feat(vouch): switch to keycloak
This commit is contained in:
parent
88477df521
commit
b9cb9dc54d
5 changed files with 38 additions and 18 deletions
|
|
@ -21,7 +21,7 @@
|
|||
};
|
||||
authUrl = mkOption {
|
||||
type = str;
|
||||
default = "https://id.${networking.domain}";
|
||||
default = "https://sso.${networking.domain}/realms/${networking.domain}";
|
||||
};
|
||||
url = mkOption {
|
||||
type = str;
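Review bot: The `authUrl` option in this hunk has no `description`, and its new default now encodes an OIDC issuer path (`/realms/${networking.domain}`) rather than only a host, so the contract deserves stating: `description = "Base URL of the OIDC issuer (Keycloak realm); the realm name is assumed to equal networking.domain.";`. Because the realm segment is derived from the domain, a Keycloak realm with exactly that name has to exist or logins will fail at the authorization endpoint, and nothing in the diff makes that coupling visible. The enclosing option set begins before the hunk.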
|
||||
|
|
|
|||
|
|
@ -40,7 +40,7 @@ in {
|
|||
then "localhost"
|
||||
else listen;
|
||||
in
|
||||
mkOptionDefault "http://${host}:${toString cfg.port}";
|
||||
mkOptionDefault "http://${host}:${toString cfg.settings.vouch.port}";
|
||||
};
|
||||
virtualHosts = let
|
||||
locations = {
|
||||
|
|
@ -68,7 +68,7 @@ in {
|
|||
};
|
||||
localLocations = kanidmDomain: {
|
||||
"/".extraConfig = ''
|
||||
proxy_redirect $scheme://${nginx.access.kanidm.domain or "id.${networking.domain}"}/ $scheme://${kanidmDomain}/;
|
||||
proxy_redirect $scheme://sso.${networking.domain}/ $scheme://${kanidmDomain}/;
|
||||
'';
|
||||
};
|
||||
in {
|
||||
|
|
@ -76,7 +76,6 @@ in {
|
|||
local.enable = true;
|
||||
locations = mkMerge [
|
||||
locations
|
||||
(localLocations nginx.access.kanidm.localDomain or "id.local.${networking.domain}")
|
||||
];
|
||||
useACMEHost = mkDefault access.useACMEHost;
|
||||
forceSSL = true;
|
||||
|
|
@ -85,7 +84,6 @@ in {
|
|||
local.enable = true;
|
||||
locations = mkMerge [
|
||||
locations
|
||||
(localLocations nginx.access.kanidm.tailDomain or "id.tail.${networking.domain}")
|
||||
];
|
||||
useACMEHost = mkDefault access.useACMEHost;
|
||||
addSSL = mkIf (access.useACMEHost != null) (mkDefault true);
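Review bot: `localLocations` is kept and rewritten in the hunk at L81–L96, but the two hunks that follow each drop exactly one line from their `mkMerge` lists (7→6 per the hunk headers) and the `(localLocations …)` entries are the only plausible candidates, which would leave the new `proxy_redirect` for `sso.${networking.domain}` as unreachable dead code. If the call sites are indeed gone, remove `localLocations` as well; if they stay, the `kanidmDomain` parameter no longer names what it carries, e.g. `localLocations = ssoDomain: {`. The `mkOptionDefault` change in the first hunk now reads `cfg.settings.vouch.port`, which matches the `vouch.listen` settings in the vouch config hunk and looks correct. Both `virtualHosts` definitions start and end outside these hunks.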
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
{config, lib, ...}: let
|
||||
inherit (lib.modules) mkForce;
|
||||
inherit (lib.modules) mkForce;
|
||||
in {
|
||||
sops.secrets = let
|
||||
commonSecret = {
|
||||
|
|
@ -9,14 +9,14 @@ in {
|
|||
in {
|
||||
keycloak_db_password = commonSecret;
|
||||
};
|
||||
users.users.keycloak = {
|
||||
users.users.keycloak = {
|
||||
isSystemUser = true;
|
||||
group = "keycloak";
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 80 ];
|
||||
users.groups.keycloak = {};
|
||||
systemd.services.keycloak.serviceConfig.DynamicUser = mkForce false;
|
||||
networking.firewall.interfaces.local.allowedTCPPorts = [ 80 ];
|
||||
users.groups.keycloak = {};
|
||||
systemd.services.keycloak.serviceConfig.DynamicUser = mkForce false;
|
||||
|
||||
services.keycloak = {
|
||||
enable = true;
|
||||
|
|
@ -29,8 +29,8 @@ systemd.services.keycloak.serviceConfig.DynamicUser = mkForce false;
|
|||
};
|
||||
|
||||
settings = {
|
||||
hostname = "sso.gensokyo.zone";
|
||||
proxy = "edge";
|
||||
hostname = "sso.${config.networking.domain}";
|
||||
proxy = "edge";
|
||||
};
|
||||
};
|
||||
}
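Review bot: Keycloak is configured with `proxy = "edge"`, which makes it trust the `X-Forwarded-*` headers of any client that reaches its plaintext port 80, so the narrowing of the firewall rule to `interfaces.local` in the preceding hunk is what bounds that trust and should be stated next to it: `# port 80 is plaintext and Keycloak trusts forwarded headers on it (proxy = "edge"); keep it reachable only from the interface nginx sits on`. Any other host on the `local` interface can still reach Keycloak directly and present its own forwarded headers, so if that segment is shared, restricting the rule further to the nginx host's address is the next step. The `proxy` setting is deprecated in recent Keycloak releases in favour of `proxy-headers`; worth checking against the version the module deploys.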
|
||||
|
|
|
|||
|
|
@ -3,17 +3,30 @@
|
|||
config,
|
||||
...
|
||||
}: let
|
||||
inherit (lib) mkDefault;
|
||||
inherit (lib.modules) mkIf mkMerge mkDefault;
|
||||
cfg = config.services.vouch-proxy;
|
||||
sopsFile = mkDefault ./secrets/vouch.yaml;
|
||||
enableKeycloak = true;
|
||||
in {
|
||||
services.vouch-proxy = {
|
||||
enable = mkDefault true;
|
||||
domain = mkDefault "login.${config.networking.domain}";
|
||||
settings = {
|
||||
vouch.listen = mkDefault "0.0.0.0";
|
||||
vouch.cookie.secure = mkDefault false;
|
||||
};
|
||||
authUrl = mkIf enableKeycloak (
|
||||
mkDefault "https://sso.${config.networking.domain}/realms/${config.networking.domain}"
|
||||
);
|
||||
settings = mkMerge [
|
||||
{
|
||||
vouch.listen = mkDefault "0.0.0.0";
|
||||
vouch.cookie.secure = mkDefault false;
|
||||
}
|
||||
(mkIf enableKeycloak {
|
||||
oauth = {
|
||||
auth_url = mkDefault "${cfg.authUrl}/protocol/openid-connect/auth";
|
||||
token_url = mkDefault "${cfg.authUrl}/protocol/openid-connect/token";
|
||||
user_info_url = mkDefault "${cfg.authUrl}/protocol/openid-connect/userinfo";
|
||||
};
|
||||
})
|
||||
];
|
||||
enableSettingsSecrets = mkDefault true;
|
||||
extraSettings = {
|
||||
oauth.client_secret._secret = config.sops.secrets.vouch-client-secret.path;
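Review bot: `vouch.cookie.secure = mkDefault false` is carried into the new `mkMerge` block, yet the vouch virtualHosts visible in this commit are TLS-terminated (`forceSSL`/`addSSL` in the nginx hunks) and the SSO endpoints it now talks to are `https://`, so unless plaintext local access to vouch is intended, the session cookie should default to `vouch.cookie.secure = mkDefault true;`. `enableKeycloak = true` is a fixed `let` binding, so the two `mkIf enableKeycloak` guards can never be false; either expose it as an option or drop the guards. The `authUrl` default set here also appears to duplicate the new option default in the first file of this commit (same `https://sso.…/realms/…` string), and keeping only one avoids the two drifting apart. The `extraSettings` attrset continues outside the hunk.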
|
||||
|
|
|
|||
|
|
@ -6,6 +6,7 @@
|
|||
...
|
||||
}: let
|
||||
inherit (lib.modules) mkIf mkMerge;
|
||||
keycloak = access.nixosFor "keycloak";
|
||||
mediabox = access.nixosFor "mediabox";
|
||||
tei = access.nixosFor "tei";
|
||||
inherit (mediabox.services) plex;
|
||||
|
|
@ -158,6 +159,9 @@ in {
|
|||
])
|
||||
];
|
||||
};
|
||||
"sso.${config.networking.domain}" = {
|
||||
inherit (nginx) group;
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx = let
|
||||
|
|
@ -196,6 +200,11 @@ in {
|
|||
url = "http://${mediabox.lib.access.hostnameForNetwork.local}:${toString mediabox.services.invidious.port}";
|
||||
};
|
||||
virtualHosts = {
|
||||
"sso.${config.networking.domain}" = {
|
||||
useACMEHost = "sso.${config.networking.domain}";
|
||||
locations."/".proxyPass = "http://${keycloak.lib.access.hostnameForNetwork.local}:80";
|
||||
forceSSL = true;
|
||||
};
|
||||
${access.kanidm.domain} = {
|
||||
useACMEHost = access.kanidm.domain;
|
||||
};
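Review bot: The new `sso.${config.networking.domain}` virtualHost proxies to Keycloak over plaintext HTTP (`http://…:80` at L470), so user passwords and tokens cross the `local` network unencrypted; that is tolerable only if that segment is trusted, and a comment saying so would help: `# plaintext hop to Keycloak; relies on the local network being trusted`. With Keycloak running as `proxy = "edge"` (keycloak hunk), nginx must forward `X-Forwarded-Proto`, `X-Forwarded-For` and `Host`, otherwise Keycloak is likely to issue `http://` redirects and fail its hostname checks; nothing in this hunk sets those headers, so confirm that `services.nginx.recommendedProxySettings` is enabled elsewhere or add them in `locations."/".extraConfig`. `forceSSL = true` with `useACMEHost` is consistent with the rest of the file. The `virtualHosts` set continues outside the hunk.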
|
||||
|
|
|
|||