gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 04:19:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(grocy): vouch reverse-proxy auth

Browse source
This commit is contained in:
arcnmx 2024-03-20 12:54:08 -07:00
parent c27a8da537
commit bae4f32eff
7 changed files with 388 additions and 68 deletions
Download patch file Download diff file Expand all files Collapse all files

113
modules/nixos/nginx/lua.nix Normal file
View file

@ -0,0 +1,113 @@
{pkgs, config, lib, ...}: let
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkMerge mkAfter mkOptionDefault;
inherit (lib.strings) hasPrefix;
inherit (lib.attrsets) mapAttrsToList;
inherit (config.services.nginx) lua;
cfg = lua;
enabled = cfg.http.enable || cfg.upstream.enable;
luaPkgPath = pkg: "${pkg.lib or pkg}/lib/lua/${pkgs.luajit_openresty.luaversion}/?.lua";
luaModule = {config, ...}: let
cfg = config.lua;
mkSetBy = var: value:
if hasPrefix "/" "${value}" then "set_by_lua_file \$${var} ${value};"
else ''
set_by_lua_block ''$${var} {
${value}
}
'';
in {
options.lua = with lib.types; {
access = {
block = mkOption {
type = lines;
default = "";
};
files = mkOption {
type = listOf path;
default = [ ];
};
};
set = mkOption {
type = attrsOf (either path lines);
default = { };
};
};
config = {
extraConfig = mkMerge [
(mkIf (cfg.access.block != "") (assert lua.http.enable; ''
access_by_lua_block {
${cfg.access.block}
}
''))
(mkIf (cfg.access.files != [ ]) (assert lua.http.enable; mkMerge (
map (file: "access_by_lua_file ${file};") cfg.access.files
)))
(mkIf (cfg.set != { }) (assert lua.http.enable && lua.ndk.enable; mkMerge (
mapAttrsToList mkSetBy cfg.set
)))
];
};
};
locationModule = {config, ...}: {
imports = [ luaModule ];
};
hostModule = {config, ...}: {
imports = [ luaModule ];
options = with lib.types; {
locations = mkOption {
type = attrsOf (submoduleWith {
modules = [ locationModule ];
shorthandOnlyDefinesConfig = true;
});
};
};
};
in {
options.services.nginx = with lib.types; {
lua = {
ndk.enable = mkEnableOption "ngx_devel_kit";
http.enable = mkEnableOption "ngx_http_lua_module";
upstream.enable = mkEnableOption "ngx_http_lua_upstream";
luaPackage = mkOption {
type = package;
default = pkgs.luajit_openresty;
readOnly = true;
};
modules = mkOption {
type = listOf package;
};
luaPath = mkOption {
type = separatedString ";";
};
};
virtualHosts = mkOption {
type = attrsOf (submoduleWith {
modules = [ hostModule ];
shorthandOnlyDefinesConfig = true;
});
};
};
config = {
services.nginx = {
lua = {
modules = [
cfg.luaPackage.pkgs.lua-resty-core
] ++ cfg.luaPackage.pkgs.lua-resty-core.propagatedBuildInputs;
luaPath = mkMerge (
map luaPkgPath cfg.modules
++ [ (mkAfter ";") ]
);
};
additionalModules = mkMerge [
(mkIf cfg.ndk.enable [ pkgs.nginxModules.develkit ])
(mkIf cfg.http.enable [ pkgs.nginxModules.lua ])
(mkIf cfg.upstream.enable [ pkgs.nginxModules.lua-upstream ])
];
};
systemd.services.nginx = mkIf config.services.nginx.enable {
environment.LUA_PATH = mkIf enabled (mkOptionDefault cfg.luaPath);
};
};
}

