1
1
Fork 1
mirror of https://github.com/oddlama/nix-config.git synced 2025-10-10 23:00:39 +02:00

feat: use nginx json logs; oauth2-proxy authentication working, groups not yet

This commit is contained in:
oddlama 2023-06-23 00:40:15 +02:00
parent 71dbda6262
commit 1a0378ee5c
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
4 changed files with 31 additions and 48 deletions

View file

@ -159,7 +159,7 @@ kanidm system oauth2 show-basic-secret grafana
# Generate new oauth2 app for proxied webapps # Generate new oauth2 app for proxied webapps
kanidm group create web-sentinel-access kanidm group create web-sentinel-access
kanidm group create web-sentinel-adguardhome-access kanidm group create web-sentinel-adguardhome-access
kanidm system oauth2 create web-sentinel "Web services" https://sentinel.${personalDomain} kanidm system oauth2 create web-sentinel "Web services" https://oauth2.${personalDomain}
kanidm system oauth2 update-scope-map web-sentinel web-sentinel-access openid profile email kanidm system oauth2 update-scope-map web-sentinel web-sentinel-access openid profile email
kanidm system oauth2 update-sup-scope-map web-sentinel web-sentinel-adguardhome-access access_adguardhome kanidm system oauth2 update-sup-scope-map web-sentinel web-sentinel-adguardhome-access access_adguardhome
kanidm system oauth2 show-basic-secret web-sentinel kanidm system oauth2 show-basic-secret web-sentinel

View file

@ -7,7 +7,7 @@
extra.oauth2_proxy = { extra.oauth2_proxy = {
enable = true; enable = true;
cookieDomain = config.repo.secrets.local.personalDomain; cookieDomain = config.repo.secrets.local.personalDomain;
authProxyDomain = "sentinel.${config.repo.secrets.local.personalDomain}"; portalDomain = "oauth2.${config.repo.secrets.local.personalDomain}";
}; };
age.secrets.oauth2-proxy-secret = { age.secrets.oauth2-proxy-secret = {
@ -18,7 +18,7 @@
services.oauth2_proxy = { services.oauth2_proxy = {
provider = "oidc"; provider = "oidc";
scope = "openid"; scope = "openid email";
loginURL = "https://${config.proxiedDomains.kanidm}/ui/oauth2"; loginURL = "https://${config.proxiedDomains.kanidm}/ui/oauth2";
redeemURL = "https://${config.proxiedDomains.kanidm}/oauth2/token"; redeemURL = "https://${config.proxiedDomains.kanidm}/oauth2/token";
validateURL = "https://${config.proxiedDomains.kanidm}/oauth2/openid/web-sentinel/userinfo"; validateURL = "https://${config.proxiedDomains.kanidm}/oauth2/openid/web-sentinel/userinfo";

View file

@ -100,8 +100,21 @@ in {
sslCiphers = "EECDH+AESGCM:EDH+AESGCM:!aNULL"; sslCiphers = "EECDH+AESGCM:EDH+AESGCM:!aNULL";
sslDhparam = config.age.secrets."dhparams.pem".path; sslDhparam = config.age.secrets."dhparams.pem".path;
commonHttpConfig = '' commonHttpConfig = ''
error_log syslog:server=unix:/dev/log; log_format json_combined escape=json '{'
access_log syslog:server=unix:/dev/log; '"time": $msec,'
'"remote_addr":"$remote_addr",'
'"status":$status,'
'"method":"$request_method",'
'"host":"$host",'
'"uri":"$request_uri",'
'"request_size":$request_length,'
'"response_size":$body_bytes_sent,'
'"response_time":$request_time,'
'"referrer":"$http_referer",'
'"user_agent":"$http_user_agent"'
'}';
error_log syslog:server=unix:/dev/log,nohostname;
access_log syslog:server=unix:/dev/log,nohostname json_combined;
ssl_ecdh_curve secp384r1; ssl_ecdh_curve secp384r1;
''; '';
}; };

