From 23d257aacc66630604c02196817a64b44d9165a7 Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Sun, 2 Jun 2024 19:36:25 -0700
Subject: [PATCH] fix(bw): nginx access

---
 nixos/vaultwarden.nix | 1 +
 systems/keycloak/default.nix | 4 ++
 systems/keycloak/nixos.nix | 74 ++++++++++++++++++++----------------
 3 files changed, 47 insertions(+), 32 deletions(-)

diff --git a/nixos/vaultwarden.nix b/nixos/vaultwarden.nix
index 3be06501..4c079cf6 100644
--- a/nixos/vaultwarden.nix
+++ b/nixos/vaultwarden.nix
@@ -15,6 +15,7 @@ in {
 databaseUrlPath = mkIf (!postgresql.enable) (mkDefault config.sops.secrets.vaultwarden-database-url.path);
 adminTokenPath = mkIf enableAdmin (mkDefault config.sops.secrets.vaultwarden-admin-token.path);
 config = {
+ DOMAIN = mkDefault "https://bw.${config.networking.domain}";
 SIGNUPS_ALLOWED = mkDefault false;
 ROCKET_ADDRESS = mkDefault "::";
 WEBSOCKET_ADDRESS = mkDefault "::";
diff --git a/systems/keycloak/default.nix b/systems/keycloak/default.nix
index 194c2cec..3597fa6c 100644
--- a/systems/keycloak/default.nix
+++ b/systems/keycloak/default.nix
@@ -12,6 +12,10 @@ _: {
 keycloak.enable = true;
 vouch-proxy.enable = true;
 vaultwarden.enable = true;
+ nginx = {
+ enable = true;
+ ports.proxied.enable = true;
+ };
 };
 };
 }
diff --git a/systems/keycloak/nixos.nix b/systems/keycloak/nixos.nix
index e5c2cac0..be699b7e 100644
--- a/systems/keycloak/nixos.nix
+++ b/systems/keycloak/nixos.nix
@@ -2,8 +2,11 @@
 meta,
 config,
 access,
+ lib,
 ...
-}: {
+}: let
+ inherit (lib.modules) mkMerge;
+in {
 imports = let
 inherit (meta) nixos;
 in [
@@ -15,6 +18,8 @@
 nixos.vaultwarden
 nixos.cloudflared
 nixos.vouch
+ nixos.nginx
+ nixos.access.vaultwarden
 ];
 services.cloudflared = let
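Review bot: The new `DOMAIN` default hard-codes the `bw` host label, while the host this instance is served on appears to be derived elsewhere from a service id (the `systemForServiceId "bw"` lookup and `vaultwarden.id` key that this same commit removes from systems/keycloak/nixos.nix), so a later change to that id would leave DOMAIN silently pointing at a different origin than the one nginx and cloudflared expose. Vaultwarden uses DOMAIN as the WebAuthn/U2F relying-party origin and as the base for links in e-mailed invitations, so a mismatch breaks security-key logins and sends users to the wrong host rather than failing at evaluation time. Deriving the label from the same id, or at least a comment such as `# must equal the public origin exactly: Vaultwarden uses it as the WebAuthn origin and in e-mailed links`, would make the coupling visible to whoever next renames the service. The enclosing `config` attrset and the module's `in {` body continue outside the hunk.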
@@ -24,44 +29,49 @@
 default = "http_status:404";
 credentialsFile = config.sops.secrets.cloudflared-tunnel-keycloak.path;
 ingress = let
+ inherit (config.services) nginx;
+ inherit (config.networking) domain;
 keycloak'system = access.systemForService "keycloak";
 inherit (keycloak'system.exports.services) keycloak;
 vouch'system = access.systemForServiceId "login";
 inherit (vouch'system.exports.services) vouch-proxy;
- vaultwarden'system = access.systemForServiceId "bw";
- inherit (vaultwarden'system.exports.services) vaultwarden;
- in {
- "${keycloak.id}.${config.networking.domain}" = let
- portName =
- if keycloak.ports.https.enable
- then "https"
- else "http";
- in {
- service = access.proxyUrlFor {
- system = keycloak'system;
- service = keycloak;
- inherit portName;
+ ingress = {
+ "${keycloak.id}.${domain}" = let
+ portName =
+ if keycloak.ports.https.enable
+ then "https"
+ else "http";
+ in {
+ service = access.proxyUrlFor {
+ system = keycloak'system;
+ service = keycloak;
+ inherit portName;
+ };
+ originRequest.${
+ if keycloak.ports.${portName}.protocol == "https"
+ then "noTLSVerify"
+ else null
+ } =
+ true;
 };
- originRequest.${
- if keycloak.ports.${portName}.protocol == "https"
- then "noTLSVerify"
- else null
- } =
- true;
- };
- "${vouch-proxy.id}.${config.networking.domain}" = {
- service = access.proxyUrlFor {
- system = vouch'system;
- service = vouch-proxy;
+ "${vouch-proxy.id}.${domain}" = {
+ service = access.proxyUrlFor {
+ system = vouch'system;
+ service = vouch-proxy;
+ };
 };
 };
- "${vaultwarden.id}.${config.networking.domain}" = {
- service = access.proxyUrlFor {
- system = vaultwarden'system;
- service = vaultwarden;
- };
- };
- };
+ in mkMerge [
+ ingress
+ (nginx.virtualHosts.vaultwarden.proxied.cloudflared.getIngress {})
+ ];
+ };
+ };
+
+ services.nginx = {
+ proxied.enable = true;
+ virtualHosts = {
+ vaultwarden.proxied.enable = "cloudflared";
 };
 };