modules: services: nginx: nginx-sso verbose logs

For some reason it still doesn't appear in the systemd log...
modules: services: nginx: add SSO
2021-08-30 17:38:25 +02:00 · 2021-08-30 17:36:39 +02:00 · 2021-08-30 17:36:39 +02:00 · 2021-08-30 17:36:39 +02:00 · 2021-08-30 15:35:00 +02:00
8 changed files with 171 additions and 4 deletions
--- a/machines/porthos/services.nix
+++ b/machines/porthos/services.nix
@ -90,6 +90,9 @@ in
      enable = true;
      password = my.secrets.nextcloud.password;
    };
+    nginx = {
+      enable = true;
+    };
    # The whole *arr software suite
    pirate.enable = true;
    # Podcast automatic downloader
--- a/modules/services/nginx.nix
+++ b/modules/services/nginx.nix
@ -34,6 +34,10 @@ let
        '';
      };

+      sso = {
+        enable = mkEnableOption "SSO authentication";
+      };
+
      extraConfig = mkOption {
        type = types.attrs; # FIXME: forward type of virtualHosts
        example = litteralExample ''
@ -54,10 +58,7 @@ let
 in
 {
  options.my.services.nginx = with lib; {
-    enable =
-      mkEnableOption "Nginx, activates when `virtualHosts` is not empty" // {
-        default = builtins.length cfg.virtualHosts != 0;
-      };
+    enable = mkEnableOption "Nginx";

    monitoring = {
      enable = my.mkDisableOption "monitoring through grafana and prometheus";
@ -92,6 +93,22 @@ in
        List of virtual hosts to set-up using default settings.
      '';
    };
+
+    sso = {
+      subdomain = mkOption {
+        type = types.str;
+        default = "login";
+        example = "auth";
+        description = "Which subdomain, to use for SSO.";
+      };
+
+      port = mkOption {
+        type = types.port;
+        default = 8082;
+        example = 8080;
+        description = "Port to use for internal webui.";
+      };
+    };
  };

  config = lib.mkIf cfg.enable {
@ -173,12 +190,134 @@ in
              })
              # VHost specific configuration
              args.extraConfig
+              # SSO configuration
+              (lib.optionalAttrs args.sso.enable {
+                extraConfig = (args.extraConfig.extraConfig or "") + ''
+                  error_page 401 = @error401;
+                '';
+
+                locations."@error401".return = ''
+                  302 https://${cfg.sso.subdomain}.${config.networking.domain}/login?go=$scheme://$http_host$request_uri
+                '';
+
+                locations."/" = {
+                  extraConfig =
+                    (args.extraConfig.locations."/".extraConfig or "") + ''
+                      # Use SSO
+                      auth_request /sso-auth;
+
+                      # Set username through header
+                      auth_request_set $username $upstream_http_x_username;
+                      proxy_set_header X-User $username;
+
+                      # Renew SSO cookie on request
+                      auth_request_set $cookie $upstream_http_set_cookie;
+                      add_header Set-Cookie $cookie;
+                    '';
+                };
+
+                locations."/sso-auth" = {
+                  proxyPass = "http://localhost:${toString cfg.sso.port}/auth";
+                  extraConfig = ''
+                    # Do not allow requests from outside
+                    internal;
+
+                    # Do not forward the request body
+                    proxy_pass_request_body off;
+                    proxy_set_header Content-Length "";
+
+                    # Set X-Application according to subdomain for matching
+                    proxy_set_header X-Application "${subdomain}";
+
+                    # Set origin URI for matching
+                    proxy_set_header X-Origin-URI $request_uri;
+                  '';
+                };
+              })
            ])
          );
        in
        lib.my.genAttrs' cfg.virtualHosts mkVHost;
+
+      sso = {
+        enable = true;
+
+        configuration = {
+          listen = {
+            addr = "127.0.0.1";
+            inherit (cfg.sso) port;
+          };
+
+          audit_log = {
+            target = [
+              "fd://stdout"
+            ];
+            events = [
+              "access_denied"
+              "login_success"
+              "login_failure"
+              "logout"
+              "validate"
+            ];
+            headers = [
+              "x-origin-uri"
+              "x-application"
+            ];
+          };
+
+          cookie = {
+            domain = ".${config.networking.domain}";
+            secure = true;
+            authentication_key = config.my.secrets.sso.auth_key;
+          };
+
+          login = {
+            title = "Ambroisie's SSO";
+            default_method = "simple";
+            hide_mfa_field = false;
+            names = {
+              simple = "Username / Password";
+            };
+          };
+
+          providers = {
+            simple =
+              let
+                applyUsers = lib.flip lib.mapAttrs config.my.secrets.sso.users;
+              in
+              {
+                users = applyUsers (_: v: v.passwordHash);
+
+                mfa = applyUsers (_: v: [{
+                  provider = "totp";
+                  attributes = {
+                    secret = v.totpSecret;
+                  };
+                }]);
+
+                inherit (config.my.secrets.sso) groups;
+              };
+          };
+
+          acl = {
+            rule_sets = [
+              {
+                rules = [{ field = "x-application"; present = true; }];
+                allow = [ "@root" ];
+              }
+            ];
+          };
+        };
+      };
    };

