From c7766afe90675ad7ecabd9bba9214633e3e46d4f Mon Sep 17 00:00:00 2001
From: Bruno BELANYI
Date: Sat, 25 Sep 2021 13:41:43 +0200
Subject: [PATCH] modules: services: nginx: allow sso secret files

This is in preparation of the migration to agenix, which does not allow access to the secrets at build time.
---
 machines/porthos/services.nix | 16 ++++++++
 modules/services/nginx/default.nix | 61 +++++++++++++++++++++++++++---
 2 files changed, 71 insertions(+), 6 deletions(-)

diff --git a/machines/porthos/services.nix b/machines/porthos/services.nix
index 824265c..02ae69e 100644
--- a/machines/porthos/services.nix
+++ b/machines/porthos/services.nix
@@ -109,6 +109,22 @@ in
 acme = {
 credentialsFile = builtins.toFile "gandi-key.env" my.secrets.acme.key;
 };
+ sso = {
+ authKeyFile = secrets."sso/auth-key".path;
+ users = {
+ ambroisie = {
+ passwordHashFile = builtins.toFile
+ "ambroisie-sso-pass.txt"
+ my.secrets.sso.ambroisie.passwordHash;
+ totpSecretFile = builtins.toFile
+ "ambroisie-sso-totp.txt"
+ my.secrets.sso.ambroisie.totpSecret;
+ };
+ };
+ groups = {
+ root = [ "ambroisie" ];
+ };
+ };
 };
 paperless = {
 enable = true;
diff --git a/modules/services/nginx/default.nix b/modules/services/nginx/default.nix
index bb773c9..d5d8b31 100644
--- a/modules/services/nginx/default.nix
+++ b/modules/services/nginx/default.nix
@@ -1,5 +1,5 @@
 # A simple abstraction layer for almost all of my services' needs
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, utils, ... }:
 let
 cfg = config.my.services.nginx;
@@ -105,6 +105,14 @@ in
 };
 sso = {
+ authKeyFile = mkOption {
+ type = types.str;
+ example = "/var/lib/nginx-sso/auth-key.txt";
+ description = ''
+ Path to the auth key.
+ '';
+ };
+
 subdomain = mkOption {
 type = types.str;
 default = "login";
@@ -118,6 +126,43 @@ in
 example = 8080;
 description = "Port to use for internal webui.";
 };
+
+ users = mkOption {
+ type = types.attrsOf (types.submodule {
+ options = {
+ passwordHashFile = mkOption {
+ type = types.str;
+ example = "/var/lib/nginx-sso/alice/password-hash.txt";
+ description = "Path to file containing the user's password hash.";
+ };
+ totpSecretFile = mkOption {
+ type = types.str;
+ example = "/var/lib/nginx-sso/alice/totp-secret.txt";
+ description = "Path to file containing the user's TOTP secret.";
+ };
+ };
+ });
+ example = litteralExample ''
+ {
+ alice = {
+ passwordHashFile = "/var/lib/nginx-sso/alice/password-hash.txt";
+ totpSecretFile = "/var/lib/nginx-sso/alice/totp-secret.txt";
+ };
+ }
+ '';
+ description = "Definition of users";
+ };
+
+ groups = mkOption {
+ type = with types; attrsOf (listOf str);
+ example = litteralExample ''
+ {
+ root = [ "alice" ];
+ users = [ "alice" "bob" ];
+ }
+ '';
+ description = "Groups of users";
+ };
 };
 };
@@ -278,7 +323,9 @@ in
 cookie = {
 domain = ".${config.networking.domain}";
 secure = true;
- authentication_key = config.my.secrets.sso.auth_key;
+ authentication_key = {
+ _secret = cfg.sso.authKeyFile;
+ };
 };
 login = {
@@ -293,19 +340,21 @@ in
 providers = {
 simple = let
- applyUsers = lib.flip lib.mapAttrs config.my.secrets.sso.users;
+ applyUsers = lib.flip lib.mapAttrs cfg.sso.users;
 in {
- users = applyUsers (_: v: v.passwordHash);
+ users = applyUsers (_: v: { _secret = v.passwordHashFile; });
 mfa = applyUsers (_: v: [{
 provider = "totp";
 attributes = {
- secret = v.totpSecret;
+ secret = {
+ _secret = v.totpSecretFile;
+ };
 };
 }]);
- inherit (config.my.secrets.sso) groups;
+ inherit (cfg.sso) groups;
 };
 };
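Review bot: `passwordHashFile` and `totpSecretFile` are still produced with `builtins.toFile`, which writes the password hash and the TOTP secret into the world-readable Nix store, so the new `*File` options only move these two secrets out of the generated config file, not out of the store. The TOTP secret is a live credential rather than a hash, so it is the one to migrate first; the `authKeyFile = secrets."sso/auth-key".path;` line just above already shows the intended shape, e.g. `totpSecretFile = secrets."sso/ambroisie-totp".path;` (secret name illustrative) and likewise for the password hash. The commit message frames this as preparation for agenix, so if the store copies are an accepted interim state, a `# TODO: move to agenix secret` comment on each of the two `builtins.toFile` calls would make that explicit for the next reader.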
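Review bot: `utils` is added to the module's argument set, but no hunk in this patch references it, so it looks like a leftover from a draft or a dependency of a later commit. An unused module argument does not affect evaluation, but it sends the next reader looking for a use that does not exist; either drop it from this commit or add it together with the code that needs it. The `let` block this hunk opens continues outside the hunk.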
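Review bot: The description of `authKeyFile`, `Path to the auth key.`, does not say how the path is consumed, which is the one thing a user of this option needs to know. Later in this patch the value is passed to nginx-sso as `{ _secret = cfg.sso.authKeyFile; }`, which presumably means the file is read on the target host when the service starts rather than at build time, so the description should state that and its consequences: `Path to a file containing the cookie authentication key. It is read on the target host when nginx-sso starts, so it must exist there and be readable by the account the service runs as; do not point it at a Nix store path.` The same wording, adapted, applies to the `passwordHashFile` and `totpSecretFile` options in the `users` submodule of the next hunk.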
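Review bot: `litteralExample` in the `example` of both the `users` and `groups` options is a misspelling; the nixpkgs helper is `literalExample` (`lib.literalExample`, superseded by `literalExpression` in newer nixpkgs). Unless this file defines a helper under that name, these two lines raise an undefined-variable error whenever the examples are evaluated, typically when option documentation is rendered, while an ordinary system build may not notice because `example` is evaluated lazily; the fix is `example = literalExample ''` on both lines. Separately, neither `users` nor `groups` has a `default`, so enabling sso without defining both fails with an option-used-but-not-defined error at the `cfg.sso.users` and `cfg.sso.groups` references later in the file; `default = { };` on `groups` at least seems reasonable if groups are optional.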
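Review bot: `{ _secret = cfg.sso.authKeyFile; }` defers reading the key to the host, which is the point of the change, but nothing in the patch ensures the file is readable by the account nginx-sso runs as. If the upstream module substitutes `_secret` paths in a pre-start step that runs as the service user (as the jq secret-replacement helpers do), a root-only mode-0400 secret, which is what an agenix secret gets by default, makes the service fail at start, so the secret declaration needs its owner/group or mode set for that account; the same applies to the per-user `passwordHashFile` and `totpSecretFile` paths in the next hunk. If instead the substitution runs as root before privileges drop, a short comment on this line saying so would spare the next reader the check.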