mirrors_public/oddlama_nix-config
1
1
Fork 1
mirror of https://github.com/oddlama/nix-config.git synced 2025-10-10 23:00:39 +02:00
Code Activity

feat: add oauth2 proxy module and simple nginx reverse proxy module

Browse source
This commit is contained in:
oddlama 2023-06-21 23:56:12 +02:00
parent e32d5575b4
commit 609e562bec
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
4 changed files with 249 additions and 38 deletions
Download patch file Download diff file Expand all files Collapse all files

122
modules/extra.nix
View file

@ -1,32 +1,70 @@
{ {
config, config,
lib, lib,
nodePath,
... ...
}: let }: let
inherit inherit
(lib) (lib)
assertMsg assertMsg
filter filter
flip
genAttrs
hasInfix hasInfix
head head
mapAttrs
mapAttrs'
mdDoc mdDoc
mkIf mkIf
mkOption mkOption
nameValuePair
optionals optionals
removeSuffix removeSuffix
types types
; ;
in { in {
options.extra.acme.wildcardDomains = mkOption { options.extra = {
default = []; acme.wildcardDomains = mkOption {
example = ["example.org"]; default = [];
type = types.listOf types.str; example = ["example.org"];
description = mdDoc '' type = types.listOf types.str;
All domains for which a wildcard certificate will be generated. description = mdDoc ''
This will define the given `security.acme.certs` and set `extraDomainNames` correctly, All domains for which a wildcard certificate will be generated.
but does not fill any options such as credentials or dnsProvider. These have to be set This will define the given `security.acme.certs` and set `extraDomainNames` correctly,
individually for each cert by the user or via `security.acme.defaults`. but does not fill any options such as credentials or dnsProvider. These have to be set
''; individually for each cert by the user or via `security.acme.defaults`.
'';
};
nginx.proxiedDomains = mkOption {
default = {};
description = mdDoc "Simplified reverse proxy setup.";
type = types.attrsOf (types.submodule (submod: {
options = {
domain = mkOption {
type = types.str;
description = mdDoc "The public domain for the virtual host.";
};
upstream = mkOption {
type = types.str;
description = mdDoc "The upstream server to which requests are forwarded.";
};
scheme = mkOption {
type = types.str;
default = "http";
description = mdDoc "The scheme to use when connecting to upstream.";
};
useACMEHost = mkOption {
type = types.str;
default = config.lib.extra.matchingWildcardCert submod.config.domain;
description = mdDoc "The acme host certificate to use for the virtual host.";
};
};
}));
};
}; };
config = { config = {
@ -44,31 +82,17 @@ in {
head matchingCerts; head matchingCerts;
}; };
security.acme.certs = lib.genAttrs config.extra.acme.wildcardDomains (domain: { security.acme.certs = genAttrs config.extra.acme.wildcardDomains (domain: {
extraDomainNames = ["*.${domain}"]; extraDomainNames = ["*.${domain}"];
}); });
# Sensible defaults for caddy age.secrets = mkIf config.services.nginx.enable {
services.caddy = mkIf config.services.caddy.enable { "dhparams.pem" = {
extraConfig = '' rekeyFile = nodePath + "/secrets/dhparams.pem.age";
(common) { generator = "dhparams";
encode zstd gzip mode = "440";
group = "nginx";
header { };
# Enable HTTP Strict Transport Security (HSTS)
Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
X-XSS-Protection "1; mode=block"
X-Frame-Options "DENY"
X-Content-Type-Options "nosniff"
# Remove unnecessary information and remove Last-Modified in favor of ETag
-Server
-X-Powered-By
-Last-Modified
}
}
'';
}; };
# Sensible defaults for nginx # Sensible defaults for nginx
@ -86,12 +110,38 @@ in {
error_log syslog:server=unix:/dev/log; error_log syslog:server=unix:/dev/log;
access_log syslog:server=unix:/dev/log; access_log syslog:server=unix:/dev/log;
ssl_ecdh_curve secp384r1; ssl_ecdh_curve secp384r1;
# Enable HTTP Strict Transport Security (HSTS)
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
# Minimize information leaked to other domains
add_header Referrer-Policy "origin-when-cross-origin";
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options "DENY";
add_header X-Content-Type-Options "nosniff";
''; '';
upstreams =
flip mapAttrs config.extra.nginx.proxiedDomains
(name: cfg: {
servers."${cfg.upstream}" = {};
extraConfig = ''
zone ${name} 64k;
keepalive 2;
'';
});
virtualHosts =
flip mapAttrs' config.extra.nginx.proxiedDomains
(name: cfg:
nameValuePair cfg.domain {
forceSSL = true;
inherit (cfg) useACMEHost;
locations."/".proxyPass = "${cfg.scheme}://${name}";
});
}; };
networking.firewall.allowedTCPPorts = networking.firewall.allowedTCPPorts = optionals config.services.nginx.enable [80 443];
optionals
(config.services.caddy.enable || config.services.nginx.enable)
[80 443];
}; };
} }

