h/m/customs/beyondspace: oauth2-based members-only proxy
Change-Id: I4f7102b4c4ddd9d0f085653ad08e071f172f289d Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1307 Reviewed-by: vuko <vuko@hackerspace.pl>
parent
c35ea6a220
commit
9c5d866105
3 changed files with 77 additions and 0 deletions
|
@ -28,6 +28,7 @@ pkgs.buildBazelPackage rec {
|
|||
lib.strings.hasSuffix "/hswaw" name ||
|
||||
lib.strings.hasInfix "/hswaw/site" name ||
|
||||
lib.strings.hasInfix "/hswaw/laserproxy" name ||
|
||||
lib.strings.hasInfix "/hswaw/site" name ||
|
||||
|
||||
lib.strings.hasSuffix "/BUILD" name ||
|
||||
lib.strings.hasSuffix "/WORKSPACE" name ||
|
||||
|
|
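--- /dev/null
+++ b/hswaw/machines/customs.hackerspace.pl/beyondspace.nix
@@ -0,0 +1,74 @@
+{ config, pkgs, lib, ... }:
+
+let
+beyondspaceDomains = {
+"inventory.waw.hackerspace.pl" = "https";
+"vending.waw.hackerspace.pl" = "https";
+};
+
+in with lib; {
+services.oauth2_proxy = {
+enable = true;
+provider = "oidc";
+keyFile = "/var/beyondspace.secrets";
+clientID = "1e0a7ba0-5a15-477a-8d96-690ebbe6e720";
+extraConfig = {
+oidc-issuer-url = "https://sso.hackerspace.pl";
+email-domain = "*";
+};
+};
+
+
+services.nginx.commonHttpConfig = ''
+map $http_host $beyondspace_upstream_proto {
+hostnames;
+
+default http;
+
+${concatStringsSep "\n" (mapAttrsToList (key: value: "${key} ${value};") beyondspaceDomains)}
+}
+'';
+
+services.nginx.virtualHosts."beyond.waw.hackerspace.pl" = {
+forceSSL = true;
+enableACME = true;
+
+serverAliases = attrNames beyondspaceDomains;
+
+locations."/oauth2/" = {
+extraConfig = ''
+proxy_pass http://127.0.0.1:4180;
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Scheme $scheme;
+proxy_set_header X-Auth-Request-Redirect $request_uri;
+'';
+};
+
+locations."= /oauth2/auth" = {
+extraConfig = ''
+proxy_pass http://127.0.0.1:4180;
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Scheme $scheme;
+
+# nginx auth_request includes headers but not body
+proxy_set_header Content-Length "";
+proxy_pass_request_body off;
+'';
+};
+
+locations."/" = {
+extraConfig = ''
+auth_request /oauth2/auth;
+error_page 401 = /oauth2/sign_in;
+
+# if you enabled --cookie-refresh, this is needed for it to work with auth_request
+auth_request_set $auth_cookie $upstream_http_set_cookie;
+add_header Set-Cookie $auth_cookie;
+
+proxy_pass $beyondspace_upstream_proto://$host$request_uri;
+'';
+};
+};
+}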
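Review bot: The `/` location proxies to `$beyondspace_upstream_proto://$host$request_uri`, so a request whose Host is not one of the mapped domains but still lands in this server block — `beyond.waw.hackerspace.pl` itself, or any name at all if this vhost ever becomes nginx's default server — is forwarded to `http://<that host>` through the resolver, which for the vhost's own name is presumably this machine again. The map also keys on `$http_host` while `proxy_pass` uses `$host`, so a Host carrying an explicit port misses the map and falls through to the `http` default. I'd key the map on `$host`, replace `default http;` with `default "";`, and reject unmapped hosts in `/` ahead of `auth_request` with `if ($beyondspace_upstream_proto = "") { return 404; }`. The whole scheme only holds if the inventory and vending upstreams are unreachable except via this proxy; nothing in this file enforces that, so a header comment stating that assumption (and that upstream names are resolved through the `127.0.0.1` resolver this commit sets in the machine config) would help the next maintainer.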
|
@ -50,6 +50,7 @@ in {
|
|||
./checkinator-web.nix
|
||||
./mikrotik-exporter.nix
|
||||
./netboot.nix
|
||||
./beyondspace.nix
|
||||
./laserproxy/service.nix
|
||||
];
|
||||
|
||||
|
@ -436,6 +437,7 @@ in {
|
|||
services.nginx.appendHttpConfig = ''
|
||||
server_names_hash_bucket_size 64;
|
||||
'';
|
||||
services.nginx.resolver.addresses = [ "127.0.0.1" ];
|
||||
|
||||
security.acme = {
|
||||
email = "bofh@hackerspace.pl";
|
||||
|
|