feat(vouch): separate local cookie

2026-02-09 04:19:19 -08:00 · 2024-09-04 16:45:38 -07:00 · 2024-09-04 16:45:38 -07:00 · b8e5fda0a7
commit b8e5fda0a7
parent 5cbde2e43f
6 changed files with 88 additions and 33 deletions
--- a/nixos/secrets/vouch.yaml
+++ b/nixos/secrets/vouch.yaml
@ -1,5 +1,6 @@
 vouch-client-secret: ENC[AES256_GCM,data:gmCOrC3FDSUw/V1FZywiq0MWgKTK7j2ojb/fZahFS4g=,iv:D6UfdfeRaqzEhK9yVsc0TfIfQ/EBzWdtzLt/vUKPR8I=,tag:EZ+XHvi0gnhvJ6s1d6KviA==,type:str]
 vouch-jwt: ENC[AES256_GCM,data:7G1/pzEmR7NM7eFb2wED4HR/A00TNdBjBs/OdziDgIuPttqp4AeLRnJ0UhRps5taEx2cTH0U5GyCR/A9ef9hfA==,iv:ugOuH35frzoT6lX9UTJjzoTm2OTCqS3sNJGq8TfViEY=,tag:jvv4DkLwMB9ytefpGpIqPQ==,type:str]
+vouch-jwt-local: ENC[AES256_GCM,data:T5iVraBlNen0RfKdYNZFwhNrH2vsaLNf0EI8JFp3MyPoFnmL+VAswCfo73danD7xJfMSSLjRzTjThZdtEJtsAQ==,iv:Id5pQDQAiMbx5DTJMBOqPkFH3QlVY1GZ4OICLttomDg=,tag:1pUS6n3WVETzVGLJuSr4eg==,type:str]
 sops:
    shamir_threshold: 1
    kms: []
@ -97,8 +98,8 @@ sops:
            NXp1RVo4WDdXT0p2THpJZXFEZHJWU1UKDoEPjo8e5iihJRcoqriBxhS9mhmQRgVa
            Lyr/gOh691Ke3pAhIF6tjPA8bK0ddn2Hyp1dYafY/JpFUFkX6y+Eng==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-03-20T00:39:56Z"
-    mac: ENC[AES256_GCM,data:JY2ttbttavS4RqYEFf95BkiPrK1r4r6hXnoQMCqtoQmBhSbUF9X5gvxZuqBFF7as9KgwiWHXFJ6S0FccmDDcBA/QoGxI4IJoR4nEIp7Y/YHTY6Ni0vZfO27yAtGmnViXadOeVyFChVN6GjRnxLp/FaBdXxtjSH8x4sQqf/2VWCw=,iv:/pnWEOcclzw0xcpL6lwErJLOBE9tBk1pOZZe3ew20TM=,tag:WNWiSG7Buve8YxJb1XxFwg==,type:str]
+    lastmodified: "2024-09-04T23:22:37Z"
+    mac: ENC[AES256_GCM,data:KQ/GNg0uevSVjhXo+fJQ49T2/Ll9N8X4R9EZfc3dVKheG+kSLW84vS97GqFqo0pOZm6/QqeAagnbpCLLQ7AVgG2UfKz/kzvstGU8aye0OcqnRfMDhRdbjwpJc/X4mFKOzBDwTe40StjVGzG1xw0fWUcNHwXOdYhAfyveP7KUMt8=,iv:XA++kctNQTxDFDgWeczdMwnvLRy1i5vS5+zRcquuO7Q=,tag:filjUETcyt15qPO8PGmrMg==,type:str]
    pgp:
        - created_at: "2024-09-02T04:45:58Z"
          enc: |-
@ -136,4 +137,4 @@ sops:
            -----END PGP MESSAGE-----
          fp: 65BD3044771CB6FB
    unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.0
--- a/nixos/vouch/default.nix
+++ b/nixos/vouch/default.nix
@ -6,7 +6,6 @@
 }: let
  inherit (lib.modules) mkIf mkMerge mkDefault;
  cfg = config.services.vouch-proxy;
-  sopsFile = mkDefault ./secrets/vouch.yaml;
  enableKeycloak = true;
  hassVouch = false;
 in {
@ -21,10 +20,6 @@ in {
        + old.postPatch or "";
      doCheck = false;
    }));
-    domain = mkDefault "login.${config.networking.domain}";
-    authUrl = mkIf enableKeycloak (
-      mkDefault "https://sso.${config.networking.domain}/realms/${config.networking.domain}"
-    );
    settings = mkMerge [
      {
        vouch.listen = mkDefault "0.0.0.0";
@ -38,21 +33,5 @@ in {
        };
      })
    ];
-    enableSettingsSecrets = mkDefault true;
-    extraSettings = {
-      oauth.client_secret._secret = config.sops.secrets.vouch-client-secret.path;
-      vouch.jwt.secret._secret = config.sops.secrets.vouch-jwt.path;
-    };
-  };
-
-  sops.secrets = {
-    vouch-jwt = {
-      inherit sopsFile;
-      owner = cfg.user;
-    };
-    vouch-client-secret = {
-      inherit sopsFile;
-      owner = cfg.user;
-    };
  };
 }
--- a/nixos/vouch/gensokyo.nix
+++ b/nixos/vouch/gensokyo.nix
@ -0,0 +1,36 @@
+{
+  config,
+  meta,
+  lib,
+  ...
+}: let
+  inherit (lib.modules) mkIf mkDefault;
+  inherit (config.networking) domain;
+  cfg = config.services.vouch-proxy;
+  sopsFile = mkDefault ../secrets/vouch.yaml;
+  enableKeycloak = true;
+in {
+  imports = [meta.nixos.vouch.default];
+  services.vouch-proxy = {
+    domain = mkDefault "login.${domain}";
+    authUrl = mkIf enableKeycloak (
+      mkDefault "https://sso.${domain}/realms/${domain}"
+    );
+    enableSettingsSecrets = true;
+    extraSettings = {
+      oauth.client_secret._secret = config.sops.secrets.vouch-client-secret.path;
+      vouch.jwt.secret._secret = config.sops.secrets.vouch-jwt.path;
+    };
+  };
+
+  sops.secrets = {
+    vouch-jwt = {
+      inherit sopsFile;
+      owner = cfg.user;
+    };
+    vouch-client-secret = {
+      inherit sopsFile;
+      owner = cfg.user;
+    };
+  };
+}
--- a/nixos/vouch/local.nix
+++ b/nixos/vouch/local.nix
@ -0,0 +1,46 @@
+{
+  config,
+  meta,
+  lib,
+  ...
+}: let
+  inherit (lib.modules) mkIf mkDefault;
+  inherit (config.networking) domain;
+  cfg = config.services.vouch-proxy;
+  sopsFile = mkDefault ../secrets/vouch.yaml;
+  enableKeycloak = true;
+  distinctLocal = true;
+  jwtSecret =
+    if distinctLocal
+    then "vouch-jwt-local"
+    else "vouch-jwt";
+in {
+  imports = [meta.nixos.vouch.default];
+  services.vouch-proxy = {
+    # configure a secondary vouch instance for local clients, but don't use it by default
+    domain = mkDefault "login.local.${domain}";
+    authUrl = mkIf enableKeycloak (
+      mkDefault "https://sso.local.${domain}/realms/${domain}"
+    );
+    settings.vouch.cookie = {
+      domain = "local.${domain}";
+      name = mkIf distinctLocal "VouchLocal";
+    };
+    enableSettingsSecrets = true;
+    extraSettings = {
+      oauth.client_secret._secret = config.sops.secrets.vouch-client-secret.path;
+      vouch.jwt.secret._secret = config.sops.secrets.${jwtSecret}.path;
+    };
+  };
+
+  sops.secrets = {
+    ${jwtSecret} = {
+      inherit sopsFile;
+      owner = cfg.user;
+    };
+    vouch-client-secret = {
+      inherit sopsFile;
+      owner = cfg.user;
+    };
+  };
+}