feat: new SSO!!!! 🎉

hexchen 2022-04-30 20:43:12 +00:00
parent 287cb84d82
commit 27cc65fb14
10 changed files with 167 additions and 22 deletions


@ -21,6 +21,7 @@
../../services/gitlab-runner.nix ../../services/gitlab-runner.nix
../../services/lantifa.nix ../../services/lantifa.nix
../../services/vaultwarden.nix ../../services/vaultwarden.nix
../../services/uffd.nix
# ../../services/workadventure.nix # ../../services/workadventure.nix
./lxc.nix ./lxc.nix


@ -227,7 +227,7 @@ in
User = cfg.user; User = cfg.user;
Group = cfg.group; Group = cfg.group;
ExecStart = "${pkgs.mattermost}/bin/mattermost" + ExecStart = "${pkgs.mattermost}/bin/mattermost" +
(lib.optionalString (!cfg.mutableConfig) " -c ${database}"); (if cfg.mutableConfig then " -c ${database}" else " -c ${cfg.statePath}/config/config.json");
WorkingDirectory = "${cfg.statePath}"; WorkingDirectory = "${cfg.statePath}";
Restart = "always"; Restart = "always";
RestartSec = "10"; RestartSec = "10";
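Review bot: The new ExecStart expression inverts which branch receives the database DSN: before, `-c ${database}` was appended only when `!cfg.mutableConfig`, now it is appended when `cfg.mutableConfig` is true and the immutable case gets `-c ${cfg.statePath}/config/config.json`. If that is intended, the preStart logic that writes or migrates the configuration (outside this hunk) has to agree with it, otherwise an immutable deployment may start from whatever config.json happens to sit in the state directory rather than the generated one. A one-line comment stating the intent, e.g. `# mutable: config is kept in the DB; immutable: generated config.json in statePath`, would stop the next reader from "fixing" the condition back. The enclosing serviceConfig block starts and ends outside the hunk.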


@ -60,6 +60,8 @@ let
''; '';
}; };
uffd = callPackage ./uffd {};
inherit (unstable) bottom vaultwarden vaultwarden-vault; inherit (unstable) bottom vaultwarden vaultwarden-vault;
}; };

pkgs/uffd/default.nix Normal file

@ -0,0 +1,35 @@
{ stdenv, lib, python3Packages, fetchzip }:
python3Packages.buildPythonPackage rec {
pname = "uffd";
version = "2.0.1";
src = fetchzip {
url =
"https://git.cccv.de/uffd/uffd/-/archive/v${version}/uffd-v${version}.tar.gz";
hash = "sha256-KP4J1bw5u7MklaPu2SBFRNyGgkKOBOpft5MMH+em5M4=";
};
patches = [ ./fix-setuppy.patch ./fix-userinfo.patch ];
propagatedBuildInputs = with python3Packages; [
flask
flask_sqlalchemy
flask_migrate
qrcode
fido2
oauthlib
flask-babel
argon2_cffi
itsdangerous
alembic
Mako
];
postPatch = ''
sed -i -e 's/==[0-9.]\+//g' setup.py
'';
doCheck = false;
doInstallCheck = false;
}
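Review bot: `doCheck = false` and `doInstallCheck = false` switch off the upstream test suite with no stated reason; add a comment saying why (missing test dependencies, presumably) and add `pythonImportsCheck = [ "uffd" ];` so the build at least verifies that the package imports against the unpinned dependency set. `stdenv` and `lib` in the argument set are unused and can be dropped. The version-pin stripping happens in two places — `fix-setuppy.patch` deletes the Debian-pinned block and `postPatch` strips the remaining `==x.y.z` suffixes — which works, but a one-line comment above `patches` explaining the split would prevent someone from collapsing them without checking what each one removes.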


@ -0,0 +1,34 @@
--- a/setup.py 2022-04-30 13:12:45.564651955 +0000
+++ b/setup.py 2022-04-30 13:17:02.545809513 +0000
@@ -41,31 +41,5 @@
'Flask-Babel==0.11.2',
'alembic==1.0.0',
'argon2-cffi==18.3.0',
-
- # The main dependencies on their own lead to version collisions and pip is
- # not very good at resolving them, so we pin the versions from Debian Buster
- # for all dependencies.
- 'certifi==2018.8.24',
- #cffi==1.12.2'
- 'cffi # v1.12.2 no longer works with python3.9. Newer versions seem to work fine.',
- 'chardet==3.0.4',
- 'click==7.0',
- 'cryptography==2.6.1',
- 'idna==2.6',
- 'itsdangerous==0.24',
- 'Jinja2==2.10',
- 'MarkupSafe==1.1.0',
- 'oauthlib==2.1.0',
- 'pyasn1==0.4.2',
- 'pycparser==2.19',
- 'requests==2.21.0',
- 'requests-oauthlib==1.0.0',
- 'six==1.12.0',
- 'SQLAlchemy==1.2.18',
- 'urllib3==1.24.1',
- 'Werkzeug==0.14.1',
- 'python-dateutil==2.7.3',
- #editor==1.0.3
- 'Mako==1.0.7',
],
)


@ -0,0 +1,10 @@
--- a/uffd/oauth2/views.py 2022-04-30 20:39:53.825474990 +0000
+++ b/uffd/oauth2/views.py 2022-04-30 20:40:12.632389377 +0000
@@ -234,6 +234,7 @@
id=user.unix_uid,
name=user.displayname,
nickname=user.loginname,
+ username=user.loginname,
email=user.mail,
groups=[group.name for group in user.groups]
)


@ -71,26 +71,23 @@
}; };
omniauth = { omniauth = {
enabled = true; enabled = true;
auto_sign_in_with_provider = "openid_connect"; auto_sign_in_with_provider = "oauth2_generic";
allow_single_sign_on = ["openid_connect"]; allow_single_sign_on = ["oauth2_generic"];
block_auto_created_users = false; block_auto_created_users = false;
providers = [ providers = [
{ {
name = "openid_connect"; name = "oauth2_generic";
label = "infra4future Login"; label = "infra4future Login";
app_id = "gitlab";
app_secret = { _secret = "/persist/secrets/oidc-clientsecret"; };
args = { args = {
name = "openid_connect";
scope = ["openid" "profile" "email"];
response_type = "code";
issuer = "https://auth.infra4future.de/auth/realms/forfuture";
discovery = true;
client_auth_method = "query";
uid_field = "username";
client_options = { client_options = {
identifier = "gitlab"; site = "https://login.infra4future.de";
secret = { _secret = "/persist/secrets/oidc-clientsecret"; }; user_info_url = "/oauth2/userinfo";
redirect_uri = "https://gitlab.infra4future.de/users/auth/openid_connect/callback"; authorize_url = "/oauth2/authorize";
token_url = "/oauth2/token";
}; };
strategy_class ="OmniAuth::Strategies::OAuth2Generic";
}; };
} }
]; ];
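Review bot: `uid_field = "username"` keys GitLab identities on the uffd login name, so if uffd ever allows a login name to be renamed or reused, the new holder of that name inherits the GitLab account; the userinfo response (see fix-userinfo.patch in this commit) also carries the numeric `id`, which is the safer key if it is stable — please confirm which field uffd guarantees immutable and pick that one. Moving from `openid_connect` to `oauth2_generic` also drops the issuer, discovery and ID-token checks, so the only binding to the IdP is now the `site` URL over TLS; that is acceptable for a plain OAuth2 login but deserves a comment next to `client_options`. Identities already linked under the provider name `openid_connect` will presumably not match `oauth2_generic`, so check how existing users get re-linked before `block_auto_created_users = false` lets the first login create a second account. Style: `strategy_class ="OmniAuth::Strategies::OAuth2Generic";` is missing the space after `=`.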


@ -55,8 +55,8 @@
hsts.preload = false; hsts.preload = false;
email = false; email = false;
oauth2 = { oauth2 = {
authorizationURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth"; authorizationURL = "https://login.infra4future.de/oauth2/authorize";
tokenURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token"; tokenURL = "https://login.infra4future.de/oauth2/token";
clientID = "hedgedoc"; clientID = "hedgedoc";
clientSecret = "1a730af1-4d6e-4c1d-8f7e-72375c9b8d62"; clientSecret = "1a730af1-4d6e-4c1d-8f7e-72375c9b8d62";
}; };
@ -64,9 +64,9 @@
}; };
systemd.services.hedgedoc.environment = { systemd.services.hedgedoc.environment = {
"CMD_LOGLEVEL" = "warn"; "CMD_LOGLEVEL" = "warn";
"CMD_OAUTH2_USER_PROFILE_URL" = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo"; "CMD_OAUTH2_USER_PROFILE_URL" = "https://login.infra4future.de/oauth2/userinfo";
"CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR" = "name"; "CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR" = "nickname";
"CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR" = "display-name"; "CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR" = "name";
"CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR" = "email"; "CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR" = "email";
"CMD_OAUTH2_PROVIDERNAME" = "Infra4Future"; "CMD_OAUTH2_PROVIDERNAME" = "Infra4Future";
}; };
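Review bot: `clientSecret` on the unchanged line of the first hunk stays a literal in the Nix expression, which lives in git history and, if the module renders its settings to a store file, in the world-readable Nix store, while the GitLab section of this same commit reads its secret from `/persist/secrets/...` via `_secret`; since the client is being re-registered against login.infra4future.de anyway, this is the moment to issue a fresh secret and load it from a file (for example through `CMD_OAUTH2_CLIENT_SECRET` supplied from an EnvironmentFile rather than a store-rendered setting). The attribute remapping in the second hunk is consistent with the patched userinfo (`nickname` = loginname, `name` = displayname), but a comment above `CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR` noting that these names must track the uffd userinfo fields would help the next migration.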


@ -141,9 +141,9 @@ in {
Enable = true; Enable = true;
Id = "mattermost"; Id = "mattermost";
Scope = ""; Scope = "";
AuthEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth"; AuthEndpoint = "https://login.infra4future.de/oauth2/authorize";
TokenEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token"; TokenEndpoint = "https://login.infra4future.de/oauth2/token";
UserApiEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo"; UserApiEndpoint = "https://login.infra4future.de/oauth2/userinfo";
}; };
# for some reason, these don't appear to be working; the startup # for some reason, these don't appear to be working; the startup
# process complaines and sets these back to en # process complaines and sets these back to en

services/uffd.nix Normal file

@ -0,0 +1,66 @@
{ config, lib, pkgs, profiles, modules, evalConfig, sources, ... }:
let
uffd = pkgs.uffd;
in {
containers.uffd = {
privateNetwork = true;
hostAddress = "192.168.100.1";
localAddress = "192.168.100.9";
autoStart = true;
bindMounts = {
"/persist" = {
hostPath = "/persist/containers/uffd";
isReadOnly = false;
};
};
path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
boot.isContainer = true;
networking.useDHCP = false;
users.users.root.hashedPassword = "";
imports = [
((import sources.nix-hexchen) {}).profiles.nopersist
];
nixpkgs.config.allowUnfree = true;
networking.firewall.enable = false;
networking.defaultGateway = {
address = "192.168.100.1";
interface = "eth0";
};
services.coredns = {
enable = true;
config = ''
.:53 {
forward . 1.1.1.1
}
'';
};
services.uwsgi = {
enable = true;
plugins = [ "python3" ];
instance = {
type = "normal";
pythonPackages = self: with self; [ uffd ];
module = "uffd:create_app()";
# socket = "${config.services.uwsgi.runDir}/uwsgi.sock";
http = ":8080";
env = [
"CONFIG_PATH=/persist/uffd/uffd.conf"
];
hook-pre-app = "exec:FLASK_APP=${uffd}/lib/python3.9/site-packages/uffd flask db upgrade";
};
};
})).config.system.build.toplevel;
};
services.nginx.virtualHosts."login.infra4future.de" = {
enableACME = true;
forceSSL = true;
locations = {
"/".proxyPass = "http://${config.containers.uffd.localAddress}:8080";
"/static".root = "${uffd}/lib/python3.9/site-packages/uffd";
};
};
}
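Review bot: `users.users.root.hashedPassword = ""` gives the container's root an empty password hash, i.e. password-less root login on the container console (`nixos-container login` / `machinectl login`) unless the nopersist profile overrides it; if the intent is "no password at all", the locked-account value `users.users.root.hashedPassword = "!";` expresses that without enabling login. The path `${uffd}/lib/python3.9/site-packages/uffd` is hard-coded twice (in `hook-pre-app` and the `/static` root) and will break silently when `python3` moves to 3.10; `${uffd}/${pkgs.python3.sitePackages}/uffd` derives it from the interpreter actually used. The nginx vhost sets only `proxyPass`, so unless `recommendedProxySettings` is enabled elsewhere the app sees plain-http requests; if uffd derives redirect URLs or the secure-cookie flag from the request scheme, confirm that `X-Forwarded-Proto` reaches it. A short comment next to `networking.firewall.enable = false` stating that uwsgi on `:8080` is only reachable over the host-side veth would document the exposure assumption.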