From 5f02889bd052fab79c9a1e3c5191939ced13fbc3 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Wed, 21 Jun 2023 23:57:33 +0200
Subject: [PATCH] feat: remove caddy, enable nginx with oauth2_proxy

---
hosts/sentinel/caddy.nix | 75 ------------------
hosts/sentinel/default.nix | 5 +-
hosts/sentinel/oauth2.nix | 33 ++++++++
hosts/sentinel/secrets/caddy-env.age | Bin 495 -> 0 bytes
hosts/sentinel/secrets/dhparams.pem.age | Bin 0 -> 1129 bytes
.../sentinel/secrets/oauth2-proxy-secret.age | Bin 0 -> 476 bytes
6 files changed, 37 insertions(+), 76 deletions(-)
delete mode 100644 hosts/sentinel/caddy.nix
create mode 100644 hosts/sentinel/oauth2.nix
delete mode 100644 hosts/sentinel/secrets/caddy-env.age
create mode 100644 hosts/sentinel/secrets/dhparams.pem.age
create mode 100644 hosts/sentinel/secrets/oauth2-proxy-secret.age

diff --git a/hosts/sentinel/caddy.nix b/hosts/sentinel/caddy.nix
deleted file mode 100644
index b6fba7e..0000000
--- a/hosts/sentinel/caddy.nix
+++ /dev/null
@@ -1,75 +0,0 @@
-{
- config,
- pkgs,
- ...
-}: {
- users.groups.acme.members = ["caddy"];
-
- age.secrets.caddy-env = {
- rekeyFile = ./secrets/caddy-env.age;
- mode = "440";
- group = "caddy";
- };
-
- services.caddy = let
- proxyAuthDomain = "sentinel.${config.repo.secrets.local.personalDomain}";
- in {
- enable = true;
- package = pkgs.caddy.withPackages {
- plugins = [
- {
- name = "github.com/greenpau/caddy-security";
- version = "v1.1.18";
- }
- ];
- vendorHash = "sha256-RqSXQihtY5+ACaMo7bLdhu1A+qcraexb1W/Ia+aUF1k";
- };
-
- virtualHosts.${proxyAuthDomain} = {
- useACMEHost = config.lib.extra.matchingWildcardCert proxyAuthDomain;
- extraConfig = ''
- import common
- authenticate with myportal
- '';
- };
-
- globalConfig = ''
- order authenticate before respond
- order authorize before basicauth
-
- security {
- oauth identity provider kanidm {
- realm kanidm
- driver generic
- client_id web-sentinel
- client_secret {env.KANIDM_CLIENT_SECRET}
- scopes openid email profile
- base_auth_url https://${config.proxiedDomains.kanidm}/ui/oauth2
- metadata_url https://${config.proxiedDomains.kanidm}/oauth2/openid/sentinel/.well-known/openid-configuration
- }
-
- authentication portal myportal {
- enable identity provider kanidm
- cookie domain ${config.repo.secrets.local.personalDomain}
- ui {
- links {
- "My Identity" "/whoami" icon "las la-user"
- }
- }
-
- transform user {
- match realm kanidm
- action add role authp/user
- }
-
- #transform user {
- # match realm kanidm
- # match scope read:access_aguardhome
- # action add role authp/admin
- #}
- }
- '';
- };
-
- systemd.services.caddy.serviceConfig.environmentFile = config.age.secrets.caddy-env.path;
-}
diff --git a/hosts/sentinel/default.nix b/hosts/sentinel/default.nix
index 776caba..db339c2 100644
--- a/hosts/sentinel/default.nix
+++ b/hosts/sentinel/default.nix
@@ -14,9 +14,12 @@
 ./net.nix
 ./acme.nix
- ./caddy.nix
+ ./oauth2.nix
 ];
+ users.groups.acme.members = ["nginx"];
+ services.nginx.enable = true;
+
 extra.promtail = {
 enable = true;
 proxy = "sentinel";
diff --git a/hosts/sentinel/oauth2.nix b/hosts/sentinel/oauth2.nix
new file mode 100644
index 0000000..649c067
--- /dev/null
+++ b/hosts/sentinel/oauth2.nix
@@ -0,0 +1,33 @@
+{
+ lib,
+ config,
+ pkgs,
+ ...
+}: {
+ extra.oauth2_proxy = {
+ enable = true;
+ cookieDomain = config.repo.secrets.local.personalDomain;
+ authProxyDomain = "sentinel.${config.repo.secrets.local.personalDomain}";
+ };
+
+ age.secrets.oauth2-proxy-secret = {
+ rekeyFile = ./secrets/oauth2-proxy-secret.age;
+ mode = "440";
+ group = "oauth2_proxy";
+ };
+
+ services.oauth2_proxy = {
+ # TODO cookie refresh
+ provider = "oidc";
+ scope = "openid";
+ loginURL = "https://${config.proxiedDomains.kanidm}/ui/oauth2";
+ redeemURL = "https://${config.proxiedDomains.kanidm}/oauth2/token";
+ validateURL = "https://${config.proxiedDomains.kanidm}/oauth2/openid/web-sentinel/userinfo";
+ clientID = "web-sentinel";
+ keyFile = config.age.secrets.oauth2-proxy-secret.path;
+
+ email.domains = ["*"];
+
+ extraConfig.skip-provider-button = true;
+ };
+}
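Review bot: `services.nginx.enable = true;` is the only nginx setting added in the default.nix hunk, so TLS and proxy hardening (`services.nginx.recommendedTlsSettings`, `services.nginx.recommendedProxySettings`) is either set by a module outside this diff or absent; worth confirming now that nginx fronts the auth proxy. The diffstat also creates `hosts/sentinel/secrets/dhparams.pem.age`, but no hunk in this patch declares an `age.secrets` entry for it or wires it into `services.nginx.sslDhparam`, so it is presumably consumed elsewhere — if not, it is an unused secret. `users.groups.acme.members = ["nginx"]` gives nginx read access to every certificate owned by the acme group, which matches the previous caddy setup. The enclosing attribute set starts and ends outside the hunk.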
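Review bot: `email.domains = ["*"];` in the oauth2.nix hunk makes every account the IdP is willing to authenticate an authorized user, so the proxy now provides authentication only and authorization rests entirely on how the `web-sentinel` client is scoped in Kanidm; the removed caddy config at least carried a per-scope role transform. If Kanidm emits a groups claim for this client, restricting with oauth2-proxy's `--allowed-group` flag (via `extraConfig`) would keep an authorization check at the proxy instead of `*`. `scope = "openid"` without `email`/`profile` relies on `validateURL` (the userinfo endpoint) to supply the email address oauth2-proxy requires — presumably fine with Kanidm, but a one-line comment would help since the old config requested `openid email profile`. The `# TODO cookie refresh` note would be clearer naming the pending option, e.g. `# TODO set cookie-refresh so sessions are re-validated before the upstream token expires`.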
diff --git a/hosts/sentinel/secrets/caddy-env.age b/hosts/sentinel/secrets/caddy-env.age deleted file mode 100644 index e778980d3279b496a6801fe57d31fc64cab8eeb5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 495 zcmWm8JB!l*003ZJj=Q+J2ntz_1A8$^o1}?DA!%&-OfN}mlB#H$rfJ@3UQHu7-R9tM z%YixzA}5HTAPC|l=pYJ;;>{v@;3z)u?iYNYW*U&;>(MeytiV4PL?)b}08|5&GLEAZ zIBnQ+F-W^`)KpNqf%mvN-q5YKlkz4``-EUPG%2tbFEnVt8jGzFNk|=qr5SXHBnB&M zQV&kWMNUg?RbVUDG{hNMMUI5f%Al}}6JS1<3{n8;64#GWnMvIeSKmrvYa#ea#qLm* zo*)&HC!sTGthNOlQR{$+P@K%&z%#Vx zxK%doh?pn)aiYp2Y`z3sr|x0xR!hqyUh4}wZ02J^7y=Lkfs*gVa-Iveo<{I;E6nGj zPE`%cZSx$Hll<6eGJI>&T2>rj=i2=PY=eHc+r6{@arJVaJh@#(wtwwiy%nrHy#4C= zq;%>uCx3mi{`UL7^EZp(mDNAbzHQvQ{_+y^{?X^XnezBWcje8Q6N|q;zU2EmpEd`_ YYroIl{jhe-n5?~??LKgS-r%492Q$X6*8l(j diff --git a/hosts/sentinel/secrets/dhparams.pem.age b/hosts/sentinel/secrets/dhparams.pem.age new file mode 100644 index 0000000000000000000000000000000000000000..4062e4628470a9771601efc71f8d918c11404cb3 GIT binary patch literal 1129 zcmV-v1eW_@XJsvAZewzJaCB*JZZ2f!Gf_xJW;bDOM^7tnPhu-&XjlqCFJ)p=Pc?38K|wHbcStWt zT4YC4OiWR0VlXgMV@Yvvb5mzBbVqY}Fi8q6J|IRdXL4m>b7cxxSVuNTbVE5yQZjEe zOh{KoWie}EQBrJ3FjZ=CY%gqSLMu2qaZL&>EiE8IX;V>4OiDsXVnq zpUfAaH^Cn5wCf|-K9NsS6aw}b!+G418CZ6jiW86U6A3)VdCoFEjN zBxnpy7W7`pFUkY* zv6}+D<4-z|u=K(ChCC4NHv#zqLsX^|Nt6|kq$}koE$O+X(+Ps1dJ+c;&~C@=U5XK`x~e-eZsN0tl7%0opOm_4Rit^*+Rmn4)Sq4=F6D< z1LQ7dU^gghyt|#_vctjcrpTkU*Oh4XEX z{fS32vILWWNh25CiicF1=^nOAiWiKF0en-Nu$h_Dj+)f>Ht{OT2VK170(8PWkD*qy zGS-c0Hc3{b3LVJd2XZurSrlQsMk(O2{8sttd;C*S{cZxH6aoAdknNc vu-?G6vR3ZtJmW%|x;?4(ZC$71K&EYb1)ubFoWF>pb(D5A6^@DL^8D3nQpfh% literal 0 HcmV?d00001 
diff --git a/hosts/sentinel/secrets/oauth2-proxy-secret.age b/hosts/sentinel/secrets/oauth2-proxy-secret.age new file mode 100644 index 0000000000000000000000000000000000000000..4b09340d7bb252d2e6b1d5d3392c77e169d02f2f GIT binary patch literal 476 zcmWm7J&V&|007`~5zQ(%9vLbQAvQ_#=9)!Fnx;)so3A!$yXE`i+PrC+rk5;&qv&vh zn;;0{aEKu4;ixX>p$P5{3Uc7+FOYlwz~e*#9%Noo=Vb!3JFtk_6^Yb8)VfynT$v{6U=yr_~v|(l*E=-HoJPvhH!2Ql$u)8 z4PDZN&2ITP=YT!39C$h8NrmSWV9=wr8FY1&gB+y~4yc)I)V{lolEcPZO`I_18#mJe zd83#NO|CmDr;!jRJW1XvXriP!&(>US1#`<53Yf zn*h=4kyGfVQxgJ!{hg1I*cM7dofOQV@_Cotk1t-n xKK-(H{^A=}o-I#*sI8x`K7Tl$JiPzw