Compare commits

...

5 commits

Author SHA1 Message Date
Bruno BELANYI 78064bb2a1 modules: services: nginx: nginx-sso verbose logs
All checks were successful
continuous-integration/drone/push Build is passing
For some reason it still doesn't appear in the systemd log...
2021-08-30 17:38:25 +02:00
Bruno BELANYI 70af0ba99a modules: services: nginx: add SSO 2021-08-30 17:36:39 +02:00
Bruno BELANYI dc2a3610a6 modules: services: nginx: enable explicitly 2021-08-30 17:36:39 +02:00
Bruno BELANYI 894b571745 secrets: add sso 2021-08-30 17:36:39 +02:00
Bruno BELANYI 2049e7a2c5 secrets: allow lists in types 2021-08-30 15:35:00 +02:00
8 changed files with 171 additions and 4 deletions

View file

@ -90,6 +90,9 @@ in
enable = true; enable = true;
password = my.secrets.nextcloud.password; password = my.secrets.nextcloud.password;
}; };
nginx = {
enable = true;
};
# The whole *arr software suite # The whole *arr software suite
pirate.enable = true; pirate.enable = true;
# Podcast automatic downloader # Podcast automatic downloader

View file

@ -34,6 +34,10 @@ let
''; '';
}; };
sso = {
enable = mkEnableOption "SSO authentication";
};
extraConfig = mkOption { extraConfig = mkOption {
type = types.attrs; # FIXME: forward type of virtualHosts type = types.attrs; # FIXME: forward type of virtualHosts
example = litteralExample '' example = litteralExample ''
@ -54,10 +58,7 @@ let
in in
{ {
options.my.services.nginx = with lib; { options.my.services.nginx = with lib; {
enable = enable = mkEnableOption "Nginx";
mkEnableOption "Nginx, activates when `virtualHosts` is not empty" // {
default = builtins.length cfg.virtualHosts != 0;
};
monitoring = { monitoring = {
enable = my.mkDisableOption "monitoring through grafana and prometheus"; enable = my.mkDisableOption "monitoring through grafana and prometheus";
@ -92,6 +93,22 @@ in
List of virtual hosts to set-up using default settings. List of virtual hosts to set-up using default settings.
''; '';
}; };
sso = {
subdomain = mkOption {
type = types.str;
default = "login";
example = "auth";
description = "Which subdomain, to use for SSO.";
};
port = mkOption {
type = types.port;
default = 8082;
example = 8080;
description = "Port to use for internal webui.";
};
};
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
@ -173,12 +190,134 @@ in
}) })
# VHost specific configuration # VHost specific configuration
args.extraConfig args.extraConfig
# SSO configuration
(lib.optionalAttrs args.sso.enable {
extraConfig = (args.extraConfig.extraConfig or "") + ''
error_page 401 = @error401;
'';
locations."@error401".return = ''
302 https://${cfg.sso.subdomain}.${config.networking.domain}/login?go=$scheme://$http_host$request_uri
'';
locations."/" = {
extraConfig =
(args.extraConfig.locations."/".extraConfig or "") + ''
# Use SSO
auth_request /sso-auth;
# Set username through header
auth_request_set $username $upstream_http_x_username;
proxy_set_header X-User $username;
# Renew SSO cookie on request
auth_request_set $cookie $upstream_http_set_cookie;
add_header Set-Cookie $cookie;
'';
};
locations."/sso-auth" = {
proxyPass = "http://localhost:${toString cfg.sso.port}/auth";
extraConfig = ''
# Do not allow requests from outside
internal;
# Do not forward the request body
proxy_pass_request_body off;
proxy_set_header Content-Length "";
# Set X-Application according to subdomain for matching
proxy_set_header X-Application "${subdomain}";
# Set origin URI for matching
proxy_set_header X-Origin-URI $request_uri;
'';
};
})
]) ])
); );
in in
lib.my.genAttrs' cfg.virtualHosts mkVHost; lib.my.genAttrs' cfg.virtualHosts mkVHost;
sso = {
enable = true;
configuration = {
listen = {
addr = "127.0.0.1";
inherit (cfg.sso) port;
}; };
audit_log = {
target = [
"fd://stdout"
];
events = [
"access_denied"
"login_success"
"login_failure"
"logout"
"validate"
];
headers = [
"x-origin-uri"
"x-application"
];
};
cookie = {
domain = ".${config.networking.domain}";
secure = true;
authentication_key = config.my.secrets.sso.auth_key;
};
login = {
title = "Ambroisie's SSO";
default_method = "simple";
hide_mfa_field = false;
names = {
simple = "Username / Password";
};
};
providers = {
simple =
let
applyUsers = lib.flip lib.mapAttrs config.my.secrets.sso.users;
in
{
users = applyUsers (_: v: v.passwordHash);
mfa = applyUsers (_: v: [{
provider = "totp";
attributes = {
secret = v.totpSecret;
};
}]);
inherit (config.my.secrets.sso) groups;
};
};
acl = {
rule_sets = [
{
rules = [{ field = "x-application"; present = true; }];
allow = [ "@root" ];
}
];
};
};
};
};
my.services.nginx.virtualHosts = [
{
subdomain = "login";
inherit (cfg.sso) port;
}
];
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
# Nginx needs to be able to read the certificates # Nginx needs to be able to read the certificates

View file

@ -20,6 +20,7 @@ throwOnCanary {
int int
str str
(attrsOf valueType) (attrsOf valueType)
(listOf valueType)
]; ];
in in
valueType; valueType;
@ -57,6 +58,8 @@ throwOnCanary {
podgrab.password = fileContents ./podgrab/password.txt; podgrab.password = fileContents ./podgrab/password.txt;
sso = import ./sso { inherit lib; };
transmission.password = fileContents ./transmission/password.txt; transmission.password = fileContents ./transmission/password.txt;
users = { users = {

1
secrets/sso/.gitattributes vendored Normal file
View file

@ -0,0 +1 @@
/default.nix filter diff

Binary file not shown.

Binary file not shown.

BIN
secrets/sso/auth-key.txt Normal file

Binary file not shown.

21
secrets/sso/default.nix Normal file
View file

@ -0,0 +1,21 @@
{ lib }:
let
inherit (lib) fileContents;
importUser = (user: {
# bcrypt hashed: `htpasswd -BnC 10 ""`
passwordHash = fileContents (./. + "/${user}/password-hash.txt");
# base32 encoded: `printf '<secret>' | base32 | tr -d =`
totpSecret = fileContents (./. + "/${user}/totp-secret.txt");
});
in
{
auth_key = fileContents ./auth-key.txt;
users = lib.flip lib.genAttrs importUser [
"ambroisie"
];
groups = {
root = [ "ambroisie" ];
};
}