mirror of
https://github.com/gensokyo-zone/infrastructure.git
synced 2026-02-09 12:29:19 -08:00
58 lines
1.6 KiB
Nix
58 lines
1.6 KiB
Nix
{
|
|
config,
|
|
pkgs,
|
|
lib,
|
|
...
|
|
}: let
|
|
inherit (lib.modules) mkIf mkMerge mkDefault;
|
|
cfg = config.services.vouch-proxy;
|
|
sopsFile = mkDefault ./secrets/vouch.yaml;
|
|
enableKeycloak = true;
|
|
hassVouch = false;
|
|
in {
|
|
services.vouch-proxy = {
|
|
enable = mkDefault true;
|
|
package = mkIf hassVouch (pkgs.vouch-proxy.overrideAttrs (old: {
|
|
postPatch =
|
|
''
|
|
sed -i handlers/login.go \
|
|
-e 's/badStrings *=.*$/badStrings = []string{}/'
|
|
''
|
|
+ old.postPatch or "";
|
|
doCheck = false;
|
|
}));
|
|
domain = mkDefault "login.${config.networking.domain}";
|
|
authUrl = mkIf enableKeycloak (
|
|
mkDefault "https://sso.${config.networking.domain}/realms/${config.networking.domain}"
|
|
);
|
|
settings = mkMerge [
|
|
{
|
|
vouch.listen = mkDefault "0.0.0.0";
|
|
vouch.cookie.secure = mkDefault false;
|
|
}
|
|
(mkIf enableKeycloak {
|
|
oauth = {
|
|
auth_url = mkDefault "${cfg.authUrl}/protocol/openid-connect/auth";
|
|
token_url = mkDefault "${cfg.authUrl}/protocol/openid-connect/token";
|
|
user_info_url = mkDefault "${cfg.authUrl}/protocol/openid-connect/userinfo";
|
|
};
|
|
})
|
|
];
|
|
enableSettingsSecrets = mkDefault true;
|
|
extraSettings = {
|
|
oauth.client_secret._secret = config.sops.secrets.vouch-client-secret.path;
|
|
vouch.jwt.secret._secret = config.sops.secrets.vouch-jwt.path;
|
|
};
|
|
};
|
|
|
|
sops.secrets = {
|
|
vouch-jwt = {
|
|
inherit sopsFile;
|
|
owner = cfg.user;
|
|
};
|
|
vouch-client-secret = {
|
|
inherit sopsFile;
|
|
owner = cfg.user;
|
|
};
|
|
};
|
|
}
|