feat: new SSO!!!! 🎉

2022-04-30 20:43:12 +00:00 · 2022-04-30 20:43:12 +00:00 · 27cc65fb14
commit 27cc65fb14
parent 287cb84d82
10 changed files with 167 additions and 22 deletions
--- a/hosts/parsons/configuration.nix
+++ b/hosts/parsons/configuration.nix
@ -21,6 +21,7 @@
    ../../services/gitlab-runner.nix
    ../../services/lantifa.nix
    ../../services/vaultwarden.nix
    ../../services/uffd.nix
    # ../../services/workadventure.nix
    ./lxc.nix
--- a/modules/mattermost.nix
+++ b/modules/mattermost.nix
@ -227,7 +227,7 @@ in
          User = cfg.user;
          Group = cfg.group;
          ExecStart = "${pkgs.mattermost}/bin/mattermost" +
-            (lib.optionalString (!cfg.mutableConfig) " -c ${database}");
+            (if cfg.mutableConfig then " -c ${database}" else " -c ${cfg.statePath}/config/config.json");
          WorkingDirectory = "${cfg.statePath}";
          Restart = "always";
          RestartSec = "10";
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -60,6 +60,8 @@ let
      '';
    };
    uffd = callPackage ./uffd {};
    inherit (unstable) bottom vaultwarden vaultwarden-vault;
  };
--- a/pkgs/uffd/default.nix
+++ b/pkgs/uffd/default.nix
@ -0,0 +1,35 @@
 { stdenv, lib, python3Packages, fetchzip }:
 python3Packages.buildPythonPackage rec {
  pname = "uffd";
  version = "2.0.1";
  src = fetchzip {
    url =
      "https://git.cccv.de/uffd/uffd/-/archive/v${version}/uffd-v${version}.tar.gz";
    hash = "sha256-KP4J1bw5u7MklaPu2SBFRNyGgkKOBOpft5MMH+em5M4=";
  };
  patches = [ ./fix-setuppy.patch ./fix-userinfo.patch ];
  propagatedBuildInputs = with python3Packages; [
    flask
    flask_sqlalchemy
    flask_migrate
    qrcode
    fido2
    oauthlib
    flask-babel
    argon2_cffi
    itsdangerous
    alembic
    Mako
  ];
  postPatch = ''
    sed -i -e 's/==[0-9.]\+//g' setup.py
  '';
  doCheck = false;
  doInstallCheck = false;
 }
--- a/pkgs/uffd/fix-setuppy.patch
+++ b/pkgs/uffd/fix-setuppy.patch
@ -0,0 +1,34 @@
 --- a/setup.py	2022-04-30 13:12:45.564651955 +0000
 +++ b/setup.py	2022-04-30 13:17:02.545809513 +0000
@@ -41,31 +41,5 @@
 		'Flask-Babel==0.11.2',
 		'alembic==1.0.0',
 		'argon2-cffi==18.3.0',
 -
 -		# The main dependencies on their own lead to version collisions and pip is
 -		# not very good at resolving them, so we pin the versions from Debian Buster
 -		# for all dependencies.
 -		'certifi==2018.8.24',
 -		#cffi==1.12.2'
 -		'cffi # v1.12.2 no longer works with python3.9. Newer versions seem to work fine.',
 -		'chardet==3.0.4',
 -		'click==7.0',
 -		'cryptography==2.6.1',
 -		'idna==2.6',
 -		'itsdangerous==0.24',
 -		'Jinja2==2.10',
 -		'MarkupSafe==1.1.0',
 -		'oauthlib==2.1.0',
 -		'pyasn1==0.4.2',
 -		'pycparser==2.19',
 -		'requests==2.21.0',
 -		'requests-oauthlib==1.0.0',
 -		'six==1.12.0',
 -		'SQLAlchemy==1.2.18',
 -		'urllib3==1.24.1',
 -		'Werkzeug==0.14.1',
 -		'python-dateutil==2.7.3',
 -		#editor==1.0.3
 -		'Mako==1.0.7',
 	],
 )
--- a/pkgs/uffd/fix-userinfo.patch
+++ b/pkgs/uffd/fix-userinfo.patch
@ -0,0 +1,10 @@
 --- a/uffd/oauth2/views.py	2022-04-30 20:39:53.825474990 +0000
 +++ b/uffd/oauth2/views.py	2022-04-30 20:40:12.632389377 +0000
@@ -234,6 +234,7 @@
 		id=user.unix_uid,
 		name=user.displayname,
 		nickname=user.loginname,
 +		username=user.loginname,
 		email=user.mail,
 		groups=[group.name for group in user.groups]
 	)
--- a/services/gitlab.nix
+++ b/services/gitlab.nix
@ -71,26 +71,23 @@
          };
          omniauth = {
            enabled = true;
-            auto_sign_in_with_provider = "openid_connect";
+            auto_sign_in_with_provider = "oauth2_generic";
-            allow_single_sign_on = ["openid_connect"];
+            allow_single_sign_on = ["oauth2_generic"];
            block_auto_created_users = false;
            providers = [
              {
-                name = "openid_connect";
+                name = "oauth2_generic";
                label = "infra4future Login";
                app_id = "gitlab";
                app_secret = { _secret = "/persist/secrets/oidc-clientsecret"; };
                args = {
                  name = "openid_connect";
                  scope = ["openid" "profile" "email"];
                  response_type = "code";
                  issuer = "https://auth.infra4future.de/auth/realms/forfuture";
                  discovery = true;
                  client_auth_method = "query";
                  uid_field = "username";
                  client_options = {
-                    identifier = "gitlab";
