feat(vouch): switch to keycloak

arcnmx 2024-03-18 15:34:25 -07:00
parent 88477df521
commit b9cb9dc54d
5 changed files with 38 additions and 18 deletions


@ -21,7 +21,7 @@
}; };
authUrl = mkOption { authUrl = mkOption {
type = str; type = str;
default = "https://id.${networking.domain}"; default = "https://sso.${networking.domain}/realms/${networking.domain}";
}; };
url = mkOption { url = mkOption {
type = str; type = str;
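Review bot: The new `authUrl` default hard-codes the Keycloak realm path into the string but the option still carries no `description`, so a reader cannot tell that the value is meant to be the realm's issuer base onto which the OpenID Connect endpoint paths are appended elsewhere in this commit. Adding `description = "Base URL of the Keycloak realm used as the OpenID Connect issuer; endpoint paths are appended to it.";` next to `default` would document that contract. Note that the realm name is derived from `networking.domain`, so a realm named differently needs an explicit override; the enclosing option set starts and ends outside this hunk.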


@ -40,7 +40,7 @@ in {
then "localhost" then "localhost"
else listen; else listen;
in in
mkOptionDefault "http://${host}:${toString cfg.port}"; mkOptionDefault "http://${host}:${toString cfg.settings.vouch.port}";
}; };
virtualHosts = let virtualHosts = let
locations = { locations = {
@ -68,7 +68,7 @@ in {
}; };
localLocations = kanidmDomain: { localLocations = kanidmDomain: {
"/".extraConfig = '' "/".extraConfig = ''
proxy_redirect $scheme://${nginx.access.kanidm.domain or "id.${networking.domain}"}/ $scheme://${kanidmDomain}/; proxy_redirect $scheme://sso.${networking.domain}/ $scheme://${kanidmDomain}/;
''; '';
}; };
in { in {
@ -76,7 +76,6 @@ in {
local.enable = true; local.enable = true;
locations = mkMerge [ locations = mkMerge [
locations locations
(localLocations nginx.access.kanidm.localDomain or "id.local.${networking.domain}")
]; ];
useACMEHost = mkDefault access.useACMEHost; useACMEHost = mkDefault access.useACMEHost;
forceSSL = true; forceSSL = true;
@ -85,7 +84,6 @@ in {
local.enable = true; local.enable = true;
locations = mkMerge [ locations = mkMerge [
locations locations
(localLocations nginx.access.kanidm.tailDomain or "id.tail.${networking.domain}")
]; ];
useACMEHost = mkDefault access.useACMEHost; useACMEHost = mkDefault access.useACMEHost;
addSSL = mkIf (access.useACMEHost != null) (mkDefault true); addSSL = mkIf (access.useACMEHost != null) (mkDefault true);
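Review bot: `localLocations` in the second hunk is still defined on the new side, but its only two call sites are deleted by the third and fourth hunks (`(localLocations nginx.access.kanidm.localDomain ...)` and the `tailDomain` one), so the binding is now dead code and should be dropped or the removal should be explained in a comment. A side effect of the removal is that the local and tail virtual hosts no longer rewrite `sso.${networking.domain}` redirects back to a local domain, which may be intended but is not stated in the commit message. If the rewrite is kept for some host, the new `proxy_redirect` line hard-codes `sso.${networking.domain}` while the same value is the `authUrl` option default; deriving the host from what appears to be `cfg.authUrl` would keep the two from drifting. The `virtualHosts` set these hunks belong to starts and ends outside the view.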


@ -1,5 +1,5 @@
{config, lib, ...}: let {config, lib, ...}: let
inherit (lib.modules) mkForce; inherit (lib.modules) mkForce;
in { in {
sops.secrets = let sops.secrets = let
commonSecret = { commonSecret = {
@ -9,14 +9,14 @@ in {
in { in {
keycloak_db_password = commonSecret; keycloak_db_password = commonSecret;
}; };
users.users.keycloak = { users.users.keycloak = {
isSystemUser = true; isSystemUser = true;
group = "keycloak"; group = "keycloak";
}; };
networking.firewall.allowedTCPPorts = [ 80 ]; networking.firewall.interfaces.local.allowedTCPPorts = [ 80 ];
users.groups.keycloak = {}; users.groups.keycloak = {};
systemd.services.keycloak.serviceConfig.DynamicUser = mkForce false; systemd.services.keycloak.serviceConfig.DynamicUser = mkForce false;
services.keycloak = { services.keycloak = {
enable = true; enable = true;
@ -29,8 +29,8 @@ systemd.services.keycloak.serviceConfig.DynamicUser = mkForce false;
}; };
settings = { settings = {
hostname = "sso.gensokyo.zone"; hostname = "sso.${config.networking.domain}";
proxy = "edge"; proxy = "edge";
}; };
}; };
} }
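Review bot: The firewall line in the second hunk narrows port 80 to the `local` interface, which is an improvement, but with `proxy = "edge";` retained in the last hunk Keycloak serves plaintext HTTP and trusts the forwarded headers of whoever connects, so every host on that interface can still reach it directly rather than only the nginx front end. The trust assumption deserves to be written down next to the firewall rule, e.g. `# plaintext listener that trusts X-Forwarded-* (proxy = "edge"); only the nginx front end should be able to reach it`, and narrowed to the proxy's address if the surrounding access layer allows it. If the Keycloak version in use is 24 or newer, the `proxy` option is deprecated in favour of `proxy-headers`, so the setting may need revisiting when the package is bumped. `hostname = "sso.${config.networking.domain}"` now matches the nginx vhost added elsewhere in this commit, which is consistent.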


@ -3,17 +3,30 @@
config, config,
... ...
}: let }: let
inherit (lib) mkDefault; inherit (lib.modules) mkIf mkMerge mkDefault;
cfg = config.services.vouch-proxy; cfg = config.services.vouch-proxy;
sopsFile = mkDefault ./secrets/vouch.yaml; sopsFile = mkDefault ./secrets/vouch.yaml;
enableKeycloak = true;
in { in {
services.vouch-proxy = { services.vouch-proxy = {
enable = mkDefault true; enable = mkDefault true;
domain = mkDefault "login.${config.networking.domain}"; domain = mkDefault "login.${config.networking.domain}";
settings = { authUrl = mkIf enableKeycloak (
vouch.listen = mkDefault "0.0.0.0"; mkDefault "https://sso.${config.networking.domain}/realms/${config.networking.domain}"
vouch.cookie.secure = mkDefault false; );
}; settings = mkMerge [
{
vouch.listen = mkDefault "0.0.0.0";
vouch.cookie.secure = mkDefault false;
}
(mkIf enableKeycloak {
oauth = {
auth_url = mkDefault "${cfg.authUrl}/protocol/openid-connect/auth";
token_url = mkDefault "${cfg.authUrl}/protocol/openid-connect/token";
user_info_url = mkDefault "${cfg.authUrl}/protocol/openid-connect/userinfo";
};
})
];
enableSettingsSecrets = mkDefault true; enableSettingsSecrets = mkDefault true;
extraSettings = { extraSettings = {
oauth.client_secret._secret = config.sops.secrets.vouch-client-secret.path; oauth.client_secret._secret = config.sops.secrets.vouch-client-secret.path;
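Review bot: `enableKeycloak = true;` is a fixed `let` binding, so the two `mkIf enableKeycloak` guards below it can never be false from outside this file; either make it a module option or drop the guards, and in any case add a comment saying what the toggle is for. The `authUrl = mkIf enableKeycloak (mkDefault "https://sso.${...}/realms/${...}")` definition repeats the string that is already the option's default in this commit, so one of the two places should own it. The three `oauth.*_url` values are built from `cfg.authUrl` with Keycloak's `/protocol/openid-connect/{auth,token,userinfo}` paths; a short comment such as `# Keycloak realm OIDC endpoints, relative to authUrl` would make that dependency explicit. Unrelated to this change, the context line `vouch.cookie.secure = mkDefault false;` still ships the session cookie without the Secure flag unless a host overrides it. The `services.vouch-proxy` set continues past the hunk.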


@ -6,6 +6,7 @@
... ...
}: let }: let
inherit (lib.modules) mkIf mkMerge; inherit (lib.modules) mkIf mkMerge;
keycloak = access.nixosFor "keycloak";
mediabox = access.nixosFor "mediabox"; mediabox = access.nixosFor "mediabox";
tei = access.nixosFor "tei"; tei = access.nixosFor "tei";
inherit (mediabox.services) plex; inherit (mediabox.services) plex;
@ -158,6 +159,9 @@ in {
]) ])
]; ];
}; };
"sso.${config.networking.domain}" = {
inherit (nginx) group;
};
}; };
services.nginx = let services.nginx = let
@ -196,6 +200,11 @@ in {
url = "http://${mediabox.lib.access.hostnameForNetwork.local}:${toString mediabox.services.invidious.port}"; url = "http://${mediabox.lib.access.hostnameForNetwork.local}:${toString mediabox.services.invidious.port}";
}; };
virtualHosts = { virtualHosts = {
"sso.${config.networking.domain}" = {
useACMEHost = "sso.${config.networking.domain}";
locations."/".proxyPass = "http://${keycloak.lib.access.hostnameForNetwork.local}:80";
forceSSL = true;
};
${access.kanidm.domain} = { ${access.kanidm.domain} = {
useACMEHost = access.kanidm.domain; useACMEHost = access.kanidm.domain;
}; };
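Review bot: The new `sso.${config.networking.domain}` vhost in the last hunk uses a bare `locations."/".proxyPass` with no `proxy_set_header` lines; Keycloak's edge proxy mode relies on `Host`, `X-Forwarded-Proto` and `X-Forwarded-For` from the front end to build `https://` issuer and redirect URLs, so unless `recommendedProxySettings` is enabled elsewhere in this nginx config (not visible here) the realm will advertise plain-http endpoints. The upstream is plaintext `:80` on the local network, which is exactly the hop `proxy = "edge"` assumes; a comment like `# plaintext upstream: Keycloak runs with proxy = "edge" and trusts this hop` keeps that pairing explicit for the next reader. The ACME entry added in the second hunk matches the `useACMEHost` name here, which is consistent. `virtualHosts` continues past the hunk.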