213
modules/nixos/nginx/vouch.nix
View file

@ -1,38 +1,55 @@
{
pkgs,
config,
lib,
...
}: let
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkMerge mkBefore mkDefault;
inherit (lib.modules) mkIf mkMerge mkBefore mkAfter mkOptionDefault mkOverride;
inherit (lib.attrsets) mapAttrsToList;
inherit (lib.strings) toLower replaceStrings concatStringsSep;
inherit (config) networking;
inherit (config.services) vouch-proxy nginx tailscale;
inherit (nginx) vouch;
mkAlmostOptionDefault = mkOverride 1250;
locationModule = {config, virtualHost, ...}: {
options.vouch = with lib.types; {
requireAuth = mkEnableOption "require auth to access this location";
setProxyHeader = mkOption {
type = bool;
default = false;
description = "proxy_set_header X-Vouch-User";
};
};
config = mkIf config.vouch.requireAuth {
proxied.xvars.enable = true;
config = let
enableVouchLocal = vouch.localSso.enable && config.local.enable;
enableVouchTail = enableVouchLocal && tailscale.enable;
allowOrigin = url: "add_header Access-Control-Allow-Origin ${url};";
in mkIf config.vouch.requireAuth {
lua = mkIf virtualHost.vouch.auth.lua.enable {
access.block = mkMerge [
(mkBefore virtualHost.vouch.auth.lua.accessRequest)
(mkBefore virtualHost.vouch.auth.lua.accessVariables)
(mkBefore virtualHost.vouch.auth.lua.accessLogic)
];
};
proxied.xvars.enable = mkIf (enableVouchTail || virtualHost.vouch.auth.lua.enable) true;
extraConfig = assert virtualHost.vouch.enable; mkMerge [
''
add_header Access-Control-Allow-Origin ${vouch.url};
add_header Access-Control-Allow-Origin ${vouch.authUrl};
''
(mkIf (vouch.localSso.enable && config.local.enable) ''
add_header Access-Control-Allow-Origin ${vouch.localUrl};
'')
(mkIf (vouch.localSso.enable && config.local.enable && tailscale.enable) ''
add_header Access-Control-Allow-Origin $x_scheme://${vouch.tailDomain};
'')
''
(mkIf (!virtualHost.vouch.requireAuth) virtualHost.vouch.auth.requestDirective)
(allowOrigin vouch.url)
(allowOrigin vouch.authUrl)
(mkIf enableVouchLocal (allowOrigin vouch.localUrl))
(mkIf enableVouchTail (allowOrigin "$x_scheme://${vouch.tailDomain}"))
(mkIf config.vouch.setProxyHeader ''
proxy_set_header X-Vouch-User $auth_resp_x_vouch_user;
''
'')
];
};
};
hostModule = {config, ...}: let
cfg = config.vouch;
mkHeaderVar = header: toLower (replaceStrings [ "-" ] [ "_" ] header);
mkUpstreamVar = header: "\$upstream_http_${mkHeaderVar header}";
in {
options = with lib.types; {
locations = mkOption {
@ -43,57 +60,125 @@
requireAuth = mkEnableOption "require auth to access this host" // {
default = true;
};
errorLocation = mkOption {
type = str;
default = "@error401";
};
authRequestLocation = mkOption {
type = str;
default = "/validate";
};
authRequestDirective = mkOption {
type = lines;
default = ''
auth_request ${cfg.authRequestLocation};
'';
auth = {
lua = {
enable = mkEnableOption "lua";
accessRequest = mkOption {
type = lines;
default = ''
ngx.ctx.auth_res = ngx.location.capture("${cfg.auth.requestLocation}")
'';
};
accessVariables = mkOption {
type = lines;
};
accessLogic = mkOption {
type = lines;
};
};
errorLocation = mkOption {
type = nullOr str;
default = "@error401";
};
requestLocation = mkOption {
type = str;
default = "/validate";
};
requestDirective = mkOption {
type = lines;
default = ''
auth_request ${cfg.auth.requestLocation};
'';
};
variables = mkOption {
type = attrsOf str;
default = {
auth_resp_x_vouch_user = "X-Vouch-User";
auth_resp_jwt = "X-Vouch-Token";
auth_resp_err = "X-Vouch-Error";
auth_resp_success = "X-Vouch-Success";
auth_resp_redirect = "X-Vouch-Requested-URI";
};
};
};
};
};
config = {
extraConfig = mkIf (cfg.enable && cfg.requireAuth) ''
${cfg.authRequestDirective}
error_page 401 = ${cfg.errorLocation};
'';
vouch.auth = {
lua = {
accessLogic = mkOptionDefault (mkAfter ''
if ngx.ctx.auth_res ~= nil and ngx.ctx.auth_res.status == ngx.HTTP_UNAUTHORIZED then
local vouch_url = ngx.var["vouch_url"] or "${vouch.url}"
local query_args = ngx.encode_args {
url = string.format("%s://%s%s", ngx.var.x_scheme, ngx.var.x_forwarded_host, ngx.var.request_uri),
