modules: services: nginx: nginx-sso verbose logs

For some reason it still doesn't appear in the systemd log...
modules: services: nginx: add SSO
2021-08-30 17:38:25 +02:00 · 2021-08-30 17:36:39 +02:00 · 2021-08-30 17:36:39 +02:00 · 2021-08-30 17:36:39 +02:00 · 2021-08-30 15:35:00 +02:00
8 changed files with 171 additions and 4 deletions
--- a/machines/porthos/services.nix
+++ b/machines/porthos/services.nix
@ -90,6 +90,9 @@ in
      enable = true;
      password = my.secrets.nextcloud.password;
    };
    nginx = {
      enable = true;
    };
    # The whole *arr software suite
    pirate.enable = true;
    # Podcast automatic downloader
--- a/modules/services/nginx.nix
+++ b/modules/services/nginx.nix
@ -34,6 +34,10 @@ let
        '';
      };
      sso = {
        enable = mkEnableOption "SSO authentication";
      };
      extraConfig = mkOption {
        type = types.attrs; # FIXME: forward type of virtualHosts
        example = litteralExample ''
@ -54,10 +58,7 @@ let
 in
 {
  options.my.services.nginx = with lib; {
-    enable =
+    enable = mkEnableOption "Nginx";
      mkEnableOption "Nginx, activates when `virtualHosts` is not empty" // {
        default = builtins.length cfg.virtualHosts != 0;
      };
    monitoring = {
      enable = my.mkDisableOption "monitoring through grafana and prometheus";
@ -92,6 +93,22 @@ in
        List of virtual hosts to set-up using default settings.
      '';
    };
    sso = {
      subdomain = mkOption {
        type = types.str;
        default = "login";
        example = "auth";
        description = "Which subdomain, to use for SSO.";
      };
      port = mkOption {
        type = types.port;
        default = 8082;
        example = 8080;
        description = "Port to use for internal webui.";
      };
    };
  };
  config = lib.mkIf cfg.enable {
@ -173,12 +190,134 @@ in
              })
              # VHost specific configuration
              args.extraConfig
              # SSO configuration
              (lib.optionalAttrs args.sso.enable {
                extraConfig = (args.extraConfig.extraConfig or "") + ''
                  error_page 401 = @error401;
                '';
                locations."@error401".return = ''
                  302 https://${cfg.sso.subdomain}.${config.networking.domain}/login?go=$scheme://$http_host$request_uri
                '';
                locations."/" = {
                  extraConfig =
                    (args.extraConfig.locations."/".extraConfig or "") + ''
                      # Use SSO
                      auth_request /sso-auth;
                      # Set username through header
                      auth_request_set $username $upstream_http_x_username;
                      proxy_set_header X-User $username;
                      # Renew SSO cookie on request
                      auth_request_set $cookie $upstream_http_set_cookie;
                      add_header Set-Cookie $cookie;
                    '';
                };
                locations."/sso-auth" = {
                  proxyPass = "http://localhost:${toString cfg.sso.port}/auth";
                  extraConfig = ''
                    # Do not allow requests from outside
                    internal;
                    # Do not forward the request body
                    proxy_pass_request_body off;
                    proxy_set_header Content-Length "";
                    # Set X-Application according to subdomain for matching
                    proxy_set_header X-Application "${subdomain}";
                    # Set origin URI for matching
                    proxy_set_header X-Origin-URI $request_uri;
                  '';
                };
              })
            ])
          );
        in
        lib.my.genAttrs' cfg.virtualHosts mkVHost;
      sso = {
        enable = true;
        configuration = {
          listen = {
            addr = "127.0.0.1";
            inherit (cfg.sso) port;
          };
          audit_log = {
            target = [
              "fd://stdout"
            ];
            events = [
              "access_denied"
              "login_success"
              "login_failure"
              "logout"
              "validate"
            ];
            headers = [
              "x-origin-uri"
              "x-application"
            ];
          };
          cookie = {
            domain = ".${config.networking.domain}";
            secure = true;
            authentication_key = config.my.secrets.sso.auth_key;
          };
          login = {
            title = "Ambroisie's SSO";
            default_method = "simple";
            hide_mfa_field = false;
            names = {
              simple = "Username / Password";
            };
          };
          providers = {
            simple =
              let
                applyUsers = lib.flip lib.mapAttrs config.my.secrets.sso.users;
              in
              {
                users = applyUsers (_: v: v.passwordHash);
                mfa = applyUsers (_: v: [{
                  provider = "totp";
                  attributes = {
                    secret = v.totpSecret;
                  };
                }]);
                inherit (config.my.secrets.sso) groups;
              };
          };
          acl = {
            rule_sets = [
              {
                rules = [{ field = "x-application"; present = true; }];
                allow = [ "@root" ];
              }
            ];
          };
        };
      };
    };
    my.services.nginx.virtualHosts = [
      {
        subdomain = "login";
        inherit (cfg.sso) port;
      }
    ];
    networking.firewall.allowedTCPPorts = [ 80 443 ];
    # Nginx needs to be able to read the certificates
--- a/secrets/default.nix
+++ b/secrets/default.nix
@ -20,6 +20,7 @@ throwOnCanary {
          int
          str
          (attrsOf valueType)
          (listOf valueType)
        ];
      in
      valueType;
@ -57,6 +58,8 @@ throwOnCanary {
    podgrab.password = fileContents ./podgrab/password.txt;
    sso = import ./sso { inherit lib; };
    transmission.password = fileContents ./transmission/password.txt;
    users = {
--- a/secrets/sso/.gitattributes
+++ b/secrets/sso/.gitattributes
@ -0,0 +1 @@
 /default.nix filter diff
--- a/secrets/sso/ambroisie/password-hash.txt
+++ b/secrets/sso/ambroisie/password-hash.txt
--- a/secrets/sso/ambroisie/totp-secret.txt
+++ b/secrets/sso/ambroisie/totp-secret.txt
--- a/secrets/sso/auth-key.txt
+++ b/secrets/sso/auth-key.txt
--- a/secrets/sso/default.nix
+++ b/secrets/sso/default.nix
@ -0,0 +1,21 @@
 { lib }:
 let
  inherit (lib) fileContents;
  importUser = (user: {
    # bcrypt hashed: `htpasswd -BnC 10 ""`
    passwordHash = fileContents (./. + "/${user}/password-hash.txt");
    # base32 encoded: `printf '<secret>' | base32  | tr -d =`
    totpSecret = fileContents (./. + "/${user}/totp-secret.txt");
  });
 in
 {
  auth_key = fileContents ./auth-key.txt;
  users = lib.flip lib.genAttrs importUser [
    "ambroisie"
  ];
  groups = {
    root = [ "ambroisie" ];
  };
 }
Author	SHA1	Message	Date
Bruno BELANYI	78064bb2a1	modules: services: nginx: nginx-sso verbose logs All checks were successful continuous-integration/drone/push Build is passing Details For some reason it still doesn't appear in the systemd log...	2021-08-30 17:38:25 +02:00
Bruno BELANYI	70af0ba99a	modules: services: nginx: add SSO	2021-08-30 17:36:39 +02:00
Bruno BELANYI	dc2a3610a6	modules: services: nginx: enable explicitly	2021-08-30 17:36:39 +02:00
Bruno BELANYI	894b571745	secrets: add sso	2021-08-30 17:36:39 +02:00
Bruno BELANYI	2049e7a2c5	secrets: allow lists in types	2021-08-30 15:35:00 +02:00