wip: prepare testing caddy over nginx with oauth2-proxy

2023-06-04 21:42:28 +02:00 · 2023-06-04 21:42:28 +02:00 · c5a863ce51
commit c5a863ce51
parent 7f2f93b640
7 changed files with 245 additions and 10 deletions
--- a/hosts/sentinel/caddy.nix
+++ b/hosts/sentinel/caddy.nix
@ -0,0 +1,45 @@
+{
+  config,
+  lib,
+  nodes,
+  ...
+}: let
+  inherit (config.repo.secrets.local) acme personalDomain;
+in {
+  networking.domain = personalDomain;
+
+  rekey.secrets.acme-credentials = {
+    file = ./secrets/acme-credentials.age;
+    mode = "440";
+    group = "acme";
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      inherit (acme) email;
+      credentialsFile = config.rekey.secrets.acme-credentials.path;
+      dnsProvider = "cloudflare";
+      dnsPropagationCheck = true;
+      reloadServices = ["nginx"];
+    };
+  };
+  extra.acme.wildcardDomains = acme.domains;
+  users.groups.acme.members = ["nginx"];
+
+  rekey.secrets."dhparams.pem" = {
+    file = ./secrets/dhparams.pem.age;
+    mode = "440";
+    group = "nginx";
+  };
+
+  services.caddy = let
+    authDomain = nodes.ward-nginx.config.services.kanidm.serverSettings.domain;
+    authPort = lib.last (lib.splitString ":" nodes.ward-nginx.config.services.kanidm.serverSettings.bindaddress);
+    grafanaDomain = nodes.ward-test.config.services.grafana.settings.server.domain;
+    grafanaPort = toString nodes.ward-test.config.services.grafana.settings.server.http_port;
+    lokiDomain = "loki.${personalDomain}";
+    lokiPort = toString nodes.ward-loki.config.services.loki.settings.server.http_port;
+  in {
+  };
+}
--- a/hosts/sentinel/default.nix
+++ b/hosts/sentinel/default.nix
@ -12,6 +12,7 @@

    ./fs.nix
    ./net.nix
-    ./nginx.nix
+    #./nginx.nix
+    ./caddy.nix
  ];
 }
--- a/hosts/sentinel/nginx.nix
+++ b/hosts/sentinel/nginx.nix
@ -38,8 +38,14 @@ in {
    authPort = lib.last (lib.splitString ":" nodes.ward-nginx.config.services.kanidm.serverSettings.bindaddress);
    grafanaDomain = nodes.ward-test.config.services.grafana.settings.server.domain;
    grafanaPort = toString nodes.ward-test.config.services.grafana.settings.server.http_port;
+    lokiDomain = "loki.${personalDomain}";
+    lokiPort = toString nodes.ward-loki.config.services.loki.settings.server.http_port;
  in {
    enable = true;
+
+    # TODO move subconfigs to the relevant hosts instead.
+    # -> have something like merged config nodes.<name>....
+
    upstreams.kanidm = {
      servers."${nodes.ward-nginx.config.extra.wireguard.proxy-sentinel.ipv4}:${authPort}" = {};
      extraConfig = ''
@ -71,5 +77,32 @@ in {
      useACMEHost = config.lib.extra.matchingWildcardCert grafanaDomain;
      locations."/".proxyPass = "http://grafana";
    };
+
+    upstreams.loki = {
+      servers."${nodes.ward-loki.config.extra.wireguard.proxy-sentinel.ipv4}:${lokiPort}" = {};
+      extraConfig = ''
+        zone loki 64k;
+        keepalive 2;
+      '';
+    };
+    virtualHosts.${lokiDomain} = {
+      forceSSL = true;
+      useACMEHost = config.lib.extra.matchingWildcardCert lokiDomain;
+      locations."/" = {
+        proxyPass = "http://loki";
+        proxyWebsockets = true;
+        extraConfig = ''
+          access_log off;
+        '';
+      };
+      locations."/ready" = {
+        proxyPass = "http://loki";
+        proxyWebsockets = true;
+        extraConfig = ''
+          auth_request off;
+          access_log off;
+        '';
+      };
+    };
  };
 }
--- a/hosts/sentinel/oauth2-proxy.nix
+++ b/hosts/sentinel/oauth2-proxy.nix
@ -0,0 +1,57 @@
+{
+  config,
+  lib,
+  nodes,
+  ...
+}: let
+  inherit (config.repo.secrets.local) acme personalDomain;
+  authDomain = "auth.${personalDomain}";
+in {
+  networking.domain = personalDomain;
+
+  # Contains OAUTH2_PROXY_CLIENT_SECRET=...
+  #rekey.secrets.grafana-secret-key = {
+  #  file = ./secrets/oauth2-proxy-client-secret.age;
+  #  mode = "440";
+  #  group = "oauth2_proxy";
+  #};
+
+  services.oauth2_proxy = {
+    enable = true;
+    cookie.secure = true;
+    cookie.httpOnly = false;
+    email.domains = ["*"];
+    provider = "oidc";
+    scope = "openid email";
+    loginURL = "https://${authDomain}/ui/oauth2";
+    redeemURL = "https://${authDomain}/oauth2/token";
+    validateURL = "https://${authDomain}/oauth2/openid/grafana/userinfo";
+    clientID = "oauth2-proxy";
+    clientSecret = "";
+    #keyFile = config.rekey.secrets.oauth2-proxy-client-secret.path;
+    reverseProxy = true;
+    extraConfig.skip-provider-button = true;
+    setXauthrequest = true;
+  };
+
+  # Apply oauth by default to all locations
+  services.nginx.virtualHosts = lib.genAttrs config.services.oauth2_proxy.nginx.virtualHosts (_: {
+    extraConfig = ''
+      auth_request /oauth2/auth;
+      error_page 401 = /oauth2/sign_in;
+
+      # pass information via X-User and X-Email headers to backend,
+      # requires running with --set-xauthrequest flag
+      auth_request_set $user   $upstream_http_x_auth_request_user;
+      auth_request_set $email  $upstream_http_x_auth_request_email;
+      proxy_set_header X-User  $user;
+      proxy_set_header X-Email $email;
+
+      # if you enabled --cookie-refresh, this is needed for it to work with auth_request
+      auth_request_set $auth_cookie $upstream_http_set_cookie;
+      add_header Set-Cookie $auth_cookie;
+    '';
+    locations."/oauth2/".extraConfig = "auth_request off;";
+    locations."/oauth2/auth".extraConfig = "auth_request off;";
+  });
+}