fix(bw): nginx access

2026-02-09 04:19:19 -08:00 · 2024-06-02 19:36:25 -07:00 · 2024-06-02 19:36:25 -07:00 · 23d257aacc
commit 23d257aacc
parent 90f0e94254
3 changed files with 47 additions and 32 deletions
--- a/systems/keycloak/default.nix
+++ b/systems/keycloak/default.nix
@ -12,6 +12,10 @@ _: {
      keycloak.enable = true;
      vouch-proxy.enable = true;
      vaultwarden.enable = true;
+      nginx = {
+        enable = true;
+        ports.proxied.enable = true;
+      };
    };
  };
 }
--- a/systems/keycloak/nixos.nix
+++ b/systems/keycloak/nixos.nix
@ -2,8 +2,11 @@
  meta,
  config,
  access,
+  lib,
  ...
-}: {
+}: let
+  inherit (lib.modules) mkMerge;
+in {
  imports = let
    inherit (meta) nixos;
  in [
@ -15,6 +18,8 @@
    nixos.vaultwarden
    nixos.cloudflared
    nixos.vouch
+    nixos.nginx
+    nixos.access.vaultwarden
  ];

  services.cloudflared = let
@ -24,44 +29,49 @@
      default = "http_status:404";
      credentialsFile = config.sops.secrets.cloudflared-tunnel-keycloak.path;
      ingress = let
+        inherit (config.services) nginx;
+        inherit (config.networking) domain;
        keycloak'system = access.systemForService "keycloak";
        inherit (keycloak'system.exports.services) keycloak;
        vouch'system = access.systemForServiceId "login";
        inherit (vouch'system.exports.services) vouch-proxy;
-        vaultwarden'system = access.systemForServiceId "bw";
-        inherit (vaultwarden'system.exports.services) vaultwarden;
-      in {
-        "${keycloak.id}.${config.networking.domain}" = let
-          portName =
-            if keycloak.ports.https.enable
-            then "https"
-            else "http";
-        in {
-          service = access.proxyUrlFor {
-            system = keycloak'system;
-            service = keycloak;
-            inherit portName;
+        ingress = {
+          "${keycloak.id}.${domain}" = let
+            portName =
+              if keycloak.ports.https.enable
+              then "https"
+              else "http";
+          in {
+            service = access.proxyUrlFor {
+              system = keycloak'system;
+              service = keycloak;
+              inherit portName;
+            };
+            originRequest.${
+              if keycloak.ports.${portName}.protocol == "https"
+              then "noTLSVerify"
+              else null
+            } =
+              true;
          };
-          originRequest.${
-            if keycloak.ports.${portName}.protocol == "https"
-            then "noTLSVerify"
-            else null
-          } =
-            true;
-        };
-        "${vouch-proxy.id}.${config.networking.domain}" = {
-          service = access.proxyUrlFor {
-            system = vouch'system;
-            service = vouch-proxy;
+          "${vouch-proxy.id}.${domain}" = {
+            service = access.proxyUrlFor {
+              system = vouch'system;
+              service = vouch-proxy;
+            };
          };
        };
-        "${vaultwarden.id}.${config.networking.domain}" = {
-          service = access.proxyUrlFor {
-            system = vaultwarden'system;
-            service = vaultwarden;
-          };
-        };
-      };
+      in mkMerge [
+        ingress
+        (nginx.virtualHosts.vaultwarden.proxied.cloudflared.getIngress {})
+      ];
+    };
+  };
+
+  services.nginx = {
+    proxied.enable = true;
+    virtualHosts = {
+      vaultwarden.proxied.enable = "cloudflared";
    };
  };