chore(vouch): clean up local access

2026-02-09 12:29:19 -08:00 · 2024-02-19 15:16:49 -08:00 · 2024-02-19 15:16:49 -08:00 · 9274618cf0
commit 9274618cf0
parent e4596f256f
9 changed files with 208 additions and 89 deletions
--- a/modules/nixos/nginx-local.nix
+++ b/modules/nixos/nginx-local.nix
@ -1,49 +0,0 @@
-{
-  config,
-  lib,
-  ...
-}: let
-  inherit (lib.modules) mkIf mkBefore;
-  inherit (lib.options) mkOption mkEnableOption;
-  inherit (lib.strings) concatMapStringsSep optionalString;
-  inherit (lib.lists) optionals;
-  inherit (config.services) tailscale;
-  inherit (config.networking.access) cidrForNetwork localaddrs;
-  localModule = { config, ... }: {
-    options = with lib.types; {
-      local = {
-        enable = mkEnableOption "local traffic only";
-      };
-    };
-    config = mkIf config.local.enable {
-      extraConfig = let
-        mkAllow = cidr: "allow ${cidr};";
-        allowAddresses =
-          cidrForNetwork.loopback.all
-          ++ cidrForNetwork.local.all
-          ++ optionals tailscale.enable cidrForNetwork.tail.all;
-        allows = concatMapStringsSep "\n" mkAllow allowAddresses + optionalString localaddrs.enable ''
-          include ${localaddrs.stateDir}/*.nginx.conf;
-        '';
-      in mkBefore ''
-        ${allows}
-        deny all;
-      '';
-    };
-  };
-  hostModule = { config, ... }: {
-    imports = [ localModule ];
-
-    options = with lib.types; {
-      locations = mkOption {
-        type = attrsOf (submodule localModule);
-      };
-    };
-  };
-in {
-  options = with lib.types; {
-    services.nginx.virtualHosts = mkOption {
-      type = attrsOf (submodule hostModule);
-    };
-  };
-}
--- a/modules/nixos/nginx/local.nix
+++ b/modules/nixos/nginx/local.nix
@ -0,0 +1,94 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib.options) mkOption;
+  inherit (lib.modules) mkIf mkBefore mkOptionDefault;
+  inherit (lib.strings) concatMapStringsSep optionalString;
+  inherit (lib.lists) optionals;
+  inherit (config.services) tailscale;
+  inherit (config.networking.access) cidrForNetwork localaddrs;
+  localModule = { config, ... }: {
+    options.local = with lib.types; {
+      enable = mkOption {
+        type = bool;
+        description = "for local traffic only";
+        defaultText = literalExpression "false";
+      };
+      denyGlobal = mkOption {
+        type = bool;
+        defaultText = literalExpression "config.local.enable";
+      };
+      trusted = mkOption {
+        type = bool;
+        defaultText = literalExpression "config.local.denyGlobal";
+      };
+      emitDenyGlobal = mkOption {
+        internal = true;
+        type = bool;
+        default = config.local.denyGlobal;
+      };
+    };
+    config = mkIf config.local.emitDenyGlobal {
+      extraConfig = let
+        mkAllow = cidr: "allow ${cidr};";
+        allowAddresses =
+          cidrForNetwork.loopback.all
+          ++ cidrForNetwork.local.all
+          ++ optionals tailscale.enable cidrForNetwork.tail.all;
+        allows = concatMapStringsSep "\n" mkAllow allowAddresses + optionalString localaddrs.enable ''
+          include ${localaddrs.stateDir}/*.nginx.conf;
+        '';
+      in mkBefore ''
+        ${allows}
+        deny all;
+      '';
+    };
+  };
+  locationModule = { config, virtualHost, ... }: {
+    imports = [
+      localModule
+    ];
+
+    config.local = {
+      enable = mkOptionDefault virtualHost.local.enable;
+      denyGlobal = mkOptionDefault virtualHost.local.denyGlobal;
+      trusted = mkOptionDefault virtualHost.local.trusted;
+      emitDenyGlobal = virtualHost.local.emitDenyGlobal;
+    };
+  };
+  hostModule = { config, ... }: {
+    imports = [ localModule ];
+
+    options = with lib.types; {
+      locations = mkOption {
+        type = attrsOf (submoduleWith {
+          modules = [ locationModule ];
+          shorthandOnlyDefinesConfig = true;
+          specialArgs = {
+            virtualHost = config;
+          };
+        });
+      };
+    };
+
+    config.local = {
+      enable = mkOptionDefault false;
+      denyGlobal = mkOptionDefault config.local.enable;
+      trusted = mkOptionDefault config.local.denyGlobal;
+    };
+  };
+in {
+  options = with lib.types; {
+    services.nginx.virtualHosts = mkOption {
+      type = attrsOf (submoduleWith {
+        modules = [ hostModule ];
+        shorthandOnlyDefinesConfig = true;
