mirror of
https://github.com/oddlama/nix-config.git
synced 2025-10-11 07:10:39 +02:00
chore: remove old nginx and oauth2-proxy config for sentinel
This commit is contained in:
oddlama
parent
9e4f8dcf0d
commit
1e6927a434
3 changed files with 3 additions and 146 deletions
|
|
@ -34,6 +34,9 @@ in {
|
|||
}
|
||||
'';
|
||||
|
||||
# TODO move subconfigs to the relevant hosts instead.
|
||||
# -> have something like merged config nodes.<name>....
|
||||
|
||||
virtualHosts.${authDomain} = {
|
||||
useACMEHost = config.lib.extra.matchingWildcardCert authDomain;
|
||||
extraConfig = ''
|
||||
|
|
|
|||
|
|
@ -1,89 +0,0 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
nodes,
|
||||
...
|
||||
}: let
|
||||
inherit (config.repo.secrets.local) acme personalDomain;
|
||||
in {
|
||||
users.groups.acme.members = ["nginx"];
|
||||
|
||||
rekey.secrets."dhparams.pem" = {
|
||||
file = ./secrets/dhparams.pem.age;
|
||||
mode = "440";
|
||||
group = "nginx";
|
||||
};
|
||||
|
||||
services.nginx = let
|
||||
authDomain = nodes.ward-nginx.config.services.kanidm.serverSettings.domain;
|
||||
authPort = lib.last (lib.splitString ":" nodes.ward-nginx.config.services.kanidm.serverSettings.bindaddress);
|
||||
grafanaDomain = nodes.ward-test.config.services.grafana.settings.server.domain;
|
||||
grafanaPort = toString nodes.ward-test.config.services.grafana.settings.server.http_port;
|
||||
lokiDomain = "loki.${personalDomain}";
|
||||
lokiPort = toString nodes.ward-loki.config.services.loki.settings.server.http_port;
|
||||
in {
|
||||
enable = true;
|
||||
|
||||
# TODO move subconfigs to the relevant hosts instead.
|
||||
# -> have something like merged config nodes.<name>....
|
||||
|
||||
upstreams.kanidm = {
|
||||
servers."${nodes.ward-nginx.config.extra.wireguard.proxy-sentinel.ipv4}:${authPort}" = {};
|
||||
extraConfig = ''
|
||||
zone kanidm 64k;
|
||||
keepalive 2;
|
||||
'';
|
||||
};
|
||||
virtualHosts.${authDomain} = {
|
||||
forceSSL = true;
|
||||
useACMEHost = config.lib.extra.matchingWildcardCert authDomain;
|
||||
locations."/".proxyPass = "https://kanidm";
|
||||
# Allow using self-signed certs to satisfy kanidm's requirement
|
||||
# for TLS connections. (This is over wireguard anyway)
|
||||
# TODO can we get rid of this?
|
||||
extraConfig = ''
|
||||
proxy_ssl_verify off;
|
||||
'';
|
||||
};
|
||||
|
||||
upstreams.grafana = {
|
||||
servers."${nodes.ward-test.config.extra.wireguard.proxy-sentinel.ipv4}:${grafanaPort}" = {};
|
||||
extraConfig = ''
|
||||
zone grafana 64k;
|
||||
keepalive 2;
|
||||
'';
|
||||
};
|
||||
virtualHosts.${grafanaDomain} = {
|
||||
forceSSL = true;
|
||||
useACMEHost = config.lib.extra.matchingWildcardCert grafanaDomain;
|
||||
locations."/".proxyPass = "http://grafana";
|
||||
};
|
||||
|
||||
upstreams.loki = {
|
||||
servers."${nodes.ward-loki.config.extra.wireguard.proxy-sentinel.ipv4}:${lokiPort}" = {};
|
||||
extraConfig = ''
|
||||
zone loki 64k;
|
||||
keepalive 2;
|
||||
'';
|
||||
};
|
||||
virtualHosts.${lokiDomain} = {
|
||||
forceSSL = true;
|
||||
useACMEHost = config.lib.extra.matchingWildcardCert lokiDomain;
|
||||
locations."/" = {
|
||||
proxyPass = "http://loki";
|
||||
proxyWebsockets = true;
|
||||
extraConfig = ''
|
||||
access_log off;
|
||||
'';
|
||||
};
|
||||
locations."/ready" = {
|
||||
proxyPass = "http://loki";
|
||||
proxyWebsockets = true;
|
||||
extraConfig = ''
|
||||
auth_request off;
|
||||
access_log off;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
@ -1,57 +0,0 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
nodes,
|
||||
...
|
||||
}: let
|
||||
inherit (config.repo.secrets.local) acme personalDomain;
|
||||
authDomain = "auth.${personalDomain}";
|
||||
in {
|
||||
networking.domain = personalDomain;
|
||||
|
||||
# Contains OAUTH2_PROXY_CLIENT_SECRET=...
|
||||
#rekey.secrets.grafana-secret-key = {
|
||||
# file = ./secrets/oauth2-proxy-client-secret.age;
|
||||
# mode = "440";
|
||||
# group = "oauth2_proxy";
|
||||
#};
|
||||
|
||||
services.oauth2_proxy = {
|
||||
enable = true;
|
||||
cookie.secure = true;
|
||||
cookie.httpOnly = false;
|
||||
email.domains = ["*"];
|
||||
provider = "oidc";
|
||||
scope = "openid email";
|
||||
loginURL = "https://${authDomain}/ui/oauth2";
|
||||
redeemURL = "https://${authDomain}/oauth2/token";
|
||||
validateURL = "https://${authDomain}/oauth2/openid/grafana/userinfo";
|
||||
clientID = "oauth2-proxy";
|
||||
clientSecret = "";
|
||||
#keyFile = config.rekey.secrets.oauth2-proxy-client-secret.path;
|
||||
reverseProxy = true;
|
||||
extraConfig.skip-provider-button = true;
|
||||
setXauthrequest = true;
|
||||
};
|
||||
|
||||
# Apply oauth by default to all locations
|
||||
services.nginx.virtualHosts = lib.genAttrs config.services.oauth2_proxy.nginx.virtualHosts (_: {
|
||||
extraConfig = ''
|
||||
auth_request /oauth2/auth;
|
||||
error_page 401 = /oauth2/sign_in;
|
||||
|
||||
# pass information via X-User and X-Email headers to backend,
|
||||
# requires running with --set-xauthrequest flag
|
||||
auth_request_set $user $upstream_http_x_auth_request_user;
|
||||
auth_request_set $email $upstream_http_x_auth_request_email;
|
||||
proxy_set_header X-User $user;
|
||||
proxy_set_header X-Email $email;
|
||||
|
||||
# if you enabled --cookie-refresh, this is needed for it to work with auth_request
|
||||
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||
add_header Set-Cookie $auth_cookie;
|
||||
'';
|
||||
locations."/oauth2/".extraConfig = "auth_request off;";
|
||||
locations."/oauth2/auth".extraConfig = "auth_request off;";
|
||||
});
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue