From b8e5fda0a777eec927188510e0c383910b361b5b Mon Sep 17 00:00:00 2001 From: arcnmx Date: Wed, 4 Sep 2024 16:45:38 -0700 Subject: [PATCH] feat(vouch): separate local cookie --- nixos/secrets/vouch.yaml | 7 ++-- nixos/{vouch.nix => vouch/default.nix} | 21 ------------ nixos/vouch/gensokyo.nix | 36 ++++++++++++++++++++ nixos/vouch/local.nix | 46 ++++++++++++++++++++++++++ systems/hakurei/nixos.nix | 9 +---- systems/keycloak/nixos.nix | 2 +- 6 files changed, 88 insertions(+), 33 deletions(-) rename nixos/{vouch.nix => vouch/default.nix} (59%) create mode 100644 nixos/vouch/gensokyo.nix create mode 100644 nixos/vouch/local.nix diff --git a/nixos/secrets/vouch.yaml b/nixos/secrets/vouch.yaml index b3511c57..f34d0566 100644 --- a/nixos/secrets/vouch.yaml +++ b/nixos/secrets/vouch.yaml @@ -1,5 +1,6 @@ vouch-client-secret: ENC[AES256_GCM,data:gmCOrC3FDSUw/V1FZywiq0MWgKTK7j2ojb/fZahFS4g=,iv:D6UfdfeRaqzEhK9yVsc0TfIfQ/EBzWdtzLt/vUKPR8I=,tag:EZ+XHvi0gnhvJ6s1d6KviA==,type:str] vouch-jwt: ENC[AES256_GCM,data:7G1/pzEmR7NM7eFb2wED4HR/A00TNdBjBs/OdziDgIuPttqp4AeLRnJ0UhRps5taEx2cTH0U5GyCR/A9ef9hfA==,iv:ugOuH35frzoT6lX9UTJjzoTm2OTCqS3sNJGq8TfViEY=,tag:jvv4DkLwMB9ytefpGpIqPQ==,type:str] +vouch-jwt-local: ENC[AES256_GCM,data:T5iVraBlNen0RfKdYNZFwhNrH2vsaLNf0EI8JFp3MyPoFnmL+VAswCfo73danD7xJfMSSLjRzTjThZdtEJtsAQ==,iv:Id5pQDQAiMbx5DTJMBOqPkFH3QlVY1GZ4OICLttomDg=,tag:1pUS6n3WVETzVGLJuSr4eg==,type:str] sops: shamir_threshold: 1 kms: [] 
@@ -97,8 +98,8 @@ sops: NXp1RVo4WDdXT0p2THpJZXFEZHJWU1UKDoEPjo8e5iihJRcoqriBxhS9mhmQRgVa Lyr/gOh691Ke3pAhIF6tjPA8bK0ddn2Hyp1dYafY/JpFUFkX6y+Eng== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-03-20T00:39:56Z" - mac: ENC[AES256_GCM,data:JY2ttbttavS4RqYEFf95BkiPrK1r4r6hXnoQMCqtoQmBhSbUF9X5gvxZuqBFF7as9KgwiWHXFJ6S0FccmDDcBA/QoGxI4IJoR4nEIp7Y/YHTY6Ni0vZfO27yAtGmnViXadOeVyFChVN6GjRnxLp/FaBdXxtjSH8x4sQqf/2VWCw=,iv:/pnWEOcclzw0xcpL6lwErJLOBE9tBk1pOZZe3ew20TM=,tag:WNWiSG7Buve8YxJb1XxFwg==,type:str] + lastmodified: "2024-09-04T23:22:37Z" + mac: ENC[AES256_GCM,data:KQ/GNg0uevSVjhXo+fJQ49T2/Ll9N8X4R9EZfc3dVKheG+kSLW84vS97GqFqo0pOZm6/QqeAagnbpCLLQ7AVgG2UfKz/kzvstGU8aye0OcqnRfMDhRdbjwpJc/X4mFKOzBDwTe40StjVGzG1xw0fWUcNHwXOdYhAfyveP7KUMt8=,iv:XA++kctNQTxDFDgWeczdMwnvLRy1i5vS5+zRcquuO7Q=,tag:filjUETcyt15qPO8PGmrMg==,type:str] pgp: - created_at: "2024-09-02T04:45:58Z" enc: |- @@ -136,4 +137,4 @@ sops: -----END PGP MESSAGE----- fp: 65BD3044771CB6FB unencrypted_suffix: _unencrypted - version: 3.8.1 + version: 3.9.0 diff --git a/nixos/vouch.nix b/nixos/vouch/default.nix similarity index 59% rename from nixos/vouch.nix rename to nixos/vouch/default.nix index bcb81ef3..a9b20d6b 100644 --- a/nixos/vouch.nix +++ b/nixos/vouch/default.nix @@ -6,7 +6,6 @@ }: let inherit (lib.modules) mkIf mkMerge mkDefault; cfg = config.services.vouch-proxy; - sopsFile = mkDefault ./secrets/vouch.yaml; enableKeycloak = true; hassVouch = false; in { @@ -21,10 +20,6 @@ in { + old.postPatch or ""; doCheck = false; })); - domain = mkDefault "login.${config.networking.domain}"; - authUrl = mkIf enableKeycloak ( - mkDefault "https://sso.${config.networking.domain}/realms/${config.networking.domain}" - ); settings = mkMerge [ { vouch.listen = mkDefault "0.0.0.0"; 
@@ -38,21 +33,5 @@ in {
 };
 })
 ];
- enableSettingsSecrets = mkDefault true;
- extraSettings = {
- oauth.client_secret._secret = config.sops.secrets.vouch-client-secret.path;
- vouch.jwt.secret._secret = config.sops.secrets.vouch-jwt.path;
- };
- };
-
- sops.secrets = {
- vouch-jwt = {
- inherit sopsFile;
- owner = cfg.user;
- };
- vouch-client-secret = {
- inherit sopsFile;
- owner = cfg.user;
- };
 };
 }
diff --git a/nixos/vouch/gensokyo.nix b/nixos/vouch/gensokyo.nix
new file mode 100644
index 00000000..61e2b0e4
--- /dev/null
+++ b/nixos/vouch/gensokyo.nix
@@ -0,0 +1,36 @@
+{
+ config,
+ meta,
+ lib,
+ ...
+}: let
+ inherit (lib.modules) mkIf mkDefault;
+ inherit (config.networking) domain;
+ cfg = config.services.vouch-proxy;
+ sopsFile = mkDefault ../secrets/vouch.yaml;
+ enableKeycloak = true;
+in {
+ imports = [meta.nixos.vouch.default];
+ services.vouch-proxy = {
+ domain = mkDefault "login.${domain}";
+ authUrl = mkIf enableKeycloak (
+ mkDefault "https://sso.${domain}/realms/${domain}"
+ );
+ enableSettingsSecrets = true;
+ extraSettings = {
+ oauth.client_secret._secret = config.sops.secrets.vouch-client-secret.path;
+ vouch.jwt.secret._secret = config.sops.secrets.vouch-jwt.path;
+ };
+ };
+
+ sops.secrets = {
+ vouch-jwt = {
+ inherit sopsFile;
+ owner = cfg.user;
+ };
+ vouch-client-secret = {
+ inherit sopsFile;
+ owner = cfg.user;
+ };
+ };
+}
diff --git a/nixos/vouch/local.nix b/nixos/vouch/local.nix
new file mode 100644
index 00000000..85aa8c04
--- /dev/null
+++ b/nixos/vouch/local.nix
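Review bot: gensokyo.nix and local.nix both set `services.vouch-proxy.domain` with `mkDefault` to different values, so importing both profiles on one host would fail with a conflicting-definition error, yet nothing in the new file says which host it is meant for or that it excludes the other profile. A one-line comment above `imports`, e.g. `# public vouch profile (login.${domain}); mutually exclusive with vouch/local.nix`, would make that explicit. The `sops.secrets.vouch-client-secret` declaration and the `oauth.client_secret._secret` wiring are repeated verbatim in local.nix; if both profiles are meant to share one Keycloak client they could live in default.nix, though I can't tell from here whether default.nix is imported somewhere without sops. Note also that `enableSettingsSecrets` goes from `mkDefault true` in the removed default.nix lines to an unconditional `true`, which a host can no longer override.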
@@ -0,0 +1,46 @@
+{
+ config,
+ meta,
+ lib,
+ ...
+}: let
+ inherit (lib.modules) mkIf mkDefault;
+ inherit (config.networking) domain;
+ cfg = config.services.vouch-proxy;
+ sopsFile = mkDefault ../secrets/vouch.yaml;
+ enableKeycloak = true;
+ distinctLocal = true;
+ jwtSecret =
+ if distinctLocal
+ then "vouch-jwt-local"
+ else "vouch-jwt";
+in {
+ imports = [meta.nixos.vouch.default];
+ services.vouch-proxy = {
+ # configure a secondary vouch instance for local clients, but don't use it by default
+ domain = mkDefault "login.local.${domain}";
+ authUrl = mkIf enableKeycloak (
+ mkDefault "https://sso.local.${domain}/realms/${domain}"
+ );
+ settings.vouch.cookie = {
+ domain = "local.${domain}";
+ name = mkIf distinctLocal "VouchLocal";
+ };
+ enableSettingsSecrets = true;
+ extraSettings = {
+ oauth.client_secret._secret = config.sops.secrets.vouch-client-secret.path;
+ vouch.jwt.secret._secret = config.sops.secrets.${jwtSecret}.path;
+ };
+ };
+
+ sops.secrets = {
+ ${jwtSecret} = {
+ inherit sopsFile;
+ owner = cfg.user;
+ };
+ vouch-client-secret = {
+ inherit sopsFile;
+ owner = cfg.user;
+ };
+ };
+}
diff --git a/systems/hakurei/nixos.nix b/systems/hakurei/nixos.nix
index 61294b50..28498930 100644
--- a/systems/hakurei/nixos.nix
+++ b/systems/hakurei/nixos.nix
@@ -26,7 +26,7 @@ in {
 nixos.ddclient
 nixos.acme
 nixos.nginx
- nixos.vouch
+ nixos.vouch.local
 nixos.access.nginx
 nixos.access.global
 nixos.access.mosquitto
@@ -77,13 +77,6 @@ in {
 };
 };
 
- # configure a secondary vouch instance for local clients, but don't use it by default
- services.vouch-proxy = {
- authUrl = "https://${virtualHosts.keycloak'local.serverName}/realms/${config.networking.domain}";
- domain = "login.local.${config.networking.domain}";
- settings.cookie.domain = "local.${config.networking.domain}";
- };
-
 security.acme.certs = {
 hakurei = {
 inherit (nginx) group;
diff --git a/systems/keycloak/nixos.nix b/systems/keycloak/nixos.nix
index b1a0c346..cd2dc98d 100644
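Review bot: The comment carried into local.nix, `# configure a secondary vouch instance for local clients, but don't use it by default`, no longer matches its surroundings: on hakurei this module is now the only vouch instance (`nixos.vouch` was replaced by `nixos.vouch.local`), and nothing here shows what "don't use it by default" refers to. I would replace it with a comment on the property the new secret actually buys, e.g. `# vouch profile for hosts under local.${domain}; with distinctLocal the cookie is renamed VouchLocal and signed with vouch-jwt-local, so a session cookie issued by the public login.${domain} instance is not accepted here — setting distinctLocal = false reintroduces that sharing`. `settings.vouch.cookie.domain = "local.${domain}"` is the only per-instance value in the file without `mkDefault`, unlike `domain` and `authUrl` beside it; either wrap it in `mkDefault` or say in a comment why it must stay fixed. The removed hakurei block set this key at `settings.cookie.domain`, whereas default.nix nests its keys under `settings.vouch.*`, so the new nesting presumably changes the cookie's effective domain — worth a line in the commit message.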
--- a/systems/keycloak/nixos.nix
+++ b/systems/keycloak/nixos.nix
@@ -17,7 +17,7 @@ in {
 nixos.keycloak
 nixos.vaultwarden
 nixos.cloudflared
- nixos.vouch
+ nixos.vouch.gensokyo
 nixos.nginx
 nixos.access.vaultwarden
 ];