+                    site = "https://login.infra4future.de";
-                    secret = { _secret = "/persist/secrets/oidc-clientsecret"; };
+                    user_info_url = "/oauth2/userinfo";
-                    redirect_uri = "https://gitlab.infra4future.de/users/auth/openid_connect/callback";
+                    authorize_url = "/oauth2/authorize";
                    token_url = "/oauth2/token";
                  };
                  strategy_class ="OmniAuth::Strategies::OAuth2Generic";
                };
              }
            ];
--- a/services/hedgedoc-hacc.nix
+++ b/services/hedgedoc-hacc.nix
@ -55,8 +55,8 @@
          hsts.preload = false;
          email = false;
          oauth2 = {
-            authorizationURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
+            authorizationURL = "https://login.infra4future.de/oauth2/authorize";
-            tokenURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
+            tokenURL = "https://login.infra4future.de/oauth2/token";
            clientID = "hedgedoc";
            clientSecret = "1a730af1-4d6e-4c1d-8f7e-72375c9b8d62";
          };
@ -64,9 +64,9 @@
      };
      systemd.services.hedgedoc.environment = {
        "CMD_LOGLEVEL" = "warn";
-        "CMD_OAUTH2_USER_PROFILE_URL" = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo";
+        "CMD_OAUTH2_USER_PROFILE_URL" = "https://login.infra4future.de/oauth2/userinfo";
-        "CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR" = "name";
+        "CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR" = "nickname";
-        "CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR" = "display-name";
+        "CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR" = "name";
        "CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR" = "email";
        "CMD_OAUTH2_PROVIDERNAME" = "Infra4Future";
      };
--- a/services/mattermost.nix
+++ b/services/mattermost.nix
@ -141,9 +141,9 @@ in {
            Enable = true;
            Id = "mattermost";
            Scope = "";
-            AuthEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
+            AuthEndpoint = "https://login.infra4future.de/oauth2/authorize";
-            TokenEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
+            TokenEndpoint = "https://login.infra4future.de/oauth2/token";
-            UserApiEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo";
+            UserApiEndpoint = "https://login.infra4future.de/oauth2/userinfo";
          };
          # for some reason, these don't appear to be working; the startup
          # process complaines and sets these back to en
--- a/services/uffd.nix
+++ b/services/uffd.nix
@ -0,0 +1,66 @@
 { config, lib, pkgs, profiles, modules, evalConfig, sources, ... }:
 let
  uffd = pkgs.uffd;
 in {
  containers.uffd = {
    privateNetwork = true;
    hostAddress = "192.168.100.1";
    localAddress = "192.168.100.9";
    autoStart = true;
    bindMounts = {
      "/persist" = {
        hostPath = "/persist/containers/uffd";
        isReadOnly = false;
      };
    };
    path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
      boot.isContainer = true;
      networking.useDHCP = false;
      users.users.root.hashedPassword = "";
      imports = [
        ((import sources.nix-hexchen) {}).profiles.nopersist
      ];
      nixpkgs.config.allowUnfree = true;
      networking.firewall.enable = false;
      networking.defaultGateway = {
        address = "192.168.100.1";
        interface = "eth0";
      };
      services.coredns = {
        enable = true;
        config = ''
        .:53 {
          forward . 1.1.1.1
        }
        '';
      };
      services.uwsgi = {
        enable = true;
        plugins = [ "python3" ];
        instance = {
          type = "normal";
          pythonPackages = self: with self; [ uffd ];
          module = "uffd:create_app()";
          # socket = "${config.services.uwsgi.runDir}/uwsgi.sock";
          http = ":8080";
          env = [
            "CONFIG_PATH=/persist/uffd/uffd.conf"
          ];
          hook-pre-app = "exec:FLASK_APP=${uffd}/lib/python3.9/site-packages/uffd flask db upgrade";
        };
      };
    })).config.system.build.toplevel;
  };
  services.nginx.virtualHosts."login.infra4future.de" = {
    enableACME = true;
    forceSSL = true;
    locations = {
      "/".proxyPass = "http://${config.containers.uffd.localAddress}:8080";
      "/static".root = "${uffd}/lib/python3.9/site-packages/uffd";
    };
  };
 }