modules: services: nginx: allow sso secret files

This is in preparation for the migration to agenix, which does not allow
access to the secrets at build time.
Bruno BELANYI 2021-09-25 13:41:43 +02:00
parent dc5a44ce82
commit c7766afe90
2 changed files with 71 additions and 6 deletions

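--- a/<file path not shown on page>
+++ b/<file path not shown on page>
@@ -109,6 +109,22 @@ in
 acme = {
 credentialsFile = builtins.toFile "gandi-key.env" my.secrets.acme.key;
 };
+sso = {
+authKeyFile = secrets."sso/auth-key".path;
+users = {
+ambroisie = {
+passwordHashFile = builtins.toFile
+"ambroisie-sso-pass.txt"
+my.secrets.sso.ambroisie.passwordHash;
+totpSecretFile = builtins.toFile
+"ambroisie-sso-totp.txt"
+my.secrets.sso.ambroisie.totpSecret;
+};
+};
+groups = {
+root = [ "ambroisie" ];
+};
+};
 paperless = {
 enable = true;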
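Review bot: `passwordHashFile` and `totpSecretFile` in the new `sso.users.ambroisie` block are still built with `builtins.toFile`, which places the password hash and the TOTP secret in the Nix store as world-readable files (and in any binary cache the closure is pushed to), whereas `authKeyFile` already reads `secrets."sso/auth-key".path`. Given the commit message frames this as a step towards agenix, a marker next to those two attributes would keep the remaining gap visible, e.g. `# TODO(agenix): still world-readable in the store via builtins.toFile`. `secrets` is not bound anywhere in this hunk, so I am assuming it is a let-binding to the agenix secrets set defined elsewhere in the file.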


@ -1,5 +1,5 @@
# A simple abstraction layer for almost all of my services' needs # A simple abstraction layer for almost all of my services' needs
{ config, lib, pkgs, ... }: { config, lib, pkgs, utils, ... }:
let let
cfg = config.my.services.nginx; cfg = config.my.services.nginx;
@ -105,6 +105,14 @@ in
}; };
sso = { sso = {
authKeyFile = mkOption {
type = types.str;
example = "/var/lib/nginx-sso/auth-key.txt";
description = ''
Path to the auth key.
'';
};
subdomain = mkOption { subdomain = mkOption {
type = types.str; type = types.str;
default = "login"; default = "login";
@ -118,6 +126,43 @@ in
example = 8080; example = 8080;
description = "Port to use for internal webui."; description = "Port to use for internal webui.";
}; };
users = mkOption {
type = types.attrsOf (types.submodule {
options = {
passwordHashFile = mkOption {
type = types.str;
example = "/var/lib/nginx-sso/alice/password-hash.txt";
description = "Path to file containing the user's password hash.";
};
totpSecretFile = mkOption {
type = types.str;
example = "/var/lib/nginx-sso/alice/totp-secret.txt";
description = "Path to file containing the user's TOTP secret.";
};
};
});
example = litteralExample ''
{
alice = {
passwordHashFile = "/var/lib/nginx-sso/alice/password-hash.txt";
totpSecretFile = "/var/lib/nginx-sso/alice/totp-secret.txt";
};
}
'';
description = "Definition of users";
};
groups = mkOption {
type = with types; attrsOf (listOf str);
example = litteralExample ''
{
root = [ "alice" ];
users = [ "alice" "bob" ];
}
'';
description = "Groups of users";
};
}; };
}; };
@ -278,7 +323,9 @@ in
cookie = { cookie = {
domain = ".${config.networking.domain}"; domain = ".${config.networking.domain}";
secure = true; secure = true;
authentication_key = config.my.secrets.sso.auth_key; authentication_key = {
_secret = cfg.sso.authKeyFile;
};
}; };
login = { login = {
@ -293,19 +340,21 @@ in
providers = { providers = {
simple = simple =
let let
applyUsers = lib.flip lib.mapAttrs config.my.secrets.sso.users; applyUsers = lib.flip lib.mapAttrs cfg.sso.users;
in in
{ {
users = applyUsers (_: v: v.passwordHash); users = applyUsers (_: v: { _secret = v.passwordHashFile; });
mfa = applyUsers (_: v: [{ mfa = applyUsers (_: v: [{
provider = "totp"; provider = "totp";
attributes = { attributes = {
secret = v.totpSecret; secret = {
_secret = v.totpSecretFile;
};
}; };
}]); }]);
inherit (config.my.secrets.sso) groups; inherit (cfg.sso) groups;
}; };
}; };