+    my.services.nginx.virtualHosts = [
+      {
+        subdomain = "login";
+        inherit (cfg.sso) port;
+      }
+    ];
+
    networking.firewall.allowedTCPPorts = [ 80 443 ];

    # Nginx needs to be able to read the certificates
--- a/secrets/default.nix
+++ b/secrets/default.nix
@ -20,6 +20,7 @@ throwOnCanary {
          int
          str
          (attrsOf valueType)
+          (listOf valueType)
        ];
      in
      valueType;
@ -57,6 +58,8 @@ throwOnCanary {

    podgrab.password = fileContents ./podgrab/password.txt;

+    sso = import ./sso { inherit lib; };
+
    transmission.password = fileContents ./transmission/password.txt;

    users = {
--- a/secrets/sso/.gitattributes
+++ b/secrets/sso/.gitattributes
@ -0,0 +1 @@
+/default.nix filter diff
--- a/secrets/sso/ambroisie/password-hash.txt
+++ b/secrets/sso/ambroisie/password-hash.txt
--- a/secrets/sso/ambroisie/totp-secret.txt
+++ b/secrets/sso/ambroisie/totp-secret.txt
--- a/secrets/sso/auth-key.txt
+++ b/secrets/sso/auth-key.txt
--- a/secrets/sso/default.nix
+++ b/secrets/sso/default.nix
@ -0,0 +1,21 @@
+{ lib }:
+let
+  inherit (lib) fileContents;
+  importUser = (user: {
+    # bcrypt hashed: `htpasswd -BnC 10 ""`
+    passwordHash = fileContents (./. + "/${user}/password-hash.txt");
+    # base32 encoded: `printf '<secret>' | base32  | tr -d =`
+    totpSecret = fileContents (./. + "/${user}/totp-secret.txt");
+  });
+in
+{
+  auth_key = fileContents ./auth-key.txt;
+
+  users = lib.flip lib.genAttrs importUser [
+    "ambroisie"
+  ];
+
+  groups = {
+    root = [ "ambroisie" ];
+  };
+}
Author	SHA1	Message	Date
Bruno BELANYI	78064bb2a1	modules: services: nginx: nginx-sso verbose logs All checks were successful continuous-integration/drone/push Build is passing Details For some reason it still doesn't appear in the systemd log...	2021-08-30 17:38:25 +02:00
Bruno BELANYI	70af0ba99a	modules: services: nginx: add SSO	2021-08-30 17:36:39 +02:00
Bruno BELANYI	dc2a3610a6	modules: services: nginx: enable explicitly	2021-08-30 17:36:39 +02:00
Bruno BELANYI	894b571745	secrets: add sso	2021-08-30 17:36:39 +02:00
Bruno BELANYI	2049e7a2c5	secrets: allow lists in types	2021-08-30 15:35:00 +02:00