gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 12:29:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(idp): ssl pre-read

Browse source
This commit is contained in:
arcnmx 2024-03-13 09:38:35 -07:00
parent b37e17bc0f
commit 2b1df931cb
5 changed files with 86 additions and 30 deletions
Download patch file Download diff file Expand all files Collapse all files

104
nixos/access/freeipa.nix
View file

@ -6,12 +6,13 @@
}:
let
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkBefore mkIf mkDefault;
inherit (lib.modules) mkIf mkMerge mkBefore mkDefault;
inherit (lib.strings) optionalString concatStringsSep;
inherit (config.services) tailscale;
inherit (config.services.nginx) virtualHosts;
access = config.services.nginx.access.freeipa;
inherit (config.services.nginx.access) ldap;
inherit (config.services) nginx;
inherit (nginx) virtualHosts;
access = nginx.access.freeipa;
inherit (nginx.access) ldap;
extraConfig = ''
ssl_verify_client optional_no_ca;
'';
@ -28,6 +29,16 @@ let
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-SSL-CERT $ssl_client_escaped_cert;
proxy_redirect https://${domain}/ $scheme://$host/;
set $x_referer $http_referer;
if ($x_referer ~ "^https://([^/]*)/(.*)$") {
set $x_referer_host $1;
set $x_referer_path $2;
}
if ($x_referer_host = $host) {
set $x_referer "https://${domain}/$x_referer_path";
}
proxy_set_header Referer $x_referer;
'';
};
};
@ -44,6 +55,15 @@ in {
host = mkOption {
type = str;
};
preread = {
enable = mkEnableOption "ssl preread" // {
default = true;
};
port = mkOption {
type = port;
default = 444;
};
};
kerberos = {
enable = mkEnableOption "proxy kerberos" // {
default = true;
@ -77,6 +97,10 @@ in {
type = str;
default = "idp-ca.${config.networking.domain}";
};
globalDomain = mkOption {
type = str;
default = "freeipa.${config.networking.domain}";
};
localDomain = mkOption {
type = str;
default = "freeipa.local.${config.networking.domain}";
@ -106,31 +130,61 @@ in {
port = mkDefault access.ldapPort;
useACMEHost = mkDefault access.useACMEHost;
};
streamConfig = mkIf access.kerberos.enable ''
server {
listen 0.0.0.0:${toString access.kerberos.ports.ticket};
listen [::]:${toString access.kerberos.ports.ticket};
listen 0.0.0.0:${toString access.kerberos.ports.ticket} udp;
listen [::]:${toString access.kerberos.ports.ticket} udp;
proxy_pass ${access.host}:${toString access.kerberos.ports.ticket};
}
server {
listen 0.0.0.0:${toString access.kerberos.ports.ticket4} udp;
listen [::]:${toString access.kerberos.ports.ticket4} udp;
proxy_pass ${access.host}:${toString access.kerberos.ports.ticket4};
}
server {
listen 0.0.0.0:${toString access.kerberos.ports.kpasswd};
listen [::]:${toString access.kerberos.ports.kpasswd};
listen 0.0.0.0:${toString access.kerberos.ports.kpasswd} udp;
listen [::]:${toString access.kerberos.ports.kpasswd} udp;
proxy_pass ${access.host}:${toString access.kerberos.ports.kpasswd};
}
'';
resolver.addresses = mkIf access.preread.enable [ "[::1]" "127.0.0.1:5353" ];
defaultSSLListenPort = mkIf access.preread.enable access.preread.port;
streamConfig = let
preread = ''
upstream freeipa {
server ${access.host}:${toString access.port};
}
upstream nginx {
server localhost:${toString nginx.defaultSSLListenPort};
}
map $ssl_preread_server_name $ssl_name {
hostnames;
${access.domain} freeipa;
${access.caDomain} freeipa;
default nginx;
}
server {
listen 0.0.0.0:443;
listen [::]:443;
ssl_preread on;
proxy_pass $ssl_name;
}
'';
kerberos = ''
server {
listen 0.0.0.0:${toString access.kerberos.ports.ticket};
listen [::]:${toString access.kerberos.ports.ticket};
listen 0.0.0.0:${toString access.kerberos.ports.ticket} udp;
listen [::]:${toString access.kerberos.ports.ticket} udp;
proxy_pass ${access.host}:${toString access.kerberos.ports.ticket};
}
server {
listen 0.0.0.0:${toString access.kerberos.ports.ticket4} udp;
listen [::]:${toString access.kerberos.ports.ticket4} udp;
proxy_pass ${access.host}:${toString access.kerberos.ports.ticket4};
}
server {
listen 0.0.0.0:${toString access.kerberos.ports.kpasswd};
listen [::]:${toString access.kerberos.ports.kpasswd};
listen 0.0.0.0:${toString access.kerberos.ports.kpasswd} udp;
listen [::]:${toString access.kerberos.ports.kpasswd} udp;
proxy_pass ${access.host}:${toString access.kerberos.ports.kpasswd};
}
'';
in mkMerge [
(mkIf access.preread.enable preread)
(mkIf access.kerberos.enable kerberos)
];
virtualHosts = {
${access.domain} = {
inherit locations extraConfig;
};
${access.globalDomain} = {
inherit locations extraConfig;
};
${access.caDomain} = {
locations = caLocations;
inherit extraConfig;

6
nixos/access/freepbx.nix
View file

@ -4,7 +4,7 @@
...
}: let
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkMerge mkDefault;
inherit (lib.modules) mkIf mkDefault;
inherit (lib.lists) head optional concatMap;
inherit (lib.strings) splitString;
inherit (config.services) nginx tailscale;
@ -119,7 +119,7 @@ in {
listen = concatMap (addr: [
{
inherit addr;
port = 80;
port = nginx.defaultHTTPListenPort;
}
{
inherit addr;
@ -127,7 +127,7 @@ in {
}
(mkIf (access.useACMEHost != null) {
inherit addr;
port = 443;
port = nginx.defaultSSLListenPort;
ssl = true;
})
(mkIf (access.useACMEHost != null) {

4
nixos/access/kitchencam.nix
View file

@ -68,12 +68,12 @@ in {
listen = concatMap (addr: [
(mkIf config.addSSL {
inherit addr;
port = 443;
port = nginx.defaultSSLListenPort;
ssl = true;
})
{
inherit addr;
port = 80;
port = nginx.defaultHTTPListenPort;
}
{
inherit addr;