diff --git a/hosts/sentinel/oauth2.nix b/hosts/sentinel/oauth2.nix
index 7e80012..51c2df3 100644
--- a/hosts/sentinel/oauth2.nix
+++ b/hosts/sentinel/oauth2.nix
@@ -3,7 +3,7 @@
 nodes,
 ...
 }: {
- meta.oauth2_proxy = {
+ meta.oauth2-proxy = {
 enable = true;
 cookieDomain = config.repo.secrets.global.domains.me;
 portalDomain = "oauth2.${config.repo.secrets.global.domains.me}";
@@ -13,7 +13,7 @@
 age.secrets.oauth2-cookie-secret = {
 rekeyFile = ./secrets/oauth2-cookie-secret.age;
 mode = "440";
- group = "oauth2_proxy";
+ group = "oauth2-proxy";
 };
 # Mirror the original oauth2 secret, but prepend OAUTH2_PROXY_CLIENT_SECRET=
@@ -32,10 +32,10 @@
 ${decrypt} ${lib.escapeShellArg (lib.head deps).file}
 '';
 mode = "440";
- group = "oauth2_proxy";
+ group = "oauth2-proxy";
 };
- services.oauth2_proxy = let
+ services.oauth2-proxy = let
 clientId = "web-sentinel";
 in {
 provider = "oidc";
@@ -53,7 +53,7 @@
 };
 };
- systemd.services.oauth2_proxy.serviceConfig.EnvironmentFile = [
+ systemd.services.oauth2-proxy.serviceConfig.EnvironmentFile = [
 config.age.secrets.oauth2-cookie-secret.path
 config.age.secrets.oauth2-client-secret.path
 ];
diff --git a/hosts/ward/guests/adguardhome.nix b/hosts/ward/guests/adguardhome.nix
index b4979be..8c9632b 100644
--- a/hosts/ward/guests/adguardhome.nix
+++ b/hosts/ward/guests/adguardhome.nix
@@ -9,7 +9,7 @@
 in {
 wireguard.proxy-sentinel = {
 client.via = "sentinel";
- firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.adguardhome.settings.bind_port];
+ firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.adguardhome.settings.port];
 };
 nodes.sentinel = {
@@ -17,7 +17,7 @@ in {
 services.nginx = {
 upstreams.adguardhome = {
- servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.adguardhome.settings.bind_port}" = {};
+ servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.adguardhome.settings.port}" = {};
 extraConfig = ''
 zone adguardhome 64k;
 keepalive 2;
@@ -55,8 +55,8 @@ in {
 # simpler sed dns.host_addr logic.
 mutableSettings = false;
 settings = {
- bind_host = "0.0.0.0";
- bind_port = 3000;
+ host = "0.0.0.0";
+ port = 3000;
 dns = {
 bind_hosts = [
 # This dummy address passes the configuration check and will
diff --git a/modules/config/users.nix b/modules/config/users.nix
index 8c00826..c57c9e6 100644
--- a/modules/config/users.nix
+++ b/modules/config/users.nix
@@ -19,7 +19,7 @@
 kanidm = uidGid 990;
 loki = uidGid 989;
 vaultwarden = uidGid 988;
- oauth2_proxy = uidGid 987;
+ oauth2-proxy = uidGid 987;
 influxdb2 = uidGid 986;
 telegraf = uidGid 985;
 rtkit = uidGid 984;
diff --git a/modules/oauth2-proxy.nix b/modules/oauth2-proxy.nix
index 42e6309..d16fc46 100644
--- a/modules/oauth2-proxy.nix
+++ b/modules/oauth2-proxy.nix
@@ -14,9 +14,9 @@
 types
 ;
- cfg = config.meta.oauth2_proxy;
+ cfg = config.meta.oauth2-proxy;
 in {
- options.meta.oauth2_proxy = {
+ options.meta.oauth2-proxy = {
 enable = mkEnableOption "oauth2 proxy";
 cookieDomain = mkOption {
@@ -33,7 +33,7 @@ in {
 options.services.nginx.virtualHosts = mkOption {
 type = types.attrsOf (types.submodule ({config, ...}: {
 options.oauth2 = {
- enable = mkEnableOption "access protection of this resource using oauth2_proxy.";
+ enable = mkEnableOption "access protection of this resource using oauth2-proxy.";
 allowedGroups = mkOption {
 type = types.listOf types.str;
 default = [];
@@ -44,9 +44,9 @@ in {
 };
 };
 config = mkIf config.oauth2.enable {
- locations."/".extraConfig = ''
+ extraConfig = ''
 auth_request /oauth2/auth;
- error_page 401 = /oauth2/sign_in;
+ error_page 401 = @redirectToAuth2ProxyLogin;
 # pass information via X-User and X-Email headers to backend,
 # requires running with --set-xauthrequest flag
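Review bot: With `auth_request /oauth2/auth;` moved from `locations."/".extraConfig` to the vhost-level `extraConfig` in the hunk at -44 of modules/oauth2-proxy.nix, every location of a protected vhost is now denied by default, and any endpoint that must stay reachable without a session has to opt out with `auth_request off;` — the hunk at -60 does that for `= /oauth2/auth` and the new named location, but nothing in the module says why. I would state it where the directive is set, e.g. `# Server-scoped: every location of this vhost requires a valid oauth2-proxy session unless it sets auth_request off;`. The enclosing `config = mkIf config.oauth2.enable {` continues past the end of the hunk.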
@@ -60,20 +60,20 @@ in {
 add_header Set-Cookie $auth_cookie;
 '';
- locations."/oauth2/" = {
- proxyPass = "http://oauth2_proxy";
+ locations."@redirectToAuth2ProxyLogin" = {
+ return = "307 https://${cfg.portalDomain}/oauth2/start?rd=$scheme://$host$request_uri";
 extraConfig = ''
- proxy_set_header X-Scheme $scheme;
- proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
+ auth_request off;
 '';
 };
 locations."= /oauth2/auth" = {
 proxyPass =
- "http://oauth2_proxy/oauth2/auth"
+ "http://oauth2-proxy/oauth2/auth"
 + optionalString (config.oauth2.allowedGroups != []) "?allowed_groups=${concatStringsSep "," config.oauth2.allowedGroups}";
 extraConfig = ''
+ auth_request off;
 internal;
 proxy_set_header X-Scheme $scheme;
@@ -87,9 +87,12 @@ in {
 };
 config = mkIf cfg.enable {
- services.oauth2_proxy = {
+ services.oauth2-proxy = {
 enable = true;
+ # Needed to prevent evaluation error (should theoretically be fixed upstream...)
+ nginx.domain = "dummy";
+ cookie.domain = ".${cfg.cookieDomain}";
 cookie.secure = true;
 # FIXME disabled because of errors. My closest guess is that this
@@ -100,7 +103,7 @@ in {
 clientSecret = mkDefault null;
 reverseProxy = true;
- httpAddress = "unix:///run/oauth2_proxy/oauth2_proxy.sock";
+ httpAddress = "unix:///run/oauth2-proxy/oauth2-proxy.sock";
 redirectURL = "https://${cfg.portalDomain}/oauth2/callback";
 setXauthrequest = true;
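Review bot: `cookie.domain = ".${cfg.cookieDomain}";` in the hunk at -87 widens the session cookie to every host under the parent domain; that is what lets the per-vhost `= /oauth2/auth` subrequests see a login made on the portal, but it also means any other site served under that domain receives the cookie, and the hunk leaves that trade-off undocumented. I would add `# Parent-domain scope: one login covers every protected vhost, but every host under cookieDomain also receives this cookie.` above the line. The `nginx.domain = "dummy";` workaround just above it would be easier to retire later if its comment linked the upstream module issue being worked around (`<upstream issue URL>`), since "should theoretically be fixed upstream" gives a future maintainer nothing to check.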
@@ -116,20 +119,20 @@ in {
 };
 };
- systemd.services.oauth2_proxy.serviceConfig = {
- RuntimeDirectory = "oauth2_proxy";
+ systemd.services.oauth2-proxy.serviceConfig = {
+ RuntimeDirectory = "oauth2-proxy";
 RuntimeDirectoryMode = "0750";
 UMask = "007";
 # TODO remove once https://github.com/oauth2-proxy/oauth2-proxy/issues/2141 is fixed
 RestartSec = "60"; # Retry every minute
 };
- users.groups.oauth2_proxy.members = ["nginx"];
+ users.groups.oauth2-proxy.members = ["nginx"];
 services.nginx = {
- upstreams.oauth2_proxy = {
- servers."unix:/run/oauth2_proxy/oauth2_proxy.sock" = {};
+ upstreams.oauth2-proxy = {
+ servers."unix:/run/oauth2-proxy/oauth2-proxy.sock" = {};
 extraConfig = ''
- zone oauth2_proxy 64k;
+ zone oauth2-proxy 64k;
 keepalive 2;
 '';
 };
@@ -138,7 +141,15 @@ in {
 forceSSL = true;
 useACMEWildcardHost = true;
 oauth2.enable = true;
- locations."/".proxyPass = "http://oauth2_proxy";
+ locations."/".proxyPass = "http://oauth2-proxy";
+
+ locations."/oauth2/" = {
+ proxyPass = "http://oauth2-proxy";
+ extraConfig = ''
+ proxy_set_header X-Scheme $scheme;
+ proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
+ '';
+ };
 };
 };
 };
diff --git a/pkgs/default.nix b/pkgs/default.nix
index 80c60ef..42c07d9 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -8,8 +8,8 @@
 provisionSrc = prev.fetchFromGitHub {
 owner = "oddlama";
 repo = "kanidm-provision";
- rev = "aa7a1c8ec04622745b385bd3b0462e1878f56b51";
- hash = "sha256-NRolS3l2kARjkhWP7FYUG//KCEiueh48ZrADdCDb9Zg=";
+ rev = "v1.0.1";
+ hash = "sha256-tSr2I7bGEwJoC5C7BOmru2oh9ta04WVTz449KePYSK4=";
 };
 in {
 patches =
diff --git a/pkgs/kanidm-provision.nix b/pkgs/kanidm-provision.nix
index c3b5891..9b8bf01 100644
--- a/pkgs/kanidm-provision.nix
+++ b/pkgs/kanidm-provision.nix
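Review bot: The `locations."/oauth2/"` block added to the portal vhost in the hunk at -138 has no `auth_request off;`, yet `oauth2.enable = true;` on the same vhost now places `auth_request /oauth2/auth;` at server scope (hunk at -44 of this file), which nginx inherits into every location that does not override it. As far as I can tell that makes an unauthenticated visit to `/oauth2/start` or `/oauth2/callback` on the portal fail the auth subrequest and get bounced back to `/oauth2/start` by `@redirectToAuth2ProxyLogin`, i.e. a redirect loop instead of a login. Adding `auth_request off;` as the first line of that location's `extraConfig` would exempt the login endpoints the same way the hunk at -60 exempts `= /oauth2/auth`.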
@@ -5,16 +5,16 @@
 }:
 rustPlatform.buildRustPackage rec {
 pname = "kanidm-provision";
- version = "1.0.0";
+ version = "1.0.1";
 src = fetchFromGitHub {
 owner = "oddlama";
 repo = "kanidm-provision";
 rev = "v${version}";
- hash = "sha256-T6kiBUdOMHCWRUF/vepoPrvaULDQrUGYsd/3I11HCLY=";
+ hash = "sha256-tSr2I7bGEwJoC5C7BOmru2oh9ta04WVTz449KePYSK4=";
 };
- cargoHash = "sha256-nHp3C6szJxOogH/kETIqcQQNhFqBCO0P66j7n3UHuwo=";
+ cargoHash = "sha256-LRPpAIH+pXThS+HJ63kVbxMMoBgsky1nf99RWarX7/0=";
 meta = with lib; {
 description = "A small utility to help with kanidm provisioning";