From 55fe825a745ecde75ea6433f3ff052839d0c8373 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Sun, 9 Jun 2024 20:46:58 +0200
Subject: [PATCH] feat: open-webui behind oauth2

---
 hosts/sire/guests/ai.nix | 11 ++++++++---
 modules/oauth2-proxy.nix | 15 +++++++++++++--
 secrets/global.nix.age | Bin 2513 -> 2560 bytes
 3 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/hosts/sire/guests/ai.nix b/hosts/sire/guests/ai.nix
index e559c56..df732f5 100644
--- a/hosts/sire/guests/ai.nix
+++ b/hosts/sire/guests/ai.nix
@@ -44,11 +44,13 @@ in {
 OLLAMA_BASE_URL = "http://localhgost:11434";
 TRANSFORMERS_CACHE = "/var/lib/open-webui/.cache/huggingface";
+
+ WEBUI_AUTH_TRUSTED_EMAIL_HEADER = "X-Email";
 };
 };
 globals.services.open-webui.domain = openWebuiDomain;
- nodes.ward-web-proxy = {
+ nodes.sentinel = {
 services.nginx = {
 upstreams.open-webui = {
 servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.open-webui.port}" = {};
@@ -60,8 +62,11 @@ in {
 virtualHosts.${openWebuiDomain} = {
 forceSSL = true;
 useACMEWildcardHost = true;
- oauth2.enable = true;
- oauth2.allowedGroups = ["access_openwebui"];
+ oauth2 = {
+ enable = true;
+ allowedGroups = ["access_openwebui"];
+ X-Email = "\${upstream_http_x_auth_request_email}@local";
+ };
 # FIXME: refer to lan 192.168... and fd10:: via globals
 extraConfig = ''
 client_max_body_size 512M;
diff --git a/modules/oauth2-proxy.nix b/modules/oauth2-proxy.nix
index 55e431e..28c1641 100644
--- a/modules/oauth2-proxy.nix
+++ b/modules/oauth2-proxy.nix
@@ -42,6 +42,16 @@ in {
 empty list to allow any authenticated client.
 '';
 };
+ X-User = mkOption {
+ type = types.str;
+ default = "$upstream_http_x_auth_request_preferred_username";
+ description = "The variable to set as X-User";
+ };
+ X-Email = mkOption {
+ type = types.str;
+ default = "$upstream_http_x_auth_request_email";
+ description = "The variable to set as X-User";
+ };
 };
 config = mkIf config.oauth2.enable {
 extraConfig = ''
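Review bot: `WEBUI_AUTH_TRUSTED_EMAIL_HEADER = "X-Email"` makes open-webui treat whatever `X-Email` header a request carries as an already-authenticated identity, so the service the proxy reaches at `${config.wireguard.proxy-home.ipv4}:${toString config.services.open-webui.port}` must be reachable only from the sentinel proxy that sets that header; nothing in this hunk shows the listener or firewall being restricted to that peer, so please confirm it elsewhere in the host config (outside this hunk). A comment on the new line would make the dependency explicit, e.g. `# Trusts X-Email as identity: open-webui must only be reachable through the nginx proxy that sets it`. Unrelated to this change, the context line `OLLAMA_BASE_URL = "http://localhgost:11434"` looks like a typo for `localhost`.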
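Review bot: The override `X-Email = "\${upstream_http_x_auth_request_email}@local"` appends `@local` to the address oauth2-proxy reports, so the identity open-webui trusts becomes `<email>@local` rather than the email itself; presumably accounts are keyed on that header value, so dropping or changing the suffix later would detach existing users. Why the suffix is needed is not recorded anywhere in the diff — add a comment on the line, e.g. `# @local: <why open-webui needs this suffix appended to the oauth2-proxy email>`. If `$upstream_http_x_auth_request_email` already carries a full address in this deployment, the resulting value contains two `@` signs, so it is worth confirming which form the backend actually receives.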
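Review bot: The description of the new `X-Email` option reads `"The variable to set as X-User"`, a copy of the `X-User` text; it should be `description = "The variable to set as X-Email";`. Separately, the `X-User` default is `$upstream_http_x_auth_request_preferred_username`, while the line it replaces in the next hunk (`@@ -50,8 +60,8 @@`) used `$upstream_http_x_auth_request_user`, so every virtual host that does not set this option now sends a different `X-User` value to its backend; if that is intended, the commit message or the option description should say so, otherwise the default should stay `$upstream_http_x_auth_request_user`. Both descriptions could also state that the value is nginx-side syntax spliced verbatim into `auth_request_set`, not a Nix-evaluated expression.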
@@ -50,8 +60,8 @@ in {
 # pass information via X-User and X-Email headers to backend,
 # requires running with --set-xauthrequest flag
- auth_request_set $user $upstream_http_x_auth_request_user;
- auth_request_set $email $upstream_http_x_auth_request_email;
+ auth_request_set $user ${config.oauth2.X-User};
+ auth_request_set $email ${config.oauth2.X-Email};
 proxy_set_header X-User $user;
 proxy_set_header X-Email $email;
@@ -61,6 +71,7 @@ in {
 '';
 locations."@redirectToAuth2ProxyLogin" = {
+ # FIXME: allow refering to another node for the portaldomain
 return = "307 https://${cfg.portalDomain}/oauth2/start?rd=$scheme://$host$request_uri";
 extraConfig = ''
 auth_request off;
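Review bot: `auth_request_set $user ${config.oauth2.X-User};` and the `$email` line below it splice a `types.str` value unquoted into an nginx directive, so an option value containing `;`, whitespace or a newline would terminate the directive and change the generated config rather than fail evaluation. Since these headers are what backends trust as the caller's identity, it is worth tightening the option type in the previous hunk (`@@ -42,6 +42,16 @@`), for example with `types.strMatching` and a pattern that rejects `;` and whitespace, or at least documenting that the value must be a single nginx variable expression. The surrounding `extraConfig` string starts and ends outside this hunk.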
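Review bot: The added comment has a spelling error and does not match the option name used on the next line; suggest `# FIXME: allow referring to another node for the portalDomain`. The `locations."@redirectToAuth2ProxyLogin"` block continues outside this hunk.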
diff --git a/secrets/global.nix.age b/secrets/global.nix.age index 693d35bf1627dcfb998368272564ee55eb91c4e7..388b29b16b83ad7a18c67e98f05d0570a69dc300 100644 GIT binary patch delta 2554 zcmV$G*K^2G&pQ`Qg&H(X@6Q#W=?NLQ%*E+b~kP} zNIWTxb7depO(`HFWFRbfGb(f-N?b5+K}`xbZ&qtrb}vC$YfWo1S9VTJ zVlPxo$AXnAKaF={ttNlijIW;HTMH*|GTcrQ;_Vrf-o zF;8a-A;yl-4B&-=-PwQRkj0&H2;ed2pJiT+14~;M=ra~%lB4I`_190Z+{^*kgw}Zu&O=w&w(iKlf?a& zJX+c8-rc=6=y+FJPIw8~jO0I)$vdCmB%FjcbD_UDcWqXHEAzG1pjQ<^)n0SFt&>6f z8JxzvvsY1`!^}&1ipI|9<9)?{{l2ZFA6G?~Zx*9mn!}IMg)=-*$>>V~i zP&;S)$Xgs>I&*v`W(uGxz(b^cW54bgSzGlcPZF2`UuAw6Ta@=To zT)(FWPBd#*;K3f<6fz_$qe_mK}?r?cu5UJ>!S zpMQxL(Vv=II?{_bHQM+W8++?7W9JxLRgmoOzrCdEq#2e^tHBxo0A`UFZuaG8%S=in*tF7`_^a_Z_AFEm>=O%e~_eYD5Hgqq3jH zS7DBWm{AhJ?#drC-by24kaVWBc2$UfVwgsd=~IO>?LzRJ_2dG%W)@oTw!_)nySUhR zF51tnk~%Ue8NVrjG1?CLUVn}@#!IZ&_|+Sq?BUh8L&7$$H&WLpe5L3+wvvEB7*`qc zCj`3~Cc=sD-xs%AVOu-u9t<>}T3M)2*7|}4W4xSkA@iK2dl^H-=JY|=yTw^6W2dKW z&7oJIlXWa16JUL2`jP(H9Dza?k~K#7#gMR^8u>nN>W%dpo}3~U1%Hiy{6Zp=_-xGF z3ZtYcpa{c`&MHp5olUJ_hb-GA&UTWV@v@maVUzjcLe%S-7uvPa-CYM;y!&Ae2d=8l zW0NAbe&=CFs*OVleT`LC$flYl2eK>)e0^@9%0(nZyHsA9H+-}SuyjOFjghkgt{T%B z>?H#HD&IYs>Q8gos(*Y-XK zk^3G$%~|Z=!<1;Oq)yD^p9OcHWo$h=8*S-H!Pv+z^M;JC1AnpcOapt7feW)jnejQN zDtEpN1R)z2O*;y9pOI=hc)24;=Qt@3`y})!;9NWyk4BiN@h{P9n0iqcxG7chWR2}e zXi8*cDwSXtEY+|6CZsV#rH;rm+&hmMNhXAj>;m#rsu`+WqeT}6f6=%4aSG5Mot_N! 
zmuQu&#+7*wQ;d0Gnn}(zKGl?cfhDZ?M0m zmLs=qT~W6w%3dZN>@Q@pyN@>;K1Pmm-LdwIcUTL4bK?4Fpn@5D6p?}a#p_iX-PDWpqpS9)K8HE#j z^Q~hpC01ITP&xwh@)YL zAo!Vv$1UvjqW_9k5ydu}%nHhOCQQ2Ea3yoMEDS8}gs0GZiN=4&X+JYJ$q{%&Fx0T^ zHS0dw{Y!L$YHXAE`a1v)7v6sy@|34k664p5&2>0TuvYH!sf6 zZ*vBf%rle_4an@LQ+4`+JdT>&6wfF5xI#7GN?6S?Q?-IC3sb+x@xw#e{nnbiBjopX zHwXdvQ)0n6wu<09x*Nl{HEUzu(TdkvoZI%(GGgE2?W*>I<|Cmqk|y?d3eTOQ!@-~U Q(5M)5Lxao>V4eHm%RsaA1 delta 2507 zcmV;+2{iVA6wwoqAb)x}Oh#-kcS})pMoD&BR4_s?H%oL>XIW4|Z%9gILQghNaa1>Y zdU{kba|%TR_FQFl0Yc64uVK?*HC zAaH4REpRe5HXwL$Q)M_&AVD!oT3RqSR7gZtc|mkcP)s&iHh(g9HB@;tW>hhESZ!rk zZ&E^KO=>wrY+(vdZZJb)Nla8(ZB9pFb53VYL_u$JH+FMUG-yItMl)`1Ms6!FO-(RD zSxE{lJ|H=LRa7rNWi~Bma%Ew2WeP82O*mChOhHC+Mld-wXjd{yZBlnmRAVr6YD#)| zH+XnXGe>SrRex1*R5?gAPBu_wRCP#tV{N<%AXXisV}FhNZ)cyeuJ zb#^c_dNOZw3N0-yAY(N&LU>U$FH&|_d3R4jMNu+nZdO@ZD?~+Cbz*onN>NHfFEuen zRZ(tl3VG2V*H;OT6M*<3o0hucV1fRz22(4T781A$nSX8MrfB@{*Pmv(Vq(d33eSFE z?fP4~rz;d!>Nn(4OVr=eMdPPnshb7QmHV(dIZG7tMbF6HBtF(b)rdXJ17qNcaAyP8 z;lOxdI_)Dt?&jRFKa;MC0ql3}v=$`>x**cKlx=;*=xYhxLy4S&J@eP5wgpPOos1h=B`wOX4HO3%wH66ngJ$Y5;yJ5 zzqI!!f<$hCrqU%$;k%%T6d-AQu(3x#DzdDPIq9@JQxT88qHTmZZ9Eimf(rL0BJ~=3 zxCDxG*o+*6?lL?L4Sbm&uP%>A1#*eYsE_XX5=M{ z`agiIJQxT)FwvxAI1jo-CZ6~Kj|+g3)v1ZLC<6o8U~!bU%oFX39+aOODtfhszso~9 zm&>Zj90Q(0)PZM|Ir3+za$H72q;X_c)ga`%aB}yAS>UbVDZ+AASv5A2(lBq2^%QCO z5`Udctf++jKFMMRBXwPT;Z&~Cu?dqk{Wo-V)Fg|wMt|9a7_Z$06UMF4^5yEu_|YVi z5~&`^y;HQruLNt6+ta)3=Xkf z4fMr}fell;ixtDSP0qDSWGTQIR(!E z>=~x&L9P7Lr_!8+1?A|`V*UTB;jByKUBlVC^ag)o4J22t%pUQyDfM;#*&fX5Sbqim zQnDHLTH5ii`?KrtjG_&%H}b+moo6326#`$esAb@ArK_00(l^*;%ISj(H&MLNL@k45 z^>HpgdDAwkDkB{E5j)-Q zNt#7j6KJ=~x1>1tj2kQFChmC{bK)A--OBA&{|06Yop^EtAFH~i$KM$c@_!FHRVURQ z^hiXR`T=lfiYZ!lutrgHU6NMhC-z+in6qC2w6W-vv1p3wqiTg=_?aeokoi6 zZo{qWCZU~!kS1cWht}_Os2+%SHfiJKdfBQ|)%u{Nj+)?Djgf=(s=}g8b24^poJ(m` zX(HLiEr1Z&8L+g?mJ2huAb-*&zow;jaza1jY*lkFR1hAiC57on+WfgKbyvPQuiWl+ z>m$rvkDsYF38k!>@}3KPtZ60JEQv1#8QgMVy94QdTB1XV)q%ncAW=k;`@e{lw9~O= z#~HF%YV#q(TTTI8YQ9kMnk3s&9OaQXxPTtLc2X6Qcwv8(cxSg>piQTSXt~<0JVBIEc=M!dopKl(OijX-c^o8 
zMGFwBcpaQpcl+z3@<^jveu8*oo|k=slbr>Ys&Dq+dH#kx;AKSY4`@JOI_-JttVWkk z8w-^vmfYYs5+b$(fPWrGxWgtMAm9Jltr#4@5JPE-xSB-0Y-%s%#3M;gjkW8*OJByeV+AkwMC>8?lpg_GWi_1TnPYLXbrUyc{n3SKX{FRS z$f*Yh$+}Rep?^V8?Js&8>>YGYIGx6hEs4pq{dgj0Ip zZZg&`$2(+l^WROj=f`9ZRz+H4GopuvU

u?{`=Tn4% zBJ;kW!(`Q-&C+H#$hd~w-0W`PVnz9*?}43s)KMm&HjDD9VE5xiA@aqR$pYkuy)6X# zBx}Ssxyp=mAkcn8rPdl}j7XX5ZH)l3W9B0b3tz6n)e%pZ;#e#RI93MUd#9A?XGv*{ zWJDrV%o1sy8DaA`B$m!3Pe+2V%RO|OFD%UOLABiI%J@%C1W<7E57&?EV1MgPXQfVM V{Tz>DpUsv8)wKG>97hcFCsL{Yty=&9