nixos-config/configs/nixos/plover/modules/services/vouch-proxy.nix
Gabriel Arazas a4177f9382
flake-parts/setups: set separate namespace for custom library
This at least allows us to make custom environment-specific library sets.
2024-02-11 15:16:25 +08:00


{ config, lib, pkgs, foodogsquaredLib, ... }:

# Vouch proxy for the plover host, authenticating against the host's Kanidm
# server over OIDC. Both secrets are handed to the service as sops-managed
# file paths rather than as literal values in this configuration.
let
  hostCfg = config.hosts.plover;
  cfg = hostCfg.services.vouch-proxy;

  # Public name of this vouch instance and the Kanidm server it defers to.
  vouchDomain = "vouch.${config.networking.domain}";
  authDomain = config.services.kanidm.serverSettings.domain;

  # Settings of the instance declared below; nginx reads the listener
  # address from here so it is not duplicated.
  settings = config.services.vouch-proxy.instances."${vouchDomain}".settings;

  # Both secret files are readable only by the service user.
  secretOwner = "vouch-proxy";
  secretPerms = {
    owner = secretOwner;
    group = secretOwner;
    mode = "0400";
  };

  oauthClientId = "vouch";
in
{
  options.hosts.plover.services.vouch-proxy.enable =
    lib.mkEnableOption "Vouch proxy setup";

  config = lib.mkIf cfg.enable (lib.mkMerge [
    {
      sops.secrets = foodogsquaredLib.sops-nix.getSecrets ../../secrets/secrets.yaml {
        "vouch-proxy/jwt/secret" = secretPerms;
        "vouch-proxy/client/secret" = secretPerms;
      };

      services.vouch-proxy = {
        enable = true;
        instances."${vouchDomain}".settings = {
          vouch = {
            # Loopback only; the nginx virtual host below is the only public entry point.
            listen = "127.0.0.1";
            port = 19900;
            # NOTE(review): literal zone rather than config.networking.domain —
            # confirm the two are intended to be the same.
            domains = [ "foodogsquared.one" ];
            # `_secret` passes the sops-managed path, not the secret value itself.
            jwt.secret._secret = config.sops.secrets."vouch-proxy/jwt/secret".path;
          };

          oauth = {
            provider = "oidc";
            client_id = oauthClientId;
            client_secret._secret = config.sops.secrets."vouch-proxy/client/secret".path;
            # PKCE with the SHA-256 challenge method for the authorization-code flow.
            code_challenge_method = "S256";
            auth_url = "https://${authDomain}/ui/oauth2";
            token_url = "https://${authDomain}/oauth2/token";
            user_info_url = "https://${authDomain}/oauth2/openid/${oauthClientId}/userinfo";
            scopes = [ "openid" "email" "profile" ];
            callback_url = "https://${vouchDomain}/auth";
          };
        };
      };
    }

    # TLS-terminating front end, only when this host also runs the reverse proxy.
    (lib.mkIf hostCfg.services.reverse-proxy.enable {
      services.nginx = {
        upstreams."vouch-proxy" = {
          extraConfig = ''
            zone services;
          '';
          servers."${settings.vouch.listen}:${builtins.toString settings.vouch.port}" = { };
        };

        virtualHosts."${vouchDomain}" = {
          forceSSL = true;
          enableACME = true;
          acmeRoot = null;
          kTLS = true;
          locations."/" = {
            proxyPass = "http://vouch-proxy";
            # Pass the host name and the original scheme on to vouch so it sees
            # the request as having arrived over HTTPS.
            extraConfig = ''
              proxy_set_header Host ${vouchDomain};
              proxy_set_header X-Forwarded-Proto https;
            '';
          };
        };
      };
    })
  ]);
}