mirrors_public/oddlama_nix-config
1
1
Fork 1
mirror of https://github.com/oddlama/nix-config.git synced 2025-10-11 07:10:39 +02:00
Code Activity

feat: promote oauth proxy config to a nginx virtualHosts option

Browse source
This commit is contained in:
oddlama 2023-06-22 02:55:22 +02:00
parent a092a5a846
commit 71dbda6262
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
8 changed files with 136 additions and 98 deletions
Download patch file Download diff file Expand all files Collapse all files

12
hosts/sentinel/oauth2.nix
View file

@ -17,7 +17,6 @@
};
services.oauth2_proxy = {
# TODO cookie refresh
provider = "oidc";
scope = "openid";
loginURL = "https://${config.proxiedDomains.kanidm}/ui/oauth2";
@ -25,9 +24,16 @@
validateURL = "https://${config.proxiedDomains.kanidm}/oauth2/openid/web-sentinel/userinfo";
clientID = "web-sentinel";
keyFile = config.age.secrets.oauth2-proxy-secret.path;
email.domains = ["*"];
extraConfig.skip-provider-button = true;
extraConfig = {
# TODO good idea? would fail when offline
# TODO autorestart after 30 minutes, infinite times.
oidc-issuer-url = "https://${config.proxiedDomains.kanidm}/oauth2/openid/web-sentinel";
skip-provider-button = true;
# TODO away
show-debug-on-error = true;
};
};
}

BIN
hosts/sentinel/secrets/oauth2-proxy-secret.age
View file

Binary file not shown.

5
hosts/ward/microvms/adguardhome/default.nix
View file

@ -24,7 +24,6 @@ in {
nodes.sentinel = {
proxiedDomains.adguard = adguardhomeDomain;
extra.oauth2_proxy.nginx.virtualHosts."${adguardhomeDomain}".allowedGroups = ["adguardhome"];
services.nginx = {
upstreams.adguardhome = {
servers."${config.services.adguardhome.settings.bind_host}:${toString config.services.adguardhome.settings.bind_port}" = {};
@ -36,8 +35,10 @@ in {
virtualHosts.${adguardhomeDomain} = {
forceSSL = true;
useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert adguardhomeDomain;
oauth2.enable = true;
oauth2.allowedGroups = ["adguardhome"];
locations."/" = {
proxyPass = "https://adguardhome";
proxyPass = "http://adguardhome";
proxyWebsockets = true;
};
};

2
hosts/ward/microvms/grafana/default.nix
View file

@ -54,7 +54,7 @@ in {
forceSSL = true;
useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert grafanaDomain;
locations."/" = {
proxyPass = "https://grafana";
proxyPass = "http://grafana";
proxyWebsockets = true;
};
};

4
hosts/ward/microvms/loki/default.nix
View file

@ -45,7 +45,7 @@ in {
forceSSL = true;
useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert lokiDomain;
locations."/" = {
proxyPass = "https://loki";
proxyPass = "http://loki";
proxyWebsockets = true;
extraConfig = ''
auth_basic "Authentication required";
@ -58,7 +58,7 @@ in {
'';
};
locations."= /ready" = {
proxyPass = "https://loki";
proxyPass = "http://loki";
extraConfig = ''
auth_basic off;
access_log off;

BIN
hosts/ward/microvms/loki/secrets/loki-basic-auth-hashes.age
View file

Binary file not shown.