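# NixOS module: puts the "beyondspace" hackerspace services behind one
# oauth2_proxy instance (OIDC against sso.hackerspace.pl) using nginx
# auth_request, and proxies authenticated requests on to the real upstream.
{ config, pkgs, lib, ... }:

let
  inherit (lib) attrNames concatStringsSep mapAttrsToList;

  # Protected hostname -> scheme nginx uses to reach that host's real upstream.
  # Every key is also served by the nginx vhost below (serverAliases), so the
  # auth_request gate applies to each of them.
  beyondspaceDomains = {
    "inventory.waw.hackerspace.pl" = "https";
    "vending.waw.hackerspace.pl" = "https";
  };
in {
  services.oauth2_proxy = {
    enable = true;
    provider = "oidc";
    # Client secret and cookie secret live in this environment file, not in the
    # world-readable nix store; keep the file root-only.
    keyFile = "/var/beyondspace.secrets";
    clientID = "1e0a7ba0-5a15-477a-8d96-690ebbe6e720";
    extraConfig = {
      oidc-issuer-url = "https://sso.hackerspace.pl";
      # "*" authorizes any account the issuer authenticates; there is no
      # per-service allow-list here, so that is left to the upstreams.
      email-domain = "*";
    };
  };

  # Per-Host lookup of the scheme to use towards the upstream.
  services.nginx.commonHttpConfig = ''
    map $http_host $beyondspace_upstream_proto {
      hostnames;
      # Hosts not listed in the map - including beyond.waw.hackerspace.pl
      # itself - are proxied over plain http; confirm that is intended.
      default http;
      ${concatStringsSep "\n" (mapAttrsToList (key: value: "${key} ${value};") beyondspaceDomains)}
    }
  '';

  services.nginx.virtualHosts."beyond.waw.hackerspace.pl" = {
    forceSSL = true;
    enableACME = true;
    # Serve every protected hostname from this vhost so TLS is terminated and
    # the auth gate enforced here for all of them.
    serverAliases = attrNames beyondspaceDomains;

    # oauth2_proxy's own endpoints (sign_in, callback, ...).
    locations."/oauth2/" = {
      extraConfig = ''
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
      '';
    };

    # Subrequest target for auth_request; only the request headers matter.
    locations."= /oauth2/auth" = {
      extraConfig = ''
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;

        # nginx auth_request includes headers but not body
        proxy_set_header Content-Length "";
        proxy_pass_request_body off;
      '';
    };

    # Everything else: gate on oauth2_proxy, then proxy to the real upstream.
    locations."/" = {
      extraConfig = ''
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;

        # if you enabled --cookie-refresh, this is needed for it to work with auth_request
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;

        # The upstream is addressed by the client-supplied Host header; nginx
        # only routes server_name/serverAliases here, so $host is one of the
        # listed names. NOTE(review): a variable host is resolved at request
        # time and needs a resolver (services.nginx.resolver) unless an
        # upstream block matches - confirm one is configured.
        proxy_pass $beyondspace_upstream_proto://$host$request_uri;
        proxy_set_header Host $host;
        # Preserve the client address and scheme for the upstream's own logs.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Send SNI for the https upstreams. nginx does not verify upstream
        # certificates by default (proxy_ssl_verify off); turn it on together
        # with proxy_ssl_trusted_certificate if the path to the upstream is
        # not trusted.
        proxy_ssl_server_name on;
        proxy_ssl_name $host;
      '';
    };
  };
}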