refactor(idp): access updates
This commit is contained in:
parent
f1639f78c5
commit
c3892e11f4
3 changed files with 73 additions and 81 deletions
|
|
@ -27,6 +27,12 @@
|
|||
includeTailscale = mkOption {
|
||||
type = bool;
|
||||
};
|
||||
localName = mkOption {
|
||||
type = nullOr str;
|
||||
};
|
||||
tailscaleName = mkOption {
|
||||
type = nullOr str;
|
||||
};
|
||||
};
|
||||
allServerNames = mkOption {
|
||||
type = listOf str;
|
||||
|
|
@ -42,6 +48,14 @@
|
|||
includeTailscale = mkOptionDefault (
|
||||
config.local.enable && tailscale.enable && cfg.qualifier != "tail"
|
||||
);
|
||||
localName = mkOptionDefault (
|
||||
if cfg.includeLocal then "${cfg.shortServer}.local.${networking.domain}"
|
||||
else null
|
||||
);
|
||||
tailscaleName = mkOptionDefault (
|
||||
if cfg.includeTailscale then "${cfg.shortServer}.tail.${networking.domain}"
|
||||
else null
|
||||
);
|
||||
};
|
||||
serverName = mkIf (cfg.shortServer != null) (mkDefault (
|
||||
cfg.shortServer
|
||||
|
|
@ -49,8 +63,8 @@
|
|||
+ ".${networking.domain}"
|
||||
));
|
||||
serverAliases = mkIf (cfg.shortServer != null) (mkDefault [
|
||||
(mkIf cfg.includeLocal "${cfg.shortServer}.local.${networking.domain}")
|
||||
(mkIf cfg.includeTailscale "${cfg.shortServer}.tail.${networking.domain}")
|
||||
(mkIf (cfg.localName != null) cfg.localName)
|
||||
(mkIf (cfg.tailscaleName != null) cfg.tailscaleName)
|
||||
]);
|
||||
allServerNames = mkOptionDefault (
|
||||
[ config.serverName ] ++ config.serverAliases
|
||||
|
|
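Review bot: An explicitly set `localName` or `tailscaleName` is appended to `serverAliases` unconditionally (the guard at `(mkIf (cfg.localName != null) cfg.localName)` checks only for null), so once a name is given, `includeLocal = false` / `includeTailscale = false` no longer suppresses the alias, and everything that consumes `allServerNames` (the ACME `extraDomainNames` lists in this commit's host config appear to) will request a certificate containing it. That is probably intended, but neither new option carries a `description`, so the coupling is invisible at the option level; I would add `description = "Local-network alias. When set it is always added to serverAliases and allServerNames, regardless of includeLocal.";` and the Tailscale counterpart. The surrounding `options`/`config` attribute sets begin before the first hunk and end after the last.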
|
|||
|
|
@ -45,8 +45,9 @@ let
|
|||
'';
|
||||
};
|
||||
};
|
||||
locations = locations' access.domain;
|
||||
caLocations = locations' access.caDomain;
|
||||
locations = locations' virtualHosts.freeipa.serverName;
|
||||
caLocations = locations' virtualHosts.freeipa'ca.serverName;
|
||||
kTLS = mkDefault true;
|
||||
in {
|
||||
imports = let
|
||||
inherit (meta) nixos;
|
||||
|
|
@ -96,26 +97,6 @@ in {
|
|||
scheme = if access.port == 443 then "https" else "http";
|
||||
in "${scheme}://${access.host}:${toString access.port}";
|
||||
};
|
||||
domain = mkOption {
|
||||
type = str;
|
||||
default = "idp.${config.networking.domain}";
|
||||
};
|
||||
caDomain = mkOption {
|
||||
type = str;
|
||||
default = "idp-ca.${config.networking.domain}";
|
||||
};
|
||||
globalDomain = mkOption {
|
||||
type = str;
|
||||
default = "freeipa.${config.networking.domain}";
|
||||
};
|
||||
localDomain = mkOption {
|
||||
type = str;
|
||||
default = "freeipa.local.${config.networking.domain}";
|
||||
};
|
||||
tailDomain = mkOption {
|
||||
type = str;
|
||||
default = "freeipa.tail.${config.networking.domain}";
|
||||
};
|
||||
port = mkOption {
|
||||
type = port;
|
||||
default = 443;
|
||||
|
|
@ -124,10 +105,6 @@ in {
|
|||
type = port;
|
||||
default = 636;
|
||||
};
|
||||
useACMEHost = mkOption {
|
||||
type = nullOr str;
|
||||
default = virtualHosts.${access.domain}.useACMEHost;
|
||||
};
|
||||
};
|
||||
config = {
|
||||
services.nginx = {
|
||||
|
|
@ -136,7 +113,7 @@ in {
|
|||
host = mkDefault access.host;
|
||||
port = mkDefault 389;
|
||||
sslPort = mkDefault access.ldapPort;
|
||||
useACMEHost = mkDefault access.useACMEHost;
|
||||
useACMEHost = mkDefault virtualHosts.freeipa.ssl.cert.name;
|
||||
bind.sslPort = mkIf access.preread.enable (mkDefault access.preread.ldapPort);
|
||||
};
|
||||
resolver.addresses = mkIf access.preread.enable (mkMerge [
|
||||
|
|
@ -173,8 +150,8 @@ in {
|
|||
}
|
||||
map $ssl_preread_server_name $ssl_server_name {
|
||||
hostnames;
|
||||
${access.domain} ${upstreams.freeipa};
|
||||
${access.caDomain} ${upstreams.freeipa};
|
||||
${virtualHosts.freeipa.serverName} ${upstreams.freeipa};
|
||||
${virtualHosts.freeipa'ca.serverName} ${upstreams.freeipa};
|
||||
${nginx.access.ldap.domain} ${upstreams.ldap};
|
||||
${nginx.access.ldap.localDomain} ${upstreams.ldap};
|
||||
${nginx.access.ldap.tailDomain} ${upstreams.ldap};
|
||||
|
|
@ -195,7 +172,7 @@ in {
|
|||
|
||||
map $ssl_preread_server_name $ldap_upstream {
|
||||
hostnames;
|
||||
${access.domain} ${upstreams.ldap_freeipa};
|
||||
${virtualHosts.freeipa.serverName} ${upstreams.ldap_freeipa};
|
||||
default ${upstreams.ldap};
|
||||
}
|
||||
|
||||
|
|
@ -231,48 +208,51 @@ in {
|
|||
(mkIf access.preread.enable preread)
|
||||
(mkIf access.kerberos.enable kerberos)
|
||||
];
|
||||
virtualHosts = {
|
||||
${access.domain} = {
|
||||
inherit locations extraConfig;
|
||||
inherit (access) useACMEHost;
|
||||
forceSSL = mkDefault (access.useACMEHost != null);
|
||||
virtualHosts = let
|
||||
name.shortServer = mkDefault "freeipa";
|
||||
in {
|
||||
freeipa = {
|
||||
name.shortServer = mkDefault "idp";
|
||||
inherit locations extraConfig kTLS;
|
||||
ssl.force = mkDefault true;
|
||||
};
|
||||
${access.globalDomain} = {
|
||||
inherit locations extraConfig;
|
||||
inherit (access) useACMEHost;
|
||||
forceSSL = mkDefault (access.useACMEHost != null || virtualHosts.${access.domain}.forceSSL);
|
||||
freeipa'web = {
|
||||
ssl = {
|
||||
force = mkDefault virtualHosts.freeipa.ssl.force;
|
||||
cert.copyFromVhost = "freeipa";
|
||||
};
|
||||
${access.caDomain} = {
|
||||
inherit name locations extraConfig kTLS;
|
||||
};
|
||||
freeipa'ca = {
|
||||
name.shortServer = mkDefault "idp-ca";
|
||||
locations = caLocations;
|
||||
inherit extraConfig;
|
||||
inherit (access) useACMEHost;
|
||||
forceSSL = mkDefault (access.useACMEHost != null || virtualHosts.${access.domain}.forceSSL);
|
||||
ssl = {
|
||||
force = mkDefault virtualHosts.freeipa.ssl.force;
|
||||
cert.copyFromVhost = "freeipa";
|
||||
};
|
||||
${access.localDomain} = {
|
||||
inherit (virtualHosts.${access.domain}) useACMEHost;
|
||||
addSSL = mkDefault (access.useACMEHost != null || virtualHosts.${access.domain}.forceSSL);
|
||||
inherit extraConfig kTLS;
|
||||
};
|
||||
freeipa'web'local = {
|
||||
ssl.cert.copyFromVhost = "freeipa'web";
|
||||
local.enable = true;
|
||||
inherit locations;
|
||||
inherit name locations kTLS;
|
||||
};
|
||||
${access.tailDomain} = mkIf tailscale.enable {
|
||||
inherit (virtualHosts.${access.domain}) useACMEHost;
|
||||
addSSL = mkDefault (access.useACMEHost != null || virtualHosts.${access.domain}.forceSSL);
|
||||
local.enable = true;
|
||||
inherit locations;
|
||||
freeipa'ldap = {
|
||||
serverName = mkDefault ldap.domain;
|
||||
ssl.cert.copyFromVhost = "freeipa";
|
||||
globalRedirect = virtualHosts.freeipa'web.serverName;
|
||||
};
|
||||
${ldap.domain} = { config, ... }: {
|
||||
useACMEHost = mkDefault virtualHosts.${access.domain}.useACMEHost;
|
||||
addSSL = mkDefault (config.useACMEHost != null);
|
||||
globalRedirect = access.domain;
|
||||
};
|
||||
${ldap.localDomain} = {
|
||||
inherit (virtualHosts.${ldap.domain}) useACMEHost addSSL;
|
||||
globalRedirect = access.localDomain;
|
||||
freeipa'ldap'local = {
|
||||
serverName = mkDefault ldap.localDomain;
|
||||
ssl.cert.copyFromVhost = "freeipa'ldap";
|
||||
globalRedirect = virtualHosts.freeipa'web'local.serverName;
|
||||
local.enable = true;
|
||||
};
|
||||
${ldap.tailDomain} = mkIf tailscale.enable {
|
||||
inherit (virtualHosts.${ldap.domain}) useACMEHost addSSL;
|
||||
globalRedirect = access.tailDomain;
|
||||
freeipa'ldap'tail = {
|
||||
enable = mkDefault tailscale.enable;
|
||||
serverName = mkDefault ldap.tailDomain;
|
||||
ssl.cert.copyFromVhost = "freeipa'ldap'local";
|
||||
globalRedirect = virtualHosts.freeipa'web'local.name.tailscaleName;
|
||||
local.enable = true;
|
||||
};
|
||||
};
|
||||
|
|
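Review bot: `freeipa'ldap'tail.globalRedirect = virtualHosts.freeipa'web'local.name.tailscaleName` has no null guard, yet per the name module in this same commit `tailscaleName` defaults to `null` whenever `includeTailscale` is false, and `includeTailscale` is derived from `local.enable && tailscale.enable && qualifier != "tail"`, so an override of `includeTailscale` or a non-default `qualifier` on `freeipa'web'local` silently turns the redirect target into `null` — the old `${ldap.tailDomain} = mkIf tailscale.enable { … }` block could not reach that state. I would guard it, e.g. `globalRedirect = mkIf (virtualHosts.freeipa'web'local.name.tailscaleName != null) virtualHosts.freeipa'web'local.name.tailscaleName;`, or redirect to a server name as `freeipa'ldap'local` does. The `$ssl_preread_server_name` maps still route purely on client-supplied SNI, so a short comment that unlisted names fall through to `default ${upstreams.ldap}` would help the next reader. The enclosing `services.nginx` attribute set starts before the first hunk and ends after the last.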
|
|||
|
|
@ -67,14 +67,14 @@ in {
|
|||
};
|
||||
|
||||
security.acme.certs = let
|
||||
inherit (nginx) access virtualHosts;
|
||||
inherit (nginx) virtualHosts;
|
||||
in {
|
||||
hakurei = {
|
||||
inherit (nginx) group;
|
||||
domain = config.networking.fqdn;
|
||||
extraDomainNames = [
|
||||
config.lib.access.hostnameForNetwork.local
|
||||
(mkIf config.services.tailscale.enable config.lib.access.hostnameForNetwork.tail)
|
||||
access.hostnameForNetwork.local
|
||||
(mkIf config.services.tailscale.enable access.hostnameForNetwork.tail)
|
||||
];
|
||||
};
|
||||
sso = {
|
||||
|
|
@ -126,20 +126,16 @@ in {
|
|||
virtualHosts.unifi'local.allServerNames
|
||||
];
|
||||
};
|
||||
${access.freeipa.domain} = {
|
||||
idp = {
|
||||
inherit (nginx) group;
|
||||
domain = virtualHosts.freeipa.serverName;
|
||||
extraDomainNames = mkMerge [
|
||||
[
|
||||
access.freeipa.localDomain
|
||||
access.freeipa.caDomain
|
||||
access.freeipa.globalDomain
|
||||
access.ldap.domain
|
||||
access.ldap.localDomain
|
||||
]
|
||||
(mkIf tailscale.enable [
|
||||
access.freeipa.tailDomain
|
||||
access.ldap.tailDomain
|
||||
])
|
||||
virtualHosts.freeipa.serverAliases
|
||||
virtualHosts.freeipa'web.allServerNames
|
||||
virtualHosts.freeipa'web'local.allServerNames
|
||||
virtualHosts.freeipa'ldap.allServerNames
|
||||
virtualHosts.freeipa'ldap'local.allServerNames
|
||||
(mkIf virtualHosts.freeipa'ldap'tail.enable virtualHosts.freeipa'ldap'tail.allServerNames)
|
||||
];
|
||||
};
|
||||
pbx = {
|
||||
|
|
@ -199,7 +195,6 @@ in {
|
|||
host = tei.lib.access.hostnameForNetwork.local;
|
||||
};
|
||||
access.freeipa = {
|
||||
useACMEHost = access.freeipa.domain;
|
||||
host = "idp.local.${config.networking.domain}";
|
||||
kerberos.ports.kpasswd = 464;
|
||||
};
|
||||
|
|
@ -209,6 +204,9 @@ in {
|
|||
virtualHosts = {
|
||||
fallback.ssl.cert.name = "hakurei";
|
||||
gensokyoZone.proxied.enable = "cloudflared";
|
||||
freeipa = {
|
||||
ssl.cert.enable = true;
|
||||
};
|
||||
keycloak = {
|
||||
# we're not the real sso record-holder, so don't respond globally..
|
||||
local.denyGlobal = true;
|
||||
|
|
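Review bot: The rebuilt `idp` certificate's `extraDomainNames` no longer contains the CA vhost's hostname: the removed list had `access.freeipa.caDomain`, while the new `mkMerge` covers `freeipa.serverAliases`, `freeipa'web`, `freeipa'web'local`, `freeipa'ldap`, `freeipa'ldap'local` and (when enabled) `freeipa'ldap'tail`, but not `virtualHosts.freeipa'ca.allServerNames`. In the nginx module changed by this same commit, `freeipa'ca` (shortServer `idp-ca`) takes `ssl.cert.copyFromVhost = "freeipa"` and is routed through the TLS preread map, so unless `copyFromVhost` also contributes the copying vhost's names to the certificate, clients reaching the CA hostname will be presented a certificate with no matching SAN and HTTPS CA/enrollment traffic will fail hostname validation. Add `virtualHosts.freeipa'ca.allServerNames` to the `mkMerge` list. Relatedly, the `hakurei` cert's `let` dropped `inherit (nginx) access` while the new lines still reference `access.hostnameForNetwork.local`, so that now binds to whatever outer `access` is in scope (presumably `config.lib.access`, as the `tei.lib.access.hostnameForNetwork.local` line suggests) — worth confirming. The enclosing `security.acme.certs` attribute set continues past the hunk.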
|
|||