["X-Vouch-Token"] = ngx.ctx.auth_res.header["X-Vouch-Token"] or "",
error = ngx.ctx.auth_res.header["X-Vouch-Error"] or "",
-- ["vouch-failcount"] is now a session variable and shouldn't be needed anymore
}
return ngx.redirect(string.format("%s/login?%s", vouch_url, query_args), ngx.HTTP_MOVED_TEMPORARILY)
end
if ngx.ctx.auth_res ~= nil and ngx.ctx.auth_res.status == ngx.HTTP_FORBIDDEN or ngx.ctx.auth_res.status == ngx.HTTP_UNAUTHORIZED then
return ngx.exit(ngx.ctx.auth_res.status)
end
if ngx.ctx.auth_res ~= nil and ngx.ctx.auth_res.status ~= ngx.HTTP_OK then
return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end
'');
accessVariables = mkMerge (mapAttrsToList (authVar: header: mkOptionDefault
''ngx.var["${authVar}"] = ngx.ctx.auth_res.header["${header}"] or ""''
) cfg.auth.variables);
};
errorLocation = mkIf cfg.auth.lua.enable (mkAlmostOptionDefault null);
requestDirective = mkIf cfg.auth.lua.enable (mkAlmostOptionDefault "");
};
lua = mkIf (cfg.requireAuth && cfg.auth.lua.enable) {
access.block = mkMerge [
(mkBefore cfg.auth.lua.accessRequest)
(mkBefore cfg.auth.lua.accessVariables)
(mkBefore cfg.auth.lua.accessLogic)
];
};
extraConfig = let
localVouchUrl = ''
if ($x_forwarded_host ~ "\.local\.${networking.domain}$") {
set $vouch_url ${vouch.localUrl};
}
'';
tailVouchUrl = ''
if ($x_forwarded_host ~ "\.tail\.${networking.domain}$") {
set $vouch_url $x_scheme://${vouch.tailDomain};
}
'';
setVouchUrl = [
(mkBefore ''
set $vouch_url ${vouch.url};
'')
(mkIf (vouch.localSso.enable && config.local.enable or false) localVouchUrl)
(mkIf (vouch.localSso.enable && config.local.enable or false && tailscale.enable) tailVouchUrl)
];
in mkIf cfg.enable (mkMerge (
[
(mkIf (cfg.requireAuth) (mkBefore cfg.auth.requestDirective))
(mkIf (cfg.auth.errorLocation != null) "error_page 401 = ${cfg.auth.errorLocation};")
] ++ setVouchUrl
++ mapAttrsToList (authVar: header: mkIf (!cfg.auth.lua.enable) (
mkBefore "auth_request_set \$${authVar} ${mkUpstreamVar header};"
)) cfg.auth.variables
));
proxied.xvars.enable = mkIf cfg.enable true;
locations = mkIf cfg.enable {
"/" = mkIf cfg.requireAuth {
vouch.requireAuth = true;
vouch.requireAuth = mkAlmostOptionDefault true;
};
${cfg.errorLocation} = {
${cfg.auth.errorLocation} = mkIf (cfg.auth.errorLocation != null) {
proxied.xvars.enable = true;
extraConfig = let
localVouchUrl = ''
if ($x_forwarded_host ~ "\.local\.${networking.domain}$") {
set $vouch_url ${vouch.localUrl};
}
'';
tailVouchUrl = ''
if ($x_forwarded_host ~ "\.tail\.${networking.domain}$") {
set $vouch_url $x_scheme://${vouch.tailDomain};
}
'';
in
mkMerge [
(mkBefore ''
set $vouch_url ${vouch.url};
'')
(mkIf (vouch.localSso.enable && config.local.enable or false) localVouchUrl)
(mkIf (vouch.localSso.enable && config.local.enable or false && tailscale.enable) tailVouchUrl)
''
return 302 $vouch_url/login?url=$x_scheme://$x_forwarded_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
''
];
extraConfig = ''
return 302 $vouch_url/login?url=$x_scheme://$x_forwarded_host$request_uri&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
'';
};
${cfg.authRequestLocation} = {
${cfg.auth.requestLocation} = {
proxyPass = "${vouch.proxyOrigin}/validate";
proxy.headers.enableRecommended = true;
extraConfig = let
@ -105,10 +190,6 @@
set $x_proxy_host ${vouchProxyHost};
proxy_pass_request_body off;
proxy_set_header Content-Length "";
auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
'';
};
};
@ -157,7 +238,7 @@ in {
vouch = mkMerge [
{
proxyOrigin = mkIf (tailscale.enable && !vouch-proxy.enable) (
mkDefault "http://login.tail.${networking.domain}"
mkAlmostOptionDefault "http://login.tail.${networking.domain}"
);
}
(mkIf vouch-proxy.enable {
@ -168,10 +249,10 @@ in {
then "localhost"
else listen;
in
mkDefault "http://${host}:${toString port}";
authUrl = mkDefault vouch-proxy.authUrl;
url = mkDefault vouch-proxy.url;
doubleProxy = mkDefault false;
mkAlmostOptionDefault "http://${host}:${toString port}";
authUrl = mkAlmostOptionDefault vouch-proxy.authUrl;
url = mkAlmostOptionDefault vouch-proxy.url;
doubleProxy = mkAlmostOptionDefault false;
})
];
};