feat(idp): cockpit access

2026-02-09 12:29:19 -08:00 · 2024-05-13 10:53:57 -07:00 · 2024-05-13 10:53:57 -07:00 · c51febd94d
commit c51febd94d
parent f826d2bb4a
6 changed files with 57 additions and 8 deletions
--- a/modules/system/exports/cockpit.nix
+++ b/modules/system/exports/cockpit.nix
@ -0,0 +1,15 @@
+{lib, gensokyo-zone, ...}: let
+  inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault;
+  inherit (lib.attrsets) mapAttrs;
+in {
+  # fedora server web ui
+  config.exports.services.cockpit = {
+    defaults.port.listen = mkAlmostOptionDefault "lan";
+    ports = mapAttrs (_: mapAlmostOptionDefaults) {
+      default = {
+        port = 9090;
+        protocol = "https";
+      };
+    };
+  };
+}
--- a/nixos/access/freeipa.nix
+++ b/nixos/access/freeipa.nix
@ -35,7 +35,6 @@ let
          fromScheme = xvars.get.proxy_scheme;
        };
      };
-      recommendedProxySettings = false;
    };
  };
  ldapsPort = 636;
@ -80,12 +79,22 @@ in {
  config = {
    services.nginx = {
      # TODO: ssl.preread.enable = mkDefault true;
-      upstreams'.freeipa = {config, ...}: {
-        ssl.host = mkDefault (access.systemFor config.servers.access.accessService.system).access.fqdn;
-        host = mkDefault config.ssl.host;
-        servers.access = {
-          accessService = {
-            name = "freeipa";
+      upstreams' = {
+        freeipa = {config, ...}: {
+          ssl.host = mkDefault (access.systemFor config.servers.access.accessService.system).access.fqdn;
+          host = mkDefault config.ssl.host;
+          servers.access = {
+            accessService = {
+              name = "freeipa";
+            };
+          };
+        };
+        freeipa'cockpit = {upstream, ...}: {
+          servers.access = {
+            accessService = {
+              inherit (nginx.upstreams'.freeipa.servers.access.accessService) system;
+              name = "cockpit";
+            };
          };
        };
      };
@ -192,6 +201,7 @@ in {
      ];
      virtualHosts = let
        name.shortServer = mkDefault "ipa";
+        name'cockpit.shortServer = mkDefault "ipa-cock";
      in {
        freeipa = {
          name.shortServer = mkDefault "idp";
@ -223,7 +233,24 @@ in {
        freeipa'web'local = {
          ssl.cert.copyFromVhost = "freeipa'web";
          local.enable = true;
-          inherit name locations;
+          inherit name locations extraConfig;
+        };
+        freeipa'cockpit = {
+          name = name'cockpit;
+          vouch.enable = mkDefault true;
+          ssl = {
+            force = mkDefault virtualHosts.freeipa'web.ssl.force;
+            cert.copyFromVhost = "freeipa'web";
+          };
+          proxy.upstream = "freeipa'cockpit";
+          locations."/".proxy.enable = true;
+        };
+        freeipa'cockpit'local = {
+          name = name'cockpit;
+          ssl.cert.copyFromVhost = "freeipa'cockpit";
+          proxy.copyFromVhost = "freeipa'cockpit";
+          local.enable = true;
+          locations."/".proxy.enable = true;
        };
        freeipa'ldap = {
          serverName = mkDefault ldap.domain;
--- a/systems/freeipa/default.nix
+++ b/systems/freeipa/default.nix
@ -36,6 +36,7 @@ _: {
        enable = true;
        ports.public.enable = false;
      };
+      cockpit.enable = true;
      freeipa.enable = true;
      ldap.enable = true;
      kerberos.enable = true;
--- a/systems/hakurei/nixos.nix
+++ b/systems/hakurei/nixos.nix
@ -62,6 +62,7 @@ in {
      credentialsFile = config.sops.secrets.cloudflared-tunnel-hakurei.path;
      ingress = mkMerge [
        (virtualHosts.freeipa'web.proxied.cloudflared.getIngress {})
+        (virtualHosts.freeipa'cockpit.proxied.cloudflared.getIngress {})
        (virtualHosts.prox.proxied.cloudflared.getIngress {})
        (virtualHosts.gensokyoZone.proxied.cloudflared.getIngress {})
      ];
@ -166,6 +167,8 @@ in {
        virtualHosts.freeipa.otherServerNames
        virtualHosts.freeipa'web.allServerNames
        virtualHosts.freeipa'web'local.allServerNames
+        virtualHosts.freeipa'cockpit.allServerNames
+        virtualHosts.freeipa'cockpit'local.allServerNames
        virtualHosts.freeipa'ldap.allServerNames
        virtualHosts.freeipa'ldap'local.allServerNames
        (mkIf virtualHosts.freeipa'ldap'tail.enable virtualHosts.freeipa'ldap'tail.allServerNames)
@ -237,6 +240,7 @@ in {
        ssl.cert.enable = true;
      };
      freeipa'web.proxied.enable = "cloudflared";
+      freeipa'cockpit.proxied.enable = "cloudflared";
      keycloak = {
        # we're not the real sso record-holder, so don't respond globally..
        local.denyGlobal = true;
--- a/tf/cloudflare_records.tf
+++ b/tf/cloudflare_records.tf
@ -17,6 +17,7 @@ module "hakurei_system_records" {
    "ldap",
    "krb5",
    "ipa",
+    "ipa-cock",
    "unifi",
    "pbx",
    "smb",
--- a/tf/cloudflare_tunnels.tf
+++ b/tf/cloudflare_tunnels.tf
@ -13,6 +13,7 @@ module "hakurei" {
    "@",
    "prox",
    "ipa",
+    "ipa-cock",
  ]
 }