dev/nixfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

nixos/middleman: Add nginx-sso

Browse Source
This commit is contained in:
Jack O'Sullivan
2022-06-12 00:31:08 +01:00
parent 7e42647288
commit 0b8b6fccc8
6 changed files with 204 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
nixos/boxes/colony/vms/shill/containers/middleman/default.nix
View File

@@ -45,12 +45,60 @@
owner = "acme";
group = "acme";
};
"nginx-sso.yaml" = {
owner = "nginx-sso";
group = "nginx-sso";
};
};
};
firewall = {
tcp.allowed = [ "http" "https" 8448 ];
};
nginx-sso = {
enable = true;
extraConfigFile = config.age.secrets."nginx-sso.yaml".path;
configuration = {
listen = {
addr = "[::]";
port = 8082;
};
login = {
title = "${lib.my.pubDomain} login";
default_redirect = "https://${lib.my.pubDomain}";
default_method = "google_oauth";
names = {
google_oauth = "Google account";
};
};
cookie = {
domain = ".${lib.my.pubDomain}";
secure = true;
};
audit_log = {
targets = [ "fd://stdout" ];
events = [
"access_denied"
"login_success"
"login_failure"
"logout"
#"validate"
];
};
providers = {
google_oauth = {
client_id = "545475967061-cag4g1qf0pk33g3pdbom4v69562vboc8.apps.googleusercontent.com";
redirect_url = "https://sso.${lib.my.pubDomain}/login";
user_id_method = "user-id";
};
};
};
includes = {
endpoint = "http://localhost:8082";
baseURL = "https://sso.${lib.my.pubDomain}";
};
};
};
users = {
@@ -167,7 +215,9 @@
proxy_http_version 1.1;
# proxy headers
proxy_set_header X-Origin-URI $request_uri;
proxy_set_header Host $host;
proxy_set_header X-Host $http_host;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;

28
nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
View File

@@ -6,6 +6,17 @@ let
dualStackListen' = l: map (addr: l // { inherit addr; }) [ "0.0.0.0" "[::]" ];
dualStackListen = ll: flatten (map dualStackListen' ll);
ssoServer = i: {
extraConfig = ''
include /etc/nginx/includes/sso/server-${i}.conf;
'';
};
ssoLoc = i: {
extraConfig = ''
include /etc/nginx/includes/sso/location-${i}.conf;
'';
};
mkWellKnown = type: content: pkgs.writeTextFile {
name = "well-known-${type}";
destination = "/${type}";
@@ -34,6 +45,12 @@ let
};
in
{
my = {
nginx-sso.includes.instances = {
generic = {};
};
};
services.nginx.virtualHosts =
let
hosts = {
@@ -47,7 +64,12 @@ in
];
};
"pass.nul.ie" =
"sso.${lib.my.pubDomain}" = {
locations."/".proxyPass = config.my.nginx-sso.includes.endpoint;
useACMEHost = lib.my.pubDomain;
};
"pass.${lib.my.pubDomain}" =
let
upstream = "http://vaultwarden-ctr.${config.networking.domain}";
in
@@ -79,14 +101,14 @@ in
locations = mkMerge [
{
"/".proxyPass = "http://chatterbox-ctr.${config.networking.domain}:8008";
"= /".return = "301 https://element.nul.ie";
"= /".return = "301 https://element.${lib.my.pubDomain}";
}
wellKnown
];
useACMEHost = lib.my.pubDomain;
};
"element.nul.ie" =
"element.${lib.my.pubDomain}" =
let
headers = ''
add_header X-Frame-Options SAMEORIGIN;