomain = config.services.kanidm.serverSettings.domain;
in
{
options.hosts.plover.services.vouch-proxy.enable =
lib.mkEnableOption "Vouch proxy setup";
config = lib.mkIf cfg.enable (lib.mkMerge [
{
sops.secrets =
let
vouchPermissions = rec {
owner = "vouch-proxy";
group = owner;
mode = "0400";
};
in
lib.private.getSecrets ../../secrets/secrets.yaml {
"vouch-proxy/jwt/secret" = vouchPermissions;
"vouch-proxy/client/secret" = vouchPermissions;
};
services.vouch-proxy = {
enable = true;
instances."${vouchDomain}".settings = {
vouch = {
listen = "127.0.0.1";
port = 19900;
domains = [ "foodogsquared.one" ];
jwt.secret._secret = config.sops.secrets."vouch-proxy/jwt/secret".path;
};
oauth = rec {
provider = "oidc";
client_id = "vouch";
client_secret._secret = config.sops.secrets."vouch-proxy/client/secret".path;
code_challenge_method = "S256";
auth_url = "https://${authDomain}/ui/oauth2";
token_url = "https://${authDomain}/oauth2/token";
user_info_url = "https://${authDomain}/oauth2/openid/${client_id}/userinfo";
scopes = [ "openid" "email" "profile" ];
callback_url = "https://${vouchDomain}/auth";
};
};
};
}
(lib.mkIf hostCfg.services.reverse-proxy.enable {
services.nginx.virtualHosts."${vouchDomain}" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
kTLS = true;
locations."/" = {
proxyPass = "http://vouch-proxy";
extraConfig = ''
proxy_set_header Host ${vouchDomain};
proxy_set_header X-Forwarded-Proto https;
'';
};
};
services.nginx.upstreams."vouch-proxy" = {
extraConfig = ''
zone services;
'';
servers = {
"${settings.vouch.listen}:${builtins.toString settings.vouch.port}" = { };
};
};
})
]);
}