sokai/mynixos-config
1
1
Fork 0
forked from mirrors_public/oddlama_nix-config
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: promote oauth proxy config to a nginx virtualHosts option

Browse source
This commit is contained in:
oddlama 2023-06-22 02:55:22 +02:00
parent a092a5a846
commit 71dbda6262
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
8 changed files with 136 additions and 98 deletions
Download patch file Download diff file Expand all files Collapse all files

12
hosts/sentinel/oauth2.nix
View file

@ -17,7 +17,6 @@
}; };
services.oauth2_proxy = { services.oauth2_proxy = {
# TODO cookie refresh
provider = "oidc"; provider = "oidc";
scope = "openid"; scope = "openid";
loginURL = "https://${config.proxiedDomains.kanidm}/ui/oauth2"; loginURL = "https://${config.proxiedDomains.kanidm}/ui/oauth2";
@ -25,9 +24,16 @@
validateURL = "https://${config.proxiedDomains.kanidm}/oauth2/openid/web-sentinel/userinfo"; validateURL = "https://${config.proxiedDomains.kanidm}/oauth2/openid/web-sentinel/userinfo";
clientID = "web-sentinel"; clientID = "web-sentinel";
keyFile = config.age.secrets.oauth2-proxy-secret.path; keyFile = config.age.secrets.oauth2-proxy-secret.path;
email.domains = ["*"]; email.domains = ["*"];
extraConfig.skip-provider-button = true; extraConfig = {
# TODO good idea? would fail when offline
# TODO autorestart after 30 minutes, infinite times.
oidc-issuer-url = "https://${config.proxiedDomains.kanidm}/oauth2/openid/web-sentinel";
skip-provider-button = true;
# TODO away
show-debug-on-error = true;
};
}; };
} }

BIN
hosts/sentinel/secrets/oauth2-proxy-secret.age
View file

Binary file not shown.

5
hosts/ward/microvms/adguardhome/default.nix
View file

@ -24,7 +24,6 @@ in {
nodes.sentinel = { nodes.sentinel = {
proxiedDomains.adguard = adguardhomeDomain; proxiedDomains.adguard = adguardhomeDomain;
extra.oauth2_proxy.nginx.virtualHosts."${adguardhomeDomain}".allowedGroups = ["adguardhome"];
services.nginx = { services.nginx = {
upstreams.adguardhome = { upstreams.adguardhome = {
servers."${config.services.adguardhome.settings.bind_host}:${toString config.services.adguardhome.settings.bind_port}" = {}; servers."${config.services.adguardhome.settings.bind_host}:${toString config.services.adguardhome.settings.bind_port}" = {};
@ -36,8 +35,10 @@ in {
virtualHosts.${adguardhomeDomain} = { virtualHosts.${adguardhomeDomain} = {
forceSSL = true; forceSSL = true;
useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert adguardhomeDomain; useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert adguardhomeDomain;
oauth2.enable = true;
oauth2.allowedGroups = ["adguardhome"];
locations."/" = { locations."/" = {
proxyPass = "https://adguardhome"; proxyPass = "http://adguardhome";
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };

2
hosts/ward/microvms/grafana/default.nix
View file

@ -54,7 +54,7 @@ in {
forceSSL = true; forceSSL = true;
useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert grafanaDomain; useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert grafanaDomain;
locations."/" = { locations."/" = {
proxyPass = "https://grafana"; proxyPass = "http://grafana";
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };

4
hosts/ward/microvms/loki/default.nix
View file

@ -45,7 +45,7 @@ in {
forceSSL = true; forceSSL = true;
useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert lokiDomain; useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert lokiDomain;
locations."/" = { locations."/" = {
proxyPass = "https://loki"; proxyPass = "http://loki";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = '' extraConfig = ''
auth_basic "Authentication required"; auth_basic "Authentication required";
@ -58,7 +58,7 @@ in {
''; '';
}; };
locations."= /ready" = { locations."= /ready" = {
proxyPass = "https://loki"; proxyPass = "http://loki";
extraConfig = '' extraConfig = ''
auth_basic off; auth_basic off;
access_log off; access_log off;

BIN
hosts/ward/microvms/loki/secrets/loki-basic-auth-hashes.age
View file

Binary file not shown.

33
modules/extra.nix
View file

@ -37,6 +37,29 @@ in {
}; };
}; };
options.services.nginx.virtualHosts = mkOption {
type = types.attrsOf (types.submodule ({config, ...}: {
options.recommendedSecurityHeaders = mkOption {
type = types.bool;
default = true;
description = mdDoc ''Whether to add additional security headers to the "/" location.'';
};
config = mkIf config.recommendedSecurityHeaders {
locations."/".extraConfig = ''
# Enable HTTP Strict Transport Security (HSTS)
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
# Minimize information leaked to other domains
add_header Referrer-Policy "origin-when-cross-origin";
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options "DENY";
add_header X-Content-Type-Options "nosniff";
'';
};
}));
};
config = { config = {
lib.extra = { lib.extra = {
# For a given domain, this searches for a matching wildcard acme domain that # For a given domain, this searches for a matching wildcard acme domain that
@ -80,16 +103,6 @@ in {
error_log syslog:server=unix:/dev/log; error_log syslog:server=unix:/dev/log;
access_log syslog:server=unix:/dev/log; access_log syslog:server=unix:/dev/log;
ssl_ecdh_curve secp384r1; ssl_ecdh_curve secp384r1;
# Enable HTTP Strict Transport Security (HSTS)
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
# Minimize information leaked to other domains
add_header Referrer-Policy "origin-when-cross-origin";
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options "DENY";
add_header X-Content-Type-Options "nosniff";
''; '';
}; };