2
modules/microvms.nix
View file

@ -318,7 +318,7 @@ in {
}; };
zfs = { zfs = {
enable = mkEnableOption (mdDoc "Enable persistent data on separate zfs dataset"); enable = mkEnableOption (mdDoc "persistent data on separate zfs dataset");
pool = mkOption { pool = mkOption {
type = types.str; type = types.str;

161
modules/oauth2-proxy.nix Normal file
View file

@ -0,0 +1,161 @@
{
lib,
config,
pkgs,
...
}: let
inherit
(lib)
concatStringsSep
flip
mapAttrs
mdDoc
mkEnableOption
mkIf
mkOption
optionalString
types
;
cfg = config.extra.oauth2_proxy;
in {
options.extra.oauth2_proxy = {
enable = mkEnableOption (mdDoc "oauth2 proxy");
cookieDomain = mkOption {
type = types.str;
description = mdDoc "The domain under which to store the credetial cookie.";
};
authProxyDomain = mkOption {
type = types.str;
description = mdDoc ''
The domain under which to expose the oauth2 proxy.
This must be a subdomain at or below the level of `cookieDomain`.
'';
};
nginx.virtualHosts = mkOption {
default = {};
description = mdDoc ''
Access to all virtualHostst that have an entry here will be put behind
the oauth2 proxy, requiring authentication before users can access the resource.
Also set `allowedGroups` for granuar access control.
'';
type = types.attrsOf (types.submodule {
options.allowedGroups = mkOption {
type = types.listOf types.str;
default = [];
description = mdDoc ''
A list of groups that are allowed to access this resource, or the
empty list to allow any authenticated client.
'';
};
});
};
};
config = mkIf cfg.enable {
services.oauth2_proxy = {
enable = true;
cookie.secure = true;
cookie.httpOnly = false;
reverseProxy = true;
httpAddress = "unix:///run/oauth2_proxy/oauth2_proxy.sock";
# Share the cookie with all subpages
extraConfig.whitelist-domain = ".${cfg.cookieDomain}";
setXauthrequest = true;
};
systemd.services.oauth2_proxy.serviceConfig = {
RuntimeDirectory = "oauth2_proxy";
RuntimeDirectoryMode = "0750";
};
users.groups.oauth2_proxy.members = ["nginx"];
services.nginx = {
upstreams.oauth2_proxy = {
servers."unix:/run/oauth2_proxy/oauth2_proxy.sock" = {};
extraConfig = ''
zone oauth2_proxy 64k;
keepalive 2;
'';
};
virtualHosts =
{
${cfg.authProxyDomain} = {
forceSSL = true;
useACMEHost = config.lib.extra.matchingWildcardCert cfg.authProxyDomain;
locations."/".extraConfig = ''
deny all;
return 404;
'';
locations."/oauth2/" = {
proxyPass = "http://oauth2_proxy";
extraConfig = ''
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
'';
};
locations."= /oauth2/auth" = {
proxyPass = "http://oauth2_proxy";
extraConfig = ''
proxy_set_header X-Scheme $scheme;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
'';
};
};
}
// flip mapAttrs cfg.nginx.virtualHosts
(vhost: vhostCfg: let
authQuery =
optionalString (vhostCfg.allowedGroups != [])
"?allowed_groups=${concatStringsSep "," vhostCfg.allowedGroups}";
in {
locations."/".extraConfig = ''
auth_request /oauth2/auth;
error_page 401 = /oauth2/sign_in;
# pass information via X-User and X-Email headers to backend,
# requires running with --set-xauthrequest flag
auth_request_set $user $upstream_http_x_auth_request_user;
auth_request_set $email $upstream_http_x_auth_request_email;
proxy_set_header X-User $user;
proxy_set_header X-Email $email;
# if you enabled --cookie-refresh, this is needed for it to work with auth_request
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
'';
locations."/oauth2/" = {
proxyPass = "https://${cfg.authProxyDomain}";
extraConfig = ''
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
'';
};
locations."= /oauth2/auth" = {
proxyPass = "https://${cfg.authProxyDomain}${authQuery}";
extraConfig = ''
internal;
proxy_set_header X-Scheme $scheme;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
'';
};
});
};
};
}

2
modules/promtail.nix
View file

@ -18,7 +18,7 @@
cfg = config.extra.promtail; cfg = config.extra.promtail;
in { in {
options.extra.promtail = { options.extra.promtail = {
enable = mkEnableOption (mdDoc "Enable promtail to push logs to a loki instance."); enable = mkEnableOption (mdDoc "promtail to push logs to a loki instance.");
proxy = mkOption { proxy = mkOption {
type = types.str; type = types.str;
description = mdDoc "The node name of the proxy server which provides the https loki api endpoint."; description = mdDoc "The node name of the proxy server which provides the https loki api endpoint.";