fix(vouch): local access

2026-02-09 12:29:19 -08:00 · 2024-03-22 14:02:17 -07:00 · 2024-03-22 14:02:17 -07:00 · b16d6faee7
commit b16d6faee7
parent 34bca016b4
8 changed files with 110 additions and 193 deletions
--- a/nixos/access/barcodebuddy.nix
+++ b/nixos/access/barcodebuddy.nix
@ -6,7 +6,7 @@
  inherit (lib.modules) mkIf mkDefault;
  inherit (config.services) barcodebuddy nginx;
  name.shortServer = mkDefault "bbuddy";
-  serverName = "bbuddy_internal";
+  serverName = "@bbuddy_internal";
  extraConfig = ''
    set $x_proxy_host ${serverName};
  '';
--- a/nixos/access/invidious.nix
+++ b/nixos/access/invidious.nix
@ -53,7 +53,7 @@ in {
        };
      };
      invidious'int = { config, ... }: {
-        serverName = "invidious_internal";
+        serverName = "@invidious_internal";
        proxied.enable = true;
        local.denyGlobal = true;
        # TODO: consider disabling registration then redirecting to login if `SID` cookie is unset instead of using vouch
--- a/nixos/access/kanidm.nix
+++ b/nixos/access/kanidm.nix
@ -1,131 +0,0 @@
-{
-  config,
-  meta,
-  lib,
-  ...
-}: let
-  inherit (lib.options) mkOption;
-  inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
-  inherit (config) networking;
-  inherit (config.services) tailscale nginx;
-  inherit (nginx) virtualHosts;
-  cfg = config.services.kanidm;
-  access = nginx.access.kanidm;
-  proxyPass = mkDefault "https://${access.host}:${toString access.port}";
-  locations = {
-    "/" = {
-      inherit proxyPass;
-    };
-    "=/ca.pem" = mkIf cfg.server.unencrypted.enable {
-      alias = "${cfg.server.unencrypted.package.ca}";
-    };
-  };
-  localLocations = vouchDomain: {
-    "/".extraConfig = ''
-      proxy_redirect $scheme://${nginx.access.vouch.domain or "login.${networking.domain}"}/ $scheme://${vouchDomain}/;
-    '';
-  };
-in {
-  imports = let
-    inherit (meta) nixos;
-  in [
-    nixos.access.ldap
-  ];
-
-  options.services.nginx.access.kanidm = with lib.types; {
-    host = mkOption {
-      type = str;
-    };
-    domain = mkOption {
-      type = str;
-      default = "id.${networking.domain}";
-    };
-    localDomain = mkOption {
-      type = str;
-      default = "id.local.${networking.domain}";
-    };
-    tailDomain = mkOption {
-      type = str;
-      default = "id.tail.${networking.domain}";
-    };
-    port = mkOption {
-      type = port;
-    };
-    ldapHost = mkOption {
-      type = str;
-      default = access.host;
-    };
-    ldapPort = mkOption {
-      type = port;
-    };
-    ldapEnable = mkOption {
-      type = bool;
-      default = false;
-    };
-    useACMEHost = mkOption {
-      type = nullOr str;
-      default = virtualHosts.${access.domain}.useACMEHost;
-    };
-  };
-  config = {
-    services.nginx = {
-      access.kanidm = mkIf cfg.enableServer {
-        domain = mkOptionDefault cfg.server.frontend.domain;
-        host = mkOptionDefault "localhost";
-        port = mkOptionDefault cfg.server.frontend.port;
-        ldapPort = mkOptionDefault cfg.server.ldap.port;
-        ldapEnable = mkDefault cfg.server.ldap.enable;
-      };
-      access.ldap = mkIf (cfg.enableServer && cfg.ldapEnable) {
-        enable = mkDefault true;
-        host = mkOptionDefault access.kanidm.ldapHost;
-        port = mkOptionDefault access.kanidm.ldapPort;
-        useACMEHost = mkDefault access.kanidm.useACMEHost;
-      };
-      virtualHosts = {
-        ${access.domain} = {
-          inherit locations;
-        };
-        ${access.localDomain} = {
-          inherit (virtualHosts.${access.domain}) useACMEHost;
-          addSSL = mkDefault (access.useACMEHost != null || virtualHosts.${access.domain}.forceSSL);
-          local.enable = true;
-          locations = mkMerge [
-            locations
-            (localLocations nginx.access.vouch.localDomain or "login.local.${networking.domain}")
-          ];
-        };
-        ${access.tailDomain} = mkIf tailscale.enable {
-          inherit (virtualHosts.${access.domain}) useACMEHost;
-          addSSL = mkDefault (access.useACMEHost != null || virtualHosts.${access.domain}.forceSSL);
-          local.enable = true;
-          locations = mkMerge [
-            locations
-            (localLocations nginx.access.vouch.tailDomain or "login.tail.${networking.domain}")
-          ];
-        };
-      };
-    };
-
-    services.kanidm.server.unencrypted.domain = mkMerge [
-      [
-        access.localDomain
-        config.networking.fqdn
-        config.lib.access.hostnameForNetwork.local
-      ]
-      (mkIf tailscale.enable [
-        "id.tail.${config.networking.domain}"
-        config.lib.access.hostnameForNetwork.tail
-      ])
-    ];
-
-    networking.firewall = {
-      interfaces.local.allowedTCPPorts = [
-        389
-      ];
-      allowedTCPPorts = [
-        636
-      ];
-    };
-  };
-}
--- a/nixos/access/keycloak.nix
+++ b/nixos/access/keycloak.nix
@ -44,11 +44,11 @@ in {
        };
        local.enable = true;
        inherit locations;
-        extraConfig = mkIf nginx.vouch.localSso.enable ''
+        extraConfig = mkIf false ''
          set $vouch_local_url ${nginx.vouch.localUrl};
-          if ($x_forwarded_host ~ "\.tail\.${networking.domain}$") {
-            set $vouch_local_url $x_scheme://${nginx.vouch.tailDomain};
-          }
+          #if ($x_forwarded_host ~ "\.tail\.${networking.domain}$") {
+          #  set $vouch_local_url $x_scheme://${nginx.vouch.tailDomain};
+          #}
          proxy_redirect ${nginx.vouch.url}/ $vouch_local_url/;
        '';
      };
--- a/nixos/access/vouch.nix
+++ b/nixos/access/vouch.nix
@ -3,40 +3,31 @@
  lib,
  ...