178
modules/oauth2-proxy.nix
View file

@ -37,13 +37,24 @@ in {
nginx.virtualHosts = mkOption { nginx.virtualHosts = mkOption {
default = {}; default = {};
description = mdDoc '' description =
Access to all virtualHostst that have an entry here will be put behind mdDoc ''
the oauth2 proxy, requiring authentication before users can access the resource. '';
Also set `allowedGroups` for granuar access control. type =
''; types.attrsOf (types.submodule {
type = types.attrsOf (types.submodule { });
options.allowedGroups = mkOption { };
};
options.services.nginx.virtualHosts = mkOption {
type = types.attrsOf (types.submodule ({
name,
config,
...
}: {
options.oauth2 = {
enable = mkEnableOption (mdDoc "access protection of this resource using oauth2_proxy.");
allowedGroups = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = []; default = [];
description = mdDoc '' description = mdDoc ''
@ -51,21 +62,73 @@ in {
empty list to allow any authenticated client. empty list to allow any authenticated client.
''; '';
}; };
}); };
}; config = mkIf config.oauth2.enable {
locations."/".extraConfig = ''
auth_request /oauth2/auth;
error_page 401 = /oauth2/sign_in;
# pass information via X-User and X-Email headers to backend,
# requires running with --set-xauthrequest flag
auth_request_set $user $upstream_http_x_auth_request_user;
auth_request_set $email $upstream_http_x_auth_request_email;
proxy_set_header X-User $user;
proxy_set_header X-Email $email;
# if you enabled --cookie-refresh, this is needed for it to work with auth_request
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
'';
locations."/oauth2/" = {
proxyPass = "https://${cfg.authProxyDomain}";
extraConfig = ''
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
'';
};
locations."= /oauth2/auth" = {
proxyPass =
"https://${cfg.authProxyDomain}"
+ optionalString (config.oauth2.allowedGroups != [])
"?allowed_groups=${concatStringsSep "," config.oauth2.allowedGroups}";
extraConfig = ''
internal;
proxy_set_header X-Scheme $scheme;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
'';
};
};
}));
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
services.oauth2_proxy = { services.oauth2_proxy = {
enable = true; enable = true;
cookie.domain = ".${cfg.cookieDomain}";
cookie.secure = true; cookie.secure = true;
cookie.httpOnly = false; cookie.httpOnly = false;
cookie.refresh = "5m";
cookie.expire = "30m";
reverseProxy = true; reverseProxy = true;
httpAddress = "unix:///run/oauth2_proxy/oauth2_proxy.sock"; httpAddress = "unix:///run/oauth2_proxy/oauth2_proxy.sock";
# Share the cookie with all subpages
extraConfig.whitelist-domain = ".${cfg.cookieDomain}";
setXauthrequest = true; setXauthrequest = true;
extraConfig = {
# Share the cookie with all subpages
whitelist-domain = ".${cfg.cookieDomain}";
set-authorization-header = true;
pass-access-token = true;
skip-jwt-bearer-tokens = true;
upstream = "static://202";
# TODO allowed group?
};
}; };
systemd.services.oauth2_proxy.serviceConfig = { systemd.services.oauth2_proxy.serviceConfig = {
@ -84,78 +147,33 @@ in {
''; '';
}; };
virtualHosts = virtualHosts.${cfg.authProxyDomain} = {
{ forceSSL = true;
${cfg.authProxyDomain} = { useACMEHost = config.lib.extra.matchingWildcardCert cfg.authProxyDomain;
forceSSL = true;
useACMEHost = config.lib.extra.matchingWildcardCert cfg.authProxyDomain;
locations."/".extraConfig = '' locations."/".extraConfig = ''
deny all; deny all;
return 404; return 404;
''; '';
locations."/oauth2/" = { locations."/oauth2/" = {
proxyPass = "http://oauth2_proxy"; proxyPass = "http://oauth2_proxy";
extraConfig = '' extraConfig = ''
proxy_set_header X-Scheme $scheme; proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri; proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
'';
};
locations."= /oauth2/auth" = {
proxyPass = "http://oauth2_proxy";
extraConfig = ''
proxy_set_header X-Scheme $scheme;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
'';
};
};
}
// flip mapAttrs cfg.nginx.virtualHosts
(vhost: vhostCfg: let
authQuery =
optionalString (vhostCfg.allowedGroups != [])
"?allowed_groups=${concatStringsSep "," vhostCfg.allowedGroups}";
in {
locations."/".extraConfig = ''
auth_request /oauth2/auth;
error_page 401 = /oauth2/sign_in;
# pass information via X-User and X-Email headers to backend,
# requires running with --set-xauthrequest flag
auth_request_set $user $upstream_http_x_auth_request_user;
auth_request_set $email $upstream_http_x_auth_request_email;
proxy_set_header X-User $user;
proxy_set_header X-Email $email;
# if you enabled --cookie-refresh, this is needed for it to work with auth_request
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
''; '';
};
locations."/oauth2/" = { locations."= /oauth2/auth" = {
proxyPass = "https://${cfg.authProxyDomain}"; proxyPass = "http://oauth2_proxy";
extraConfig = '' extraConfig = ''
proxy_set_header X-Scheme $scheme; proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri; # nginx auth_request includes headers but not body
''; proxy_set_header Content-Length "";
}; proxy_pass_request_body off;
'';
locations."= /oauth2/auth" = { };
proxyPass = "https://${cfg.authProxyDomain}${authQuery}"; };
extraConfig = ''
internal;
proxy_set_header X-Scheme $scheme;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
'';
};
});
}; };
}; };
} }