View file

@ -24,25 +24,12 @@ in {
cookieDomain = mkOption { cookieDomain = mkOption {
type = types.str; type = types.str;
description = mdDoc "The domain under which to store the credetial cookie."; description = mdDoc "The domain under which to store the credential cookie, and to which redirects will be allowed.";
}; };
authProxyDomain = mkOption { portalDomain = mkOption {
type = types.str; type = types.str;
description = mdDoc '' description = mdDoc "A domain on which to setup the oauth2 callback.";
The domain under which to expose the oauth2 proxy.
This must be a subdomain at or below the level of `cookieDomain`.
'';
};
nginx.virtualHosts = mkOption {
default = {};
description =
mdDoc ''
'';
type =
types.attrsOf (types.submodule {
});
}; };
}; };
@ -81,7 +68,7 @@ in {
''; '';
locations."/oauth2/" = { locations."/oauth2/" = {
proxyPass = "https://${cfg.authProxyDomain}"; proxyPass = "http://oauth2_proxy";
extraConfig = '' extraConfig = ''
proxy_set_header X-Scheme $scheme; proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri; proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
@ -90,7 +77,7 @@ in {
locations."= /oauth2/auth" = { locations."= /oauth2/auth" = {
proxyPass = proxyPass =
"https://${cfg.authProxyDomain}" "http://oauth2_proxy/oauth2/auth"
+ optionalString (config.oauth2.allowedGroups != []) + optionalString (config.oauth2.allowedGroups != [])
"?allowed_groups=${concatStringsSep "," config.oauth2.allowedGroups}"; "?allowed_groups=${concatStringsSep "," config.oauth2.allowedGroups}";
extraConfig = '' extraConfig = ''
@ -121,8 +108,11 @@ in {
setXauthrequest = true; setXauthrequest = true;
extraConfig = { extraConfig = {
# Enable PKCE
code-challenge-method = "S256";
# Share the cookie with all subpages # Share the cookie with all subpages
whitelist-domain = ".${cfg.cookieDomain}"; whitelist-domain = ".${cfg.cookieDomain}";
redirect-url = "https://${cfg.portalDomain}/oauth2/callback";
set-authorization-header = true; set-authorization-header = true;
pass-access-token = true; pass-access-token = true;
skip-jwt-bearer-tokens = true; skip-jwt-bearer-tokens = true;
@ -134,6 +124,7 @@ in {
systemd.services.oauth2_proxy.serviceConfig = { systemd.services.oauth2_proxy.serviceConfig = {
RuntimeDirectory = "oauth2_proxy"; RuntimeDirectory = "oauth2_proxy";
RuntimeDirectoryMode = "0750"; RuntimeDirectoryMode = "0750";
UMask = "007"; # TODO remove once https://github.com/oauth2-proxy/oauth2-proxy/issues/2141 is fixed
}; };
users.groups.oauth2_proxy.members = ["nginx"]; users.groups.oauth2_proxy.members = ["nginx"];
@ -147,32 +138,11 @@ in {
''; '';
}; };
virtualHosts.${cfg.authProxyDomain} = { virtualHosts.${cfg.portalDomain} = {
forceSSL = true; forceSSL = true;
useACMEHost = config.lib.extra.matchingWildcardCert cfg.authProxyDomain; useACMEHost = config.lib.extra.matchingWildcardCert cfg.portalDomain;
oauth2.enable = true;
locations."/".extraConfig = '' locations."/".proxyPass = "http://oauth2_proxy";
deny all;
return 404;
'';
locations."/oauth2/" = {
proxyPass = "http://oauth2_proxy";
extraConfig = ''
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
'';
};
locations."= /oauth2/auth" = {
proxyPass = "http://oauth2_proxy";
extraConfig = ''
proxy_set_header X-Scheme $scheme;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
'';
};
}; };
}; };
}; };