 }: let
-  inherit (lib.options) mkOption;
  inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
  inherit (config) networking;
  inherit (config.services) tailscale nginx;
  cfg = config.services.vouch-proxy;
-  access = nginx.access.vouch;
 in {
-  options.services.nginx.access.vouch = with lib.types; {
-    url = mkOption {
-      type = str;
-    };
-  };
  config.services.nginx = {
-    access.vouch = mkIf cfg.enable {
-      url = let
+    virtualHosts = let
+      localVouchUrl = let
        inherit (cfg.settings.vouch) listen;
        host =
          if listen == "0.0.0.0" || listen == "[::]"
          then "localhost"
          else listen;
      in
-        mkOptionDefault "http://${host}:${toString cfg.settings.vouch.port}";
-    };
-    virtualHosts = let
+        "http://${host}:${toString cfg.settings.vouch.port}";
      locations = {
        "/" = {
-          proxyPass = mkDefault access.url;
          extraConfig = ''
            proxy_redirect default;
+            set $x_proxy_host $x_forwarded_host;
          '';
        };
-        "/validate" = {config, ...}: {
+        "/validate" = {config, virtualHost, ...}: {
          proxied.enable = true;
-          proxyPass = mkDefault (access.url + "/validate");
+          proxyPass = mkDefault (virtualHost.locations."/".proxyPass + "/validate");
          proxy.headers.enableRecommended = true;
          local.denyGlobal = true;
          extraConfig = ''
@ -44,7 +35,7 @@ in {
          '';
        };
      };
-      localLocations = kanidmDomain: mkIf nginx.vouch.localSso.enable {
+      localLocations = kanidmDomain: mkIf (nginx.vouch.localSso.enable && false) {
        "/" = {
          proxied.xvars.enable = true;
          extraConfig = ''
@ -55,14 +46,25 @@ in {
      name.shortServer = mkDefault "login";
    in {
      vouch = {
-        inherit name locations;
+        inherit name;
+        serverAliases = [ nginx.vouch.doubleProxy.serverName ];
+        proxied.enable = true;
+        local.denyGlobal = true;
+        locations = mkMerge [
+          locations
+          {
+            "/".proxyPass = mkIf cfg.enable (mkDefault localVouchUrl);
+          }
+        ];
        ssl.force = true;
      };
      vouch'local = {
        name = {
          inherit (name) shortServer;
-          includeTailscale = false;
+          includeTailscale = mkDefault false;
        };
+        serverAliases = mkIf cfg.enable [ nginx.vouch.doubleProxy.localServerName ];
+        proxied.enable = true;
        local.enable = true;
        ssl = {
          force = true;
@ -70,11 +72,14 @@ in {
        };
        locations = mkMerge [
          locations
+          {
+            "/".proxyPass = mkDefault nginx.virtualHosts.vouch.locations."/".proxyPass;
+          }
          (localLocations "sso.local.${networking.domain}")
        ];
      };
      vouch'tail = {
-        enable = mkDefault tailscale.enable;
+        enable = mkDefault (tailscale.enable && !nginx.virtualHosts.vouch'local.name.includeTailscale);
        ssl.cert.copyFromVhost = "vouch'local";
        name = {
          inherit (name) shortServer;
@ -83,6 +88,9 @@ in {
        local.enable = true;
        locations = mkMerge [
          locations
+          {
+            "/".proxyPass = mkDefault nginx.virtualHosts.vouch'local.locations."/".proxyPass;
+          }
          (localLocations "sso.tail.${networking.domain}")
        ];
      };