refactor(idp): access updates

This commit is contained in:
arcnmx 2024-03-21 17:18:32 -07:00
parent f1639f78c5
commit c3892e11f4
3 changed files with 73 additions and 81 deletions


@ -27,6 +27,12 @@
includeTailscale = mkOption { includeTailscale = mkOption {
type = bool; type = bool;
}; };
localName = mkOption {
type = nullOr str;
};
tailscaleName = mkOption {
type = nullOr str;
};
}; };
allServerNames = mkOption { allServerNames = mkOption {
type = listOf str; type = listOf str;
@ -42,6 +48,14 @@
includeTailscale = mkOptionDefault ( includeTailscale = mkOptionDefault (
config.local.enable && tailscale.enable && cfg.qualifier != "tail" config.local.enable && tailscale.enable && cfg.qualifier != "tail"
); );
localName = mkOptionDefault (
if cfg.includeLocal then "${cfg.shortServer}.local.${networking.domain}"
else null
);
tailscaleName = mkOptionDefault (
if cfg.includeTailscale then "${cfg.shortServer}.tail.${networking.domain}"
else null
);
}; };
serverName = mkIf (cfg.shortServer != null) (mkDefault ( serverName = mkIf (cfg.shortServer != null) (mkDefault (
cfg.shortServer cfg.shortServer
@ -49,8 +63,8 @@
+ ".${networking.domain}" + ".${networking.domain}"
)); ));
serverAliases = mkIf (cfg.shortServer != null) (mkDefault [ serverAliases = mkIf (cfg.shortServer != null) (mkDefault [
(mkIf cfg.includeLocal "${cfg.shortServer}.local.${networking.domain}") (mkIf (cfg.localName != null) cfg.localName)
(mkIf cfg.includeTailscale "${cfg.shortServer}.tail.${networking.domain}") (mkIf (cfg.tailscaleName != null) cfg.tailscaleName)
]); ]);
allServerNames = mkOptionDefault ( allServerNames = mkOptionDefault (
[ config.serverName ] ++ config.serverAliases [ config.serverName ] ++ config.serverAliases
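Review bot: The new `localName` default in the second hunk (`@ -42,6 +48,14 @@`) interpolates `cfg.shortServer` whenever `cfg.includeLocal` is true, yet `serverName` and `serverAliases` just below still guard on `cfg.shortServer != null`, so a vhost with `includeLocal` set and no `shortServer` now fails evaluation with a null-to-string coercion as soon as `localName` (or `allServerNames`, which the ACME config reads) is forced, where previously the alias string only existed inside the `mkIf` guard. `if cfg.includeLocal && cfg.shortServer != null then "${cfg.shortServer}.local.${networking.domain}" else null` keeps the old behaviour, and the same applies to `tailscaleName`. Note also that `serverAliases` now keys on `localName != null` rather than on `includeLocal`, so an explicitly set `localName` is emitted even when `includeLocal = false`; if that is intended it deserves a `description` on the two new options, since both names end up in `server_name` and in certificate SANs. The `includeLocal` default is outside the hunk, so whether that combination arises by default cannot be confirmed from here.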


@ -45,8 +45,9 @@ let
''; '';
}; };
}; };
locations = locations' access.domain; locations = locations' virtualHosts.freeipa.serverName;
caLocations = locations' access.caDomain; caLocations = locations' virtualHosts.freeipa'ca.serverName;
kTLS = mkDefault true;
in { in {
imports = let imports = let
inherit (meta) nixos; inherit (meta) nixos;
@ -96,26 +97,6 @@ in {
scheme = if access.port == 443 then "https" else "http"; scheme = if access.port == 443 then "https" else "http";
in "${scheme}://${access.host}:${toString access.port}"; in "${scheme}://${access.host}:${toString access.port}";
}; };
domain = mkOption {
type = str;
default = "idp.${config.networking.domain}";
};
caDomain = mkOption {
type = str;
default = "idp-ca.${config.networking.domain}";
};
globalDomain = mkOption {
type = str;
default = "freeipa.${config.networking.domain}";
};
localDomain = mkOption {
type = str;
default = "freeipa.local.${config.networking.domain}";
};
tailDomain = mkOption {
type = str;
default = "freeipa.tail.${config.networking.domain}";
};
port = mkOption { port = mkOption {
type = port; type = port;
default = 443; default = 443;
@ -124,10 +105,6 @@ in {
type = port; type = port;
default = 636; default = 636;
}; };
useACMEHost = mkOption {
type = nullOr str;
default = virtualHosts.${access.domain}.useACMEHost;
};
}; };
config = { config = {
services.nginx = { services.nginx = {
@ -136,7 +113,7 @@ in {
host = mkDefault access.host; host = mkDefault access.host;
port = mkDefault 389; port = mkDefault 389;
sslPort = mkDefault access.ldapPort; sslPort = mkDefault access.ldapPort;
useACMEHost = mkDefault access.useACMEHost; useACMEHost = mkDefault virtualHosts.freeipa.ssl.cert.name;
bind.sslPort = mkIf access.preread.enable (mkDefault access.preread.ldapPort); bind.sslPort = mkIf access.preread.enable (mkDefault access.preread.ldapPort);
}; };
resolver.addresses = mkIf access.preread.enable (mkMerge [ resolver.addresses = mkIf access.preread.enable (mkMerge [
@ -173,8 +150,8 @@ in {
} }
map $ssl_preread_server_name $ssl_server_name { map $ssl_preread_server_name $ssl_server_name {
hostnames; hostnames;
${access.domain} ${upstreams.freeipa}; ${virtualHosts.freeipa.serverName} ${upstreams.freeipa};
${access.caDomain} ${upstreams.freeipa}; ${virtualHosts.freeipa'ca.serverName} ${upstreams.freeipa};
${nginx.access.ldap.domain} ${upstreams.ldap}; ${nginx.access.ldap.domain} ${upstreams.ldap};
${nginx.access.ldap.localDomain} ${upstreams.ldap}; ${nginx.access.ldap.localDomain} ${upstreams.ldap};
${nginx.access.ldap.tailDomain} ${upstreams.ldap}; ${nginx.access.ldap.tailDomain} ${upstreams.ldap};
@ -195,7 +172,7 @@ in {
map $ssl_preread_server_name $ldap_upstream { map $ssl_preread_server_name $ldap_upstream {
hostnames; hostnames;
${access.domain} ${upstreams.ldap_freeipa}; ${virtualHosts.freeipa.serverName} ${upstreams.ldap_freeipa};
default ${upstreams.ldap}; default ${upstreams.ldap};
} }
@ -231,48 +208,51 @@ in {
(mkIf access.preread.enable preread) (mkIf access.preread.enable preread)
(mkIf access.kerberos.enable kerberos) (mkIf access.kerberos.enable kerberos)
]; ];
virtualHosts = { virtualHosts = let
${access.domain} = { name.shortServer = mkDefault "freeipa";
inherit locations extraConfig; in {
inherit (access) useACMEHost; freeipa = {
forceSSL = mkDefault (access.useACMEHost != null); name.shortServer = mkDefault "idp";
inherit locations extraConfig kTLS;
ssl.force = mkDefault true;
}; };
${access.globalDomain} = { freeipa'web = {
inherit locations extraConfig; ssl = {
inherit (access) useACMEHost; force = mkDefault virtualHosts.freeipa.ssl.force;
forceSSL = mkDefault (access.useACMEHost != null || virtualHosts.${access.domain}.forceSSL); cert.copyFromVhost = "freeipa";
};
inherit name locations extraConfig kTLS;
}; };
${access.caDomain} = { freeipa'ca = {
name.shortServer = mkDefault "idp-ca";
locations = caLocations; locations = caLocations;
inherit extraConfig; ssl = {
inherit (access) useACMEHost; force = mkDefault virtualHosts.freeipa.ssl.force;
forceSSL = mkDefault (access.useACMEHost != null || virtualHosts.${access.domain}.forceSSL); cert.copyFromVhost = "freeipa";
};
inherit extraConfig kTLS;
}; };
${access.localDomain} = { freeipa'web'local = {
inherit (virtualHosts.${access.domain}) useACMEHost; ssl.cert.copyFromVhost = "freeipa'web";
addSSL = mkDefault (access.useACMEHost != null || virtualHosts.${access.domain}.forceSSL);
local.enable = true; local.enable = true;
inherit locations; inherit name locations kTLS;
}; };
${access.tailDomain} = mkIf tailscale.enable { freeipa'ldap = {
inherit (virtualHosts.${access.domain}) useACMEHost; serverName = mkDefault ldap.domain;
addSSL = mkDefault (access.useACMEHost != null || virtualHosts.${access.domain}.forceSSL); ssl.cert.copyFromVhost = "freeipa";
local.enable = true; globalRedirect = virtualHosts.freeipa'web.serverName;
inherit locations;
}; };
${ldap.domain} = { config, ... }: { freeipa'ldap'local = {
useACMEHost = mkDefault virtualHosts.${access.domain}.useACMEHost; serverName = mkDefault ldap.localDomain;
addSSL = mkDefault (config.useACMEHost != null); ssl.cert.copyFromVhost = "freeipa'ldap";
globalRedirect = access.domain; globalRedirect = virtualHosts.freeipa'web'local.serverName;
};
${ldap.localDomain} = {
inherit (virtualHosts.${ldap.domain}) useACMEHost addSSL;
globalRedirect = access.localDomain;
local.enable = true; local.enable = true;
}; };
${ldap.tailDomain} = mkIf tailscale.enable { freeipa'ldap'tail = {
inherit (virtualHosts.${ldap.domain}) useACMEHost addSSL; enable = mkDefault tailscale.enable;
globalRedirect = access.tailDomain; serverName = mkDefault ldap.tailDomain;
ssl.cert.copyFromVhost = "freeipa'ldap'local";
globalRedirect = virtualHosts.freeipa'web'local.name.tailscaleName;
local.enable = true; local.enable = true;
}; };
}; };
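Review bot: The `$ssl_server_name` map in the `@ -173,8 +150,8 @@` hunk now routes the web and CA names via `virtualHosts.freeipa.serverName` and `virtualHosts.freeipa'ca.serverName`, but the three LDAP entries directly below it still hardcode `nginx.access.ldap.domain`, `localDomain` and `tailDomain`, while the new `freeipa'ldap*` vhosts in the last hunk only take those values with `mkDefault`. An override of `virtualHosts.freeipa'ldap.serverName` would therefore change the vhost but leave SNI preread routing pointed at the old name; the entries should read `${virtualHosts.freeipa'ldap.serverName} ${upstreams.ldap};` and likewise for the `'local` and `'tail` vhosts. Separately, `freeipa'ldap'tail.globalRedirect` is taken from `freeipa'web'local.name.tailscaleName`, which is `nullOr str` and null when tailscale is off; the vhost is disabled by default in that case, but an explicit `enable = true` would produce a host with neither redirect nor locations, so guarding with `mkIf (virtualHosts.freeipa'web'local.name.tailscaleName != null)` would make that explicit. The `freeipa'ldap` vhost also drops the old `addSSL`, and whether `ssl.cert.copyFromVhost` alone still yields a TLS listener is not visible here; the enclosing `services.nginx` attribute set continues beyond the hunk.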


@ -67,14 +67,14 @@ in {
}; };
security.acme.certs = let security.acme.certs = let
inherit (nginx) access virtualHosts; inherit (nginx) virtualHosts;
in { in {
hakurei = { hakurei = {
inherit (nginx) group; inherit (nginx) group;
domain = config.networking.fqdn; domain = config.networking.fqdn;
extraDomainNames = [ extraDomainNames = [
config.lib.access.hostnameForNetwork.local access.hostnameForNetwork.local
(mkIf config.services.tailscale.enable config.lib.access.hostnameForNetwork.tail) (mkIf config.services.tailscale.enable access.hostnameForNetwork.tail)
]; ];
}; };
sso = { sso = {
@ -126,20 +126,16 @@ in {
virtualHosts.unifi'local.allServerNames virtualHosts.unifi'local.allServerNames
]; ];
}; };
${access.freeipa.domain} = { idp = {
inherit (nginx) group; inherit (nginx) group;
domain = virtualHosts.freeipa.serverName;
extraDomainNames = mkMerge [ extraDomainNames = mkMerge [
[ virtualHosts.freeipa.serverAliases
access.freeipa.localDomain virtualHosts.freeipa'web.allServerNames
access.freeipa.caDomain virtualHosts.freeipa'web'local.allServerNames
access.freeipa.globalDomain virtualHosts.freeipa'ldap.allServerNames
access.ldap.domain virtualHosts.freeipa'ldap'local.allServerNames
access.ldap.localDomain (mkIf virtualHosts.freeipa'ldap'tail.enable virtualHosts.freeipa'ldap'tail.allServerNames)
]
(mkIf tailscale.enable [
access.freeipa.tailDomain
access.ldap.tailDomain
])
]; ];
}; };
pbx = { pbx = {
@ -199,7 +195,6 @@ in {
host = tei.lib.access.hostnameForNetwork.local; host = tei.lib.access.hostnameForNetwork.local;
}; };
access.freeipa = { access.freeipa = {
useACMEHost = access.freeipa.domain;
host = "idp.local.${config.networking.domain}"; host = "idp.local.${config.networking.domain}";
kerberos.ports.kpasswd = 464; kerberos.ports.kpasswd = 464;
}; };
@ -209,6 +204,9 @@ in {
virtualHosts = { virtualHosts = {
fallback.ssl.cert.name = "hakurei"; fallback.ssl.cert.name = "hakurei";
gensokyoZone.proxied.enable = "cloudflared"; gensokyoZone.proxied.enable = "cloudflared";
freeipa = {
ssl.cert.enable = true;
};
keycloak = { keycloak = {
# we're not the real sso record-holder, so don't respond globally.. # we're not the real sso record-holder, so don't respond globally..
local.denyGlobal = true; local.denyGlobal = true;
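Review bot: The `idp` certificate in the `@ -126,20 +126,16 @@` hunk no longer covers the CA name: the old `extraDomainNames` listed `access.freeipa.caDomain`, but the new list collects `allServerNames` for the `freeipa'web*` and `freeipa'ldap*` vhosts only, while `freeipa'ca` (whose `ssl.cert.copyFromVhost = "freeipa"` points at this very certificate) is absent. Unless the vhost module adds `copyFromVhost` consumers to the SAN list somewhere not shown, clients reaching the CA host name will be presented with a certificate that does not match it; adding `virtualHosts.freeipa'ca.allServerNames` to the `mkMerge` list restores the previous coverage. The first hunk replaces `config.lib.access.hostnameForNetwork` with a bare `access` after dropping `access` from the `inherit (nginx)` line, so that binding must now come from an enclosing scope that is not visible here and is worth confirming. The `security.acme.certs` attribute set continues beyond the hunk.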