mirror of
https://github.com/gensokyo-zone/infrastructure.git
synced 2026-02-09 12:29:19 -08:00
fix(vouch): local access
This commit is contained in:
arcnmx
parent
34bca016b4
commit
b16d6faee7
8 changed files with 110 additions and 193 deletions
|
|
@ -5,7 +5,8 @@
|
|||
}: let
|
||||
inherit (lib.options) mkOption;
|
||||
inherit (lib.modules) mkIf mkDefault mkOptionDefault;
|
||||
inherit (lib.strings) optionalString;
|
||||
inherit (lib.lists) filter;
|
||||
inherit (lib.strings) optionalString hasPrefix;
|
||||
inherit (config.services) tailscale;
|
||||
inherit (config) networking;
|
||||
hostModule = {config, ...}: let
|
||||
|
|
@ -37,6 +38,9 @@
|
|||
allServerNames = mkOption {
|
||||
type = listOf str;
|
||||
};
|
||||
otherServerNames = mkOption {
|
||||
type = listOf str;
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
|
|
@ -66,9 +70,12 @@
|
|||
(mkIf (cfg.localName != null) cfg.localName)
|
||||
(mkIf (cfg.tailscaleName != null) cfg.tailscaleName)
|
||||
]);
|
||||
allServerNames = mkOptionDefault (
|
||||
allServerNames = mkOptionDefault (filter (name: ! hasPrefix "@" name) (
|
||||
[ config.serverName ] ++ config.serverAliases
|
||||
);
|
||||
));
|
||||
otherServerNames = mkOptionDefault (filter (name: ! hasPrefix "@" name) (
|
||||
config.serverAliases
|
||||
));
|
||||
};
|
||||
};
|
||||
in {
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@
|
|||
};
|
||||
};
|
||||
config = let
|
||||
enableVouchLocal = vouch.localSso.enable && config.local.enable;
|
||||
enableVouchLocal = virtualHost.vouch.localSso.enable;
|
||||
enableVouchTail = enableVouchLocal && tailscale.enable;
|
||||
allowOrigin = url: "add_header Access-Control-Allow-Origin ${url};";
|
||||
in mkIf config.vouch.requireAuth {
|
||||
|
|
@ -57,6 +57,9 @@
|
|||
};
|
||||
vouch = {
|
||||
enable = mkEnableOption "vouch auth proxy";
|
||||
localSso.enable = mkEnableOption "lan-local vouch" // {
|
||||
default = vouch.localSso.enable && config.local.enable;
|
||||
};
|
||||
requireAuth = mkEnableOption "require auth to access this host" // {
|
||||
default = true;
|
||||
};
|
||||
|
|
@ -155,8 +158,8 @@
|
|||
(mkBefore ''
|
||||
set $vouch_url ${vouch.url};
|
||||
'')
|
||||
(mkIf (vouch.localSso.enable && config.local.enable or false) localVouchUrl)
|
||||
(mkIf (vouch.localSso.enable && config.local.enable or false && tailscale.enable) tailVouchUrl)
|
||||
(mkIf cfg.localSso.enable localVouchUrl)
|
||||
(mkIf (cfg.localSso.enable && tailscale.enable) tailVouchUrl)
|
||||
];
|
||||
in mkIf cfg.enable (mkMerge (
|
||||
[
|
||||
|
|
@ -184,8 +187,8 @@
|
|||
proxied.rewriteReferer = false;
|
||||
extraConfig = let
|
||||
# nginx-proxied vouch must use X-Forwarded-Host, but vanilla vouch requires Host
|
||||
vouchProxyHost = if vouch.doubleProxy
|
||||
then "${config.proxy.host}"
|
||||
vouchProxyHost = if vouch.doubleProxy.enable
|
||||
then (if cfg.localSso.enable then vouch.doubleProxy.localServerName else vouch.doubleProxy.serverName)
|
||||
else "$x_forwarded_host";
|
||||
in ''
|
||||
proxy_set_header Host ${vouchProxyHost};
|
||||
|
|
@ -204,17 +207,31 @@ in {
|
|||
services.nginx = {
|
||||
vouch = {
|
||||
enable = mkEnableOption "vouch auth proxy";
|
||||
enableLocal = mkEnableOption "use local vouch instance" // {
|
||||
default = true;
|
||||
};
|
||||
localSso = {
|
||||
# NOTE: this won't work without multiple vouch-proxy instances with different auth urls...
|
||||
enable = mkEnableOption "lan-local auth";
|
||||
enable = mkEnableOption "lan-local auth" // {
|
||||
default = true;
|
||||
};
|
||||
};
|
||||
proxyOrigin = mkOption {
|
||||
type = str;
|
||||
default = "https://login.local.${networking.domain}";
|
||||
};
|
||||
doubleProxy = mkOption {
|
||||
type = bool;
|
||||
default = true;
|
||||
doubleProxy = {
|
||||
enable = mkOption {
|
||||
type = bool;
|
||||
default = true;
|
||||
};
|
||||
serverName = mkOption {
|
||||
type = str;
|
||||
default = "@vouch_internal";
|
||||
};
|
||||
localServerName = mkOption {
|
||||
type = str;
|
||||
default = "@vouch_internal_local";
|
||||
};
|
||||
};
|
||||
authUrl = mkOption {
|
||||
type = str;
|
||||
|
|
@ -245,7 +262,7 @@ in {
|
|||
mkAlmostOptionDefault "http://login.tail.${networking.domain}"
|
||||
);
|
||||
}
|
||||
(mkIf vouch-proxy.enable {
|
||||
(mkIf (vouch.enableLocal && vouch-proxy.enable) {
|
||||
proxyOrigin = let
|
||||
inherit (vouch-proxy.settings.vouch) listen port;
|
||||
host =
|
||||
|
|
@ -256,7 +273,7 @@ in {
|
|||
mkAlmostOptionDefault "http://${host}:${toString port}";
|
||||
authUrl = mkAlmostOptionDefault vouch-proxy.authUrl;
|
||||
url = mkAlmostOptionDefault vouch-proxy.url;
|
||||
doubleProxy = mkAlmostOptionDefault false;
|
||||
doubleProxy.enable = mkAlmostOptionDefault false;
|
||||
})
|
||||
];
|
||||
};
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue