ambroisie/nix-config
ambroisie/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Compare commits

base: ambroisie:78064bb2a1910c6fbd0956d8e9290ee0fa10621c
Branches Tags
ambroisie:main
ambroisie:add-impermanence
ambroisie:add-nixgl
ambroisie:add-typos-hook
ambroisie:add-bazel-template
ambroisie:nvim-lua-lsp
ambroisie:xdg-nix
ambroisie:export-nixos-homes
ambroisie:add-matrix-bridges
..
compare: ambroisie:7032ddef37fcb244d95894c493cc3586b9c9ceb1
Branches Tags
ambroisie:main
ambroisie:add-impermanence
ambroisie:add-nixgl
ambroisie:add-typos-hook
ambroisie:add-bazel-template
ambroisie:nvim-lua-lsp
ambroisie:xdg-nix
ambroisie:export-nixos-homes
ambroisie:add-matrix-bridges

No commits in common. "78064bb2a1910c6fbd0956d8e9290ee0fa10621c" and "7032ddef37fcb244d95894c493cc3586b9c9ceb1" have entirely different histories.
78064bb2a1 ... 7032ddef37

8 changed files with 4 additions and 171 deletions
Show stats Expand all files Collapse all files

3
machines/porthos/services.nix
View file

@ -90,9 +90,6 @@ in
enable = true;
password = my.secrets.nextcloud.password;
};
nginx = {
enable = true;
};
# The whole *arr software suite
pirate.enable = true;
# Podcast automatic downloader

147
modules/services/nginx.nix
View file

@ -34,10 +34,6 @@ let
'';
};
sso = {
enable = mkEnableOption "SSO authentication";
};
extraConfig = mkOption {
type = types.attrs; # FIXME: forward type of virtualHosts
example = litteralExample ''
@ -58,7 +54,10 @@ let
in
{
options.my.services.nginx = with lib; {
enable = mkEnableOption "Nginx";
enable =
mkEnableOption "Nginx, activates when `virtualHosts` is not empty" // {
default = builtins.length cfg.virtualHosts != 0;
};
monitoring = {
enable = my.mkDisableOption "monitoring through grafana and prometheus";
@ -93,22 +92,6 @@ in
List of virtual hosts to set-up using default settings.
'';
};
sso = {
subdomain = mkOption {
type = types.str;
default = "login";
example = "auth";
description = "Which subdomain, to use for SSO.";
};
port = mkOption {
type = types.port;
default = 8082;
example = 8080;
description = "Port to use for internal webui.";
};
};
};
config = lib.mkIf cfg.enable {
@ -190,134 +173,12 @@ in
})
# VHost specific configuration
args.extraConfig
# SSO configuration
(lib.optionalAttrs args.sso.enable {
extraConfig = (args.extraConfig.extraConfig or "") + ''
error_page 401 = @error401;
'';
locations."@error401".return = ''
302 https://${cfg.sso.subdomain}.${config.networking.domain}/login?go=$scheme://$http_host$request_uri
'';
locations."/" = {
extraConfig =
(args.extraConfig.locations."/".extraConfig or "") + ''
# Use SSO
auth_request /sso-auth;
# Set username through header
auth_request_set $username $upstream_http_x_username;
proxy_set_header X-User $username;
# Renew SSO cookie on request
auth_request_set $cookie $upstream_http_set_cookie;
add_header Set-Cookie $cookie;
'';
};
locations."/sso-auth" = {
proxyPass = "http://localhost:${toString cfg.sso.port}/auth";
extraConfig = ''
# Do not allow requests from outside
internal;
# Do not forward the request body
proxy_pass_request_body off;
proxy_set_header Content-Length "";
# Set X-Application according to subdomain for matching
proxy_set_header X-Application "${subdomain}";
# Set origin URI for matching
proxy_set_header X-Origin-URI $request_uri;
'';
};
})
])
);
in
lib.my.genAttrs' cfg.virtualHosts mkVHost;
sso = {
enable = true;
configuration = {
listen = {
addr = "127.0.0.1";
inherit (cfg.sso) port;
};
audit_log = {
target = [
"fd://stdout"
];
events = [
"access_denied"
"login_success"
"login_failure"
"logout"
"validate"
];
headers = [
"x-origin-uri"
"x-application"
];
};
cookie = {
domain = ".${config.networking.domain}";
secure = true;
authentication_key = config.my.secrets.sso.auth_key;
};
login = {
title = "Ambroisie's SSO";
default_method = "simple";
hide_mfa_field = false;
names = {
simple = "Username / Password";
};
};
providers = {
simple =
let
applyUsers = lib.flip lib.mapAttrs config.my.secrets.sso.users;
in
{
users = applyUsers (_: v: v.passwordHash);
mfa = applyUsers (_: v: [{
provider = "totp";
attributes = {
secret = v.totpSecret;
};
}]);
inherit (config.my.secrets.sso) groups;
};
};
acl = {
rule_sets = [
{
rules = [{ field = "x-application"; present = true; }];
allow = [ "@root" ];
}
];
};
};
};
};
my.services.nginx.virtualHosts = [
{
subdomain = "login";
inherit (cfg.sso) port;
}
];
networking.firewall.allowedTCPPorts = [ 80 443 ];
# Nginx needs to be able to read the certificates

3
secrets/default.nix
View file

@ -20,7 +20,6 @@ throwOnCanary {
int
str
(attrsOf valueType)
(listOf valueType)
];
in
valueType;
@ -58,8 +57,6 @@ throwOnCanary {
podgrab.password = fileContents ./podgrab/password.txt;
sso = import ./sso { inherit lib; };
transmission.password = fileContents ./transmission/password.txt;
users = {

1
secrets/sso/.gitattributes vendored
View file

@ -1 +0,0 @@
/default.nix filter diff

BIN
secrets/sso/ambroisie/password-hash.txt
View file

Binary file not shown.

BIN
secrets/sso/ambroisie/totp-secret.txt
View file

Binary file not shown.

BIN
secrets/sso/auth-key.txt
View file

Binary file not shown.

21
secrets/sso/default.nix
View file

@ -1,21 +0,0 @@
{ lib }:
let
inherit (lib) fileContents;
importUser = (user: {
# bcrypt hashed: `htpasswd -BnC 10 ""`
passwordHash = fileContents (./. + "/${user}/password-hash.txt");
# base32 encoded: `printf '<secret>' | base32 | tr -d =`
totpSecret = fileContents (./. + "/${user}/totp-secret.txt");
});
in
{
auth_key = fileContents ./auth-key.txt;
users = lib.flip lib.genAttrs importUser [
"ambroisie"
];
groups = {
root = [ "ambroisie" ];
};
}