feat: prepare sentinel for webapp oauth2 authentication
parent
19acca7cba
commit
6b81ecd961
9 changed files with 145 additions and 68 deletions
|
@ -1,14 +1,19 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
nodes,
|
||||
nodeName,
|
||||
pkgs,
|
||||
...
|
||||
}: {
|
||||
users.groups.acme.members = ["caddy"];
|
||||
|
||||
services.caddy = {
|
||||
age.secrets.caddy-env = {
|
||||
rekeyFile = ./secrets/caddy-env.age;
|
||||
mode = "440";
|
||||
group = "caddy";
|
||||
};
|
||||
|
||||
services.caddy = let
|
||||
proxyAuthDomain = "sentinel.${config.repo.secrets.local.personalDomain}";
|
||||
in {
|
||||
enable = true;
|
||||
package = pkgs.caddy.withPackages {
|
||||
plugins = [
|
||||
|
@ -19,5 +24,52 @@
|
|||
];
|
||||
vendorHash = "sha256-RqSXQihtY5+ACaMo7bLdhu1A+qcraexb1W/Ia+aUF1k";
|
||||
};
|
||||
|
||||
virtualHosts.${proxyAuthDomain} = {
|
||||
useACMEHost = config.lib.extra.matchingWildcardCert proxyAuthDomain;
|
||||
extraConfig = ''
|
||||
import common
|
||||
authenticate with myportal
|
||||
'';
|
||||
};
|
||||
|
||||
globalConfig = ''
|
||||
order authenticate before respond
|
||||
order authorize before basicauth
|
||||
|
||||
security {
|
||||
oauth identity provider kanidm {
|
||||
realm kanidm
|
||||
driver generic
|
||||
client_id web-sentinel
|
||||
client_secret {env.KANIDM_CLIENT_SECRET}
|
||||
scopes openid email profile
|
||||
base_auth_url https://${config.proxiedDomains.kanidm}/ui/oauth2
|
||||
metadata_url https://${config.proxiedDomains.kanidm}/oauth2/openid/sentinel/.well-known/openid-configuration
|
||||
}
|
||||
|
||||
authentication portal myportal {
|
||||
enable identity provider kanidm
|
||||
cookie domain ${config.repo.secrets.local.personalDomain}
|
||||
ui {
|
||||
links {
|
||||
"My Identity" "/whoami" icon "las la-user"
|
||||
}
|
||||
}
|
||||
|
||||
transform user {
|
||||
match realm kanidm
|
||||
action add role authp/user
|
||||
}
|
||||
|
||||
#transform user {
|
||||
# match realm kanidm
|
||||
# match scope read:access_aguardhome
|
||||
# action add role authp/admin
|
||||
#}
|
||||
}
|
||||
'';
|
||||
};
|
||||
|
||||
systemd.services.caddy.serviceConfig.environmentFile = config.age.secrets.caddy-env.path;
|
||||
}
|
||||
|
|
|
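Review bot: `systemd.services.caddy.serviceConfig.environmentFile` at the end of the second hunk is most likely not a valid key: `serviceConfig` entries are written verbatim into the generated unit file and the systemd directive is `EnvironmentFile=`, so the lower-case spelling would be emitted as an unknown key that systemd ignores, and `client_secret {env.KANIDM_CLIENT_SECRET}` in the portal config would then resolve to an empty secret at runtime. Unless a local module defines an `environmentFile` alias, it should read `systemd.services.caddy.serviceConfig.EnvironmentFile = config.age.secrets.caddy-env.path;`. The secret itself being deployed with mode `440` and group `caddy` is adequate because systemd reads `EnvironmentFile=` before dropping to the service user; it would also be worth adding a short comment on the `age.secrets.caddy-env` block naming the variables the file is expected to contain (`KANIDM_CLIENT_SECRET`) so the two halves stay in sync. A smaller point: the commented-out scope `read:access_aguardhome` looks like a misspelling of adguardhome and would silently never match once that transform is enabled.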
@ -16,4 +16,9 @@
|
|||
./acme.nix
|
||||
./caddy.nix
|
||||
];
|
||||
|
||||
extra.promtail = {
|
||||
enable = true;
|
||||
proxy = "sentinel";
|
||||
};
|
||||
}
|
||||
|
|
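Review bot: `proxy = "sentinel";` in the new `extra.promtail` block is set on the sentinel host itself, so promtail on this node would be configured to reach Loki through its own reverse proxy; it is not visible here whether the `extra.promtail` module special-cases the local host, so please confirm it does not loop traffic through the public vhost or require the basic-auth secret added in this commit to be present on the same node. A one-line comment such as `# sentinel fronts loki for the other nodes but ships its own logs through the same proxy` (or whatever the intended topology is) would make the self-reference intentional rather than surprising to the next reader.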
BIN
hosts/sentinel/secrets/caddy-env.age
Normal file
BIN
hosts/sentinel/secrets/caddy-env.age
Normal file
Binary file not shown.
11
hosts/sentinel/secrets/promtail-loki-basic-auth-password.age
Normal file
11
hosts/sentinel/secrets/promtail-loki-basic-auth-password.age
Normal file
|
@ -0,0 +1,11 @@
|
|||
age-encryption.org/v1
|
||||
-> X25519 5yDq2pctzyK8uUxKxekOz9tHbmUq4JKCzEbBCYQ79w0
|
||||
lFsTmuUufwYoZ1fAbs7BCmaU3h6Mck8w98TmUdahWP8
|
||||
-> piv-p256 xqSe8Q Aul+3eIiUD0DWAiRPR7Ms4l9ohF+62P98EYqngOFOwU9
|
||||
TdW4WUaIeT7rC9eeGjEM1jPEp/LE1q2V3/fQFLyjbtk
|
||||
-> yYnni-grease 2a
|
||||
SV/4RAhtPi8LsDwcXpwT8AZQCwwJ1tu0R3aN8r7J5cs2RCNGKvNYhU3WRZ6XUi84
|
||||
S1SGmd886W3twPhMYSjm9j8IqqJ5iaWq0IXPpxLZIpv1viS4jDoLgMcKxFbKI97z
|
||||
5OCc
|
||||
--- 30SxKU9DX+vU3e/fd4upxOLcv4DSujy06P+Ja2yHPjM
|
||||
¾?ÙGu>ir7åyÛ¦mé–`Ç‘·"AêM7´^…ì�÷‘ÏM*ÿO%BÜÁÂRµQ©Â“§^Hxï_ÑÎ;e‚ü—ÃdW�3†q0\ª4:Ü
|