+        specialArgs = {
+          nixosConfig = config;
+        };
+      });
+    };
+  };
+}
--- a/modules/nixos/nginx/vouch.nix
+++ b/modules/nixos/nginx/vouch.nix
@ -16,6 +16,10 @@ let
          type = str;
          default = "https://login.local.${networking.domain}";
        };
+        doubleProxy = mkOption {
+          type = bool;
+          default = true;
+        };
        authUrl = mkOption {
          type = str;
          default = "https://id.${networking.domain}";
@ -49,6 +53,7 @@ let
          in mkDefault "http://${host}:${toString port}";
          authUrl = mkDefault vouch-proxy.authUrl;
          url = mkDefault vouch-proxy.url;
+          doubleProxy = mkDefault false;
        };
      }
      {
@ -63,11 +68,21 @@ let
        '';
        locations = {
          "/" = {
-            extraConfig = ''
-              add_header Access-Control-Allow-Origin ${config.vouch.url};
-              add_header Access-Control-Allow-Origin ${config.vouch.authUrl};
-              proxy_set_header X-Vouch-User $auth_resp_x_vouch_user;
-            '';
+            extraConfig = mkMerge [
+              ''
+                add_header Access-Control-Allow-Origin ${config.vouch.url};
+                add_header Access-Control-Allow-Origin ${config.vouch.authUrl};
+              ''
+              (mkIf config.local.enable ''
+                add_header Access-Control-Allow-Origin ${config.vouch.localUrl};
+              '')
+              (mkIf (config.local.enable && tailscale.enable) ''
+                add_header Access-Control-Allow-Origin $scheme://${config.vouch.tailDomain};
+              '')
+              ''
+                proxy_set_header X-Vouch-User $auth_resp_x_vouch_user;
+              ''
+            ];
          };
          "@error401" = {
            extraConfig = let
@ -78,32 +93,45 @@ let
              '';
              tailVouchUrl = ''
                if ($http_host ~ "\.tail\.${networking.domain}$") {
-                  set $vouch_url $scheme://${config.vouch.tailDomain};
+                  set $vouch_url $vouch_scheme://${config.vouch.tailDomain};
                }
              '';
            in mkMerge [
              (mkBefore ''
                set $vouch_url ${config.vouch.url};
+                set $vouch_scheme $scheme;
              '')
+              (mkIf config.local.trusted (mkBefore ''
+                if ($http_x_forwarded_proto) {
+                  set $vouch_scheme $http_x_forwarded_proto;
+                }
+              ''))
              (mkIf (config.local.enable or false) localVouchUrl)
              (mkIf (config.local.enable or false && tailscale.enable) tailVouchUrl)
              ''
-                return 302 $vouch_url/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
+                return 302 $vouch_url/login?url=$vouch_scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
              ''
            ];
          };
          "/validate" = {
            recommendedProxySettings = false;
            proxyPass = "${config.vouch.proxyOrigin}/validate";
-            extraConfig = ''
-              proxy_set_header Host $host;
-              proxy_pass_request_body off;
-              proxy_set_header Content-Length "";
-              auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
-              auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
-              auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
-              auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
-            '';
+            extraConfig = mkMerge [
+              (mkIf (!config.vouch.doubleProxy) ''
+                proxy_set_header Host $host;
+              '')
+              (mkIf config.vouch.doubleProxy ''
+                proxy_set_header X-Host $host;
+              '')
+              ''
+                proxy_pass_request_body off;
+                proxy_set_header Content-Length "";
+                auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
+                auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
+                auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
+                auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
+              ''
+            ];
          };
        };
      })
--- a/modules/nixos/nginx/websocket.nix
+++ b/modules/nixos/nginx/websocket.nix