diff --git a/hosts/sentinel/caddy.nix b/hosts/sentinel/caddy.nix
deleted file mode 100644
index b6fba7e..0000000
--- a/hosts/sentinel/caddy.nix
+++ /dev/null
@@ -1,75 +0,0 @@
-{
- config,
- pkgs,
- ...
-}: {
- users.groups.acme.members = ["caddy"];
-
- age.secrets.caddy-env = {
- rekeyFile = ./secrets/caddy-env.age;
- mode = "440";
- group = "caddy";
- };
-
- services.caddy = let
- proxyAuthDomain = "sentinel.${config.repo.secrets.local.personalDomain}";
- in {
- enable = true;
- package = pkgs.caddy.withPackages {
- plugins = [
- {
- name = "github.com/greenpau/caddy-security";
- version = "v1.1.18";
- }
- ];
- vendorHash = "sha256-RqSXQihtY5+ACaMo7bLdhu1A+qcraexb1W/Ia+aUF1k";
- };
-
- virtualHosts.${proxyAuthDomain} = {
- useACMEHost = config.lib.extra.matchingWildcardCert proxyAuthDomain;
- extraConfig = ''
- import common
- authenticate with myportal
- '';
- };
-
- globalConfig = ''
- order authenticate before respond
- order authorize before basicauth
-
- security {
- oauth identity provider kanidm {
- realm kanidm
- driver generic
- client_id web-sentinel
- client_secret {env.KANIDM_CLIENT_SECRET}
- scopes openid email profile
- base_auth_url https://${config.proxiedDomains.kanidm}/ui/oauth2
- metadata_url https://${config.proxiedDomains.kanidm}/oauth2/openid/sentinel/.well-known/openid-configuration
- }
-
- authentication portal myportal {
- enable identity provider kanidm
- cookie domain ${config.repo.secrets.local.personalDomain}
- ui {
- links {
- "My Identity" "/whoami" icon "las la-user"
- }
- }
-
- transform user {
- match realm kanidm
- action add role authp/user
- }
-
- #transform user {
- # match realm kanidm
- # match scope read:access_aguardhome
- # action add role authp/admin
- #}
- }
- '';
- };
-
- systemd.services.caddy.serviceConfig.environmentFile = config.age.secrets.caddy-env.path;
-}
diff --git a/hosts/sentinel/default.nix b/hosts/sentinel/default.nix
index 776caba..db339c2 100644
--- a/hosts/sentinel/default.nix
+++ b/hosts/sentinel/default.nix
@@ -14,9 +14,12 @@
 ./net.nix
 ./acme.nix
- ./caddy.nix
+ ./oauth2.nix
 ];
+ users.groups.acme.members = ["nginx"];
+ services.nginx.enable = true;
+
 extra.promtail = {
 enable = true;
 proxy = "sentinel";
diff --git a/hosts/sentinel/oauth2.nix b/hosts/sentinel/oauth2.nix
new file mode 100644
index 0000000..649c067
--- /dev/null
+++ b/hosts/sentinel/oauth2.nix
@@ -0,0 +1,33 @@
+{
+ lib,
+ config,
+ pkgs,
+ ...
+}: {
+ extra.oauth2_proxy = {
+ enable = true;
+ cookieDomain = config.repo.secrets.local.personalDomain;
+ authProxyDomain = "sentinel.${config.repo.secrets.local.personalDomain}";
+ };
+
+ age.secrets.oauth2-proxy-secret = {
+ rekeyFile = ./secrets/oauth2-proxy-secret.age;
+ mode = "440";
+ group = "oauth2_proxy";
+ };
+
+ services.oauth2_proxy = {
+ # TODO cookie refresh
+ provider = "oidc";
+ scope = "openid";
+ loginURL = "https://${config.proxiedDomains.kanidm}/ui/oauth2";
+ redeemURL = "https://${config.proxiedDomains.kanidm}/oauth2/token";
+ validateURL = "https://${config.proxiedDomains.kanidm}/oauth2/openid/web-sentinel/userinfo";
+ clientID = "web-sentinel";
+ keyFile = config.age.secrets.oauth2-proxy-secret.path;
+
+ email.domains = ["*"];
+
+ extraConfig.skip-provider-button = true;
+ };
+}
diff --git a/hosts/sentinel/secrets/caddy-env.age b/hosts/sentinel/secrets/caddy-env.age
deleted file mode 100644
index e778980..0000000
Binary files a/hosts/sentinel/secrets/caddy-env.age and /dev/null differ
diff --git a/hosts/sentinel/secrets/dhparams.pem.age b/hosts/sentinel/secrets/dhparams.pem.age
new file mode 100644
index 0000000..4062e46
Binary files /dev/null and b/hosts/sentinel/secrets/dhparams.pem.age differ
diff --git a/hosts/sentinel/secrets/oauth2-proxy-secret.age b/hosts/sentinel/secrets/oauth2-proxy-secret.age
new file mode 100644
index 0000000..4b09340
Binary files /dev/null and b/hosts/sentinel/secrets/oauth2-proxy-secret.age differ
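Review bot: In the new oauth2.nix, `email.domains = ["*"]` accepts every identity the provider will issue a token for, so who may reach the services behind this portal is now decided solely by which kanidm accounts are allowed to use the `web-sentinel` client; that should be recorded next to the line, e.g. `# Any kanidm account permitted to use the web-sentinel client may log in; group restrictions live in kanidm, not here.` The scope was narrowed to `openid` whereas the removed Caddy configuration requested `openid email profile`; oauth2-proxy's oidc provider looks for an email claim by default, so if kanidm only emits it when the `email` scope is requested, logins would be rejected — confirm against the provider or set `scope = "openid email";`. `web-sentinel` is spelled twice, once in `clientID` and once inside the `validateURL` path; binding it once, `services.oauth2_proxy = let oauthClientId = "web-sentinel"; in { … validateURL = "https://${config.proxiedDomains.kanidm}/oauth2/openid/${oauthClientId}/userinfo"; clientID = oauthClientId; … }`, keeps the two from drifting apart. `keyFile` is consumed by oauth2-proxy as an environment file, so the `oauth2-proxy-secret.age` payload presumably carries both `OAUTH2_PROXY_CLIENT_SECRET` and `OAUTH2_PROXY_COOKIE_SECRET` — worth confirming, since nothing else in this file sets the cookie secret that signs and encrypts the session cookie shared across `cookieDomain`. The `# TODO cookie refresh` could state the consequence it is tracking: until refresh is enabled, an issued session stays valid for the full cookie lifetime even after the account is disabled or removed from the group at the IdP.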