feat(idp): ssl pre-read

arcnmx 2024-03-13 09:38:35 -07:00
parent b37e17bc0f
commit 2b1df931cb
5 changed files with 86 additions and 30 deletions


@ -6,12 +6,13 @@
}: }:
let let
inherit (lib.options) mkOption mkEnableOption; inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkBefore mkIf mkDefault; inherit (lib.modules) mkIf mkMerge mkBefore mkDefault;
inherit (lib.strings) optionalString concatStringsSep; inherit (lib.strings) optionalString concatStringsSep;
inherit (config.services) tailscale; inherit (config.services) tailscale;
inherit (config.services.nginx) virtualHosts; inherit (config.services) nginx;
access = config.services.nginx.access.freeipa; inherit (nginx) virtualHosts;
inherit (config.services.nginx.access) ldap; access = nginx.access.freeipa;
inherit (nginx.access) ldap;
extraConfig = '' extraConfig = ''
ssl_verify_client optional_no_ca; ssl_verify_client optional_no_ca;
''; '';
@ -28,6 +29,16 @@ let
proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-SSL-CERT $ssl_client_escaped_cert; proxy_set_header X-SSL-CERT $ssl_client_escaped_cert;
proxy_redirect https://${domain}/ $scheme://$host/; proxy_redirect https://${domain}/ $scheme://$host/;
set $x_referer $http_referer;
if ($x_referer ~ "^https://([^/]*)/(.*)$") {
set $x_referer_host $1;
set $x_referer_path $2;
}
if ($x_referer_host = $host) {
set $x_referer "https://${domain}/$x_referer_path";
}
proxy_set_header Referer $x_referer;
''; '';
}; };
}; };
@ -44,6 +55,15 @@ in {
host = mkOption { host = mkOption {
type = str; type = str;
}; };
preread = {
enable = mkEnableOption "ssl preread" // {
default = true;
};
port = mkOption {
type = port;
default = 444;
};
};
kerberos = { kerberos = {
enable = mkEnableOption "proxy kerberos" // { enable = mkEnableOption "proxy kerberos" // {
default = true; default = true;
@ -77,6 +97,10 @@ in {
type = str; type = str;
default = "idp-ca.${config.networking.domain}"; default = "idp-ca.${config.networking.domain}";
}; };
globalDomain = mkOption {
type = str;
default = "freeipa.${config.networking.domain}";
};
localDomain = mkOption { localDomain = mkOption {
type = str; type = str;
default = "freeipa.local.${config.networking.domain}"; default = "freeipa.local.${config.networking.domain}";
@ -106,31 +130,61 @@ in {
port = mkDefault access.ldapPort; port = mkDefault access.ldapPort;
useACMEHost = mkDefault access.useACMEHost; useACMEHost = mkDefault access.useACMEHost;
}; };
streamConfig = mkIf access.kerberos.enable '' resolver.addresses = mkIf access.preread.enable [ "[::1]" "127.0.0.1:5353" ];
server { defaultSSLListenPort = mkIf access.preread.enable access.preread.port;
listen 0.0.0.0:${toString access.kerberos.ports.ticket}; streamConfig = let
listen [::]:${toString access.kerberos.ports.ticket}; preread = ''
listen 0.0.0.0:${toString access.kerberos.ports.ticket} udp; upstream freeipa {
listen [::]:${toString access.kerberos.ports.ticket} udp; server ${access.host}:${toString access.port};
proxy_pass ${access.host}:${toString access.kerberos.ports.ticket}; }
} upstream nginx {
server { server localhost:${toString nginx.defaultSSLListenPort};
listen 0.0.0.0:${toString access.kerberos.ports.ticket4} udp; }
listen [::]:${toString access.kerberos.ports.ticket4} udp; map $ssl_preread_server_name $ssl_name {
proxy_pass ${access.host}:${toString access.kerberos.ports.ticket4}; hostnames;
} ${access.domain} freeipa;
server { ${access.caDomain} freeipa;
listen 0.0.0.0:${toString access.kerberos.ports.kpasswd}; default nginx;
listen [::]:${toString access.kerberos.ports.kpasswd}; }
listen 0.0.0.0:${toString access.kerberos.ports.kpasswd} udp; server {
listen [::]:${toString access.kerberos.ports.kpasswd} udp; listen 0.0.0.0:443;
proxy_pass ${access.host}:${toString access.kerberos.ports.kpasswd}; listen [::]:443;
} ssl_preread on;
''; proxy_pass $ssl_name;
}
'';
kerberos = ''
server {
listen 0.0.0.0:${toString access.kerberos.ports.ticket};
listen [::]:${toString access.kerberos.ports.ticket};
listen 0.0.0.0:${toString access.kerberos.ports.ticket} udp;
listen [::]:${toString access.kerberos.ports.ticket} udp;
proxy_pass ${access.host}:${toString access.kerberos.ports.ticket};
}
server {
listen 0.0.0.0:${toString access.kerberos.ports.ticket4} udp;
listen [::]:${toString access.kerberos.ports.ticket4} udp;
proxy_pass ${access.host}:${toString access.kerberos.ports.ticket4};
}
server {
listen 0.0.0.0:${toString access.kerberos.ports.kpasswd};
listen [::]:${toString access.kerberos.ports.kpasswd};
listen 0.0.0.0:${toString access.kerberos.ports.kpasswd} udp;
listen [::]:${toString access.kerberos.ports.kpasswd} udp;
proxy_pass ${access.host}:${toString access.kerberos.ports.kpasswd};
}
'';
in mkMerge [
(mkIf access.preread.enable preread)
(mkIf access.kerberos.enable kerberos)
];
virtualHosts = { virtualHosts = {
${access.domain} = { ${access.domain} = {
inherit locations extraConfig; inherit locations extraConfig;
}; };
${access.globalDomain} = {
inherit locations extraConfig;
};
${access.caDomain} = { ${access.caDomain} = {
locations = caLocations; locations = caLocations;
inherit extraConfig; inherit extraConfig;
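Review bot: The new stream server proxies every non-FreeIPA SNI to `localhost:${nginx.defaultSSLListenPort}` without `proxy_protocol on;`, so each TLS vhost behind it now sees `$remote_addr` as 127.0.0.1 or ::1 and any `allow`/`deny` rule, rate limit or access log keyed on the client address in those vhosts is silently neutralised. The fix is `proxy_protocol on;` in the stream `server { ... }` plus, on the HTTP side, `proxy_protocol` on the port-444 listen and `real_ip_header proxy_protocol; set_real_ip_from 127.0.0.1; set_real_ip_from ::1;`; once that is in place the 444 listener should be reachable from loopback only, since a direct connection would be misparsed anyway. Separately, `${access.domain}` and `${access.caDomain}` are now passed through to `${access.host}` at the TLS layer, so the `ssl_verify_client optional_no_ca` / `X-SSL-CERT` handling in the matching virtualHosts no longer runs for those names; if the FreeIPA httpd on the far side trusts an `X-SSL-CERT` header because this proxy used to be the only path to it, clients can now supply that header themselves — worth confirming. The `${access.domain}` entry retained in virtualHosts looks unreachable through 443 while preread is enabled and deserves either a comment saying why it stays or removal.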


@ -4,7 +4,7 @@
... ...
}: let }: let
inherit (lib.options) mkOption mkEnableOption; inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkMerge mkDefault; inherit (lib.modules) mkIf mkDefault;
inherit (lib.lists) head optional concatMap; inherit (lib.lists) head optional concatMap;
inherit (lib.strings) splitString; inherit (lib.strings) splitString;
inherit (config.services) nginx tailscale; inherit (config.services) nginx tailscale;
@ -119,7 +119,7 @@ in {
listen = concatMap (addr: [ listen = concatMap (addr: [
{ {
inherit addr; inherit addr;
port = 80; port = nginx.defaultHTTPListenPort;
} }
{ {
inherit addr; inherit addr;
@ -127,7 +127,7 @@ in {
} }
(mkIf (access.useACMEHost != null) { (mkIf (access.useACMEHost != null) {
inherit addr; inherit addr;
port = 443; port = nginx.defaultSSLListenPort;
ssl = true; ssl = true;
}) })
(mkIf (access.useACMEHost != null) { (mkIf (access.useACMEHost != null) {
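Review bot: With preread enabled `nginx.defaultSSLListenPort` is 444, so the SSL listener changed here binds 444 on every `addr` the enclosing `concatMap` iterates over, and that address list, like the rest of the `listen` expression, lies outside this hunk. If any of those addresses is non-loopback, port 444 is reachable directly and bypasses the SNI router on 443 — harmless for TLS termination, but it means two public entry points that must be firewalled and monitored consistently. Since the stream side only ever connects to `localhost:444`, the SSL listen could be limited to loopback addresses when preread is on, or the external 444 port dropped by the host firewall; at minimum a comment such as `# defaultSSLListenPort is the internal TLS port behind the ssl_preread stream on 443` would explain the non-standard port to the next reader.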


@ -68,12 +68,12 @@ in {
listen = concatMap (addr: [ listen = concatMap (addr: [
(mkIf config.addSSL { (mkIf config.addSSL {
inherit addr; inherit addr;
port = 443; port = nginx.defaultSSLListenPort;
ssl = true; ssl = true;
}) })
{ {
inherit addr; inherit addr;
port = 80; port = nginx.defaultHTTPListenPort;
} }
{ {
inherit addr; inherit addr;


@ -101,6 +101,7 @@ in {
[ [
access.freeipa.localDomain access.freeipa.localDomain
access.freeipa.caDomain access.freeipa.caDomain
access.freeipa.globalDomain
access.ldap.domain access.ldap.domain
access.ldap.localDomain access.ldap.localDomain
] ]


@ -30,6 +30,7 @@ module "hakurei_system_records" {
global_subdomains = [ global_subdomains = [
"plex", "plex",
"idp", "idp",
"freeipa",
"ldap", "ldap",
"pbx", "pbx",
"smb", "smb",
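Review bot: Adding `"freeipa"` to `global_subdomains` publishes the new `globalDomain` FreeIPA vhost on public DNS, and that vhost inherits the same `locations`/`extraConfig` as the internal name, including `ssl_verify_client optional_no_ca`, with no source-address restriction visible anywhere in this commit. If the identity provider's web UI is meant to be reachable only from Tailscale or the LAN, the restriction should land together with the DNS record rather than after it; otherwise a short comment on this entry stating that the IdP is intentionally exposed publicly would make the decision auditable. The `global_subdomains` list continues outside the hunk.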