feat: new SSO!!!! 🎉
This commit is contained in:
parent
287cb84d82
commit
27cc65fb14
10 changed files with 167 additions and 22 deletions
|
@ -21,6 +21,7 @@
|
|||
../../services/gitlab-runner.nix
|
||||
../../services/lantifa.nix
|
||||
../../services/vaultwarden.nix
|
||||
../../services/uffd.nix
|
||||
# ../../services/workadventure.nix
|
||||
|
||||
./lxc.nix
|
||||
|
|
|
@ -227,7 +227,7 @@ in
|
|||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
ExecStart = "${pkgs.mattermost}/bin/mattermost" +
|
||||
(lib.optionalString (!cfg.mutableConfig) " -c ${database}");
|
||||
(if cfg.mutableConfig then " -c ${database}" else " -c ${cfg.statePath}/config/config.json");
|
||||
WorkingDirectory = "${cfg.statePath}";
|
||||
Restart = "always";
|
||||
RestartSec = "10";
|
||||
|
|
|
@ -60,6 +60,8 @@ let
|
|||
'';
|
||||
};
|
||||
|
||||
uffd = callPackage ./uffd {};
|
||||
|
||||
inherit (unstable) bottom vaultwarden vaultwarden-vault;
|
||||
};
|
||||
|
||||
|
|
35
pkgs/uffd/default.nix
Normal file
35
pkgs/uffd/default.nix
Normal file
|
@ -0,0 +1,35 @@
|
|||
{ stdenv, lib, python3Packages, fetchzip }:
|
||||
|
||||
python3Packages.buildPythonPackage rec {
|
||||
pname = "uffd";
|
||||
version = "2.0.1";
|
||||
|
||||
src = fetchzip {
|
||||
url =
|
||||
"https://git.cccv.de/uffd/uffd/-/archive/v${version}/uffd-v${version}.tar.gz";
|
||||
hash = "sha256-KP4J1bw5u7MklaPu2SBFRNyGgkKOBOpft5MMH+em5M4=";
|
||||
};
|
||||
|
||||
patches = [ ./fix-setuppy.patch ./fix-userinfo.patch ];
|
||||
|
||||
propagatedBuildInputs = with python3Packages; [
|
||||
flask
|
||||
flask_sqlalchemy
|
||||
flask_migrate
|
||||
qrcode
|
||||
fido2
|
||||
oauthlib
|
||||
flask-babel
|
||||
argon2_cffi
|
||||
itsdangerous
|
||||
alembic
|
||||
Mako
|
||||
];
|
||||
|
||||
postPatch = ''
|
||||
sed -i -e 's/==[0-9.]\+//g' setup.py
|
||||
'';
|
||||
|
||||
doCheck = false;
|
||||
doInstallCheck = false;
|
||||
}
|
34
pkgs/uffd/fix-setuppy.patch
Normal file
34
pkgs/uffd/fix-setuppy.patch
Normal file
|
@ -0,0 +1,34 @@
|
|||
--- a/setup.py 2022-04-30 13:12:45.564651955 +0000
|
||||
+++ b/setup.py 2022-04-30 13:17:02.545809513 +0000
|
||||
@@ -41,31 +41,5 @@
|
||||
'Flask-Babel==0.11.2',
|
||||
'alembic==1.0.0',
|
||||
'argon2-cffi==18.3.0',
|
||||
-
|
||||
- # The main dependencies on their own lead to version collisions and pip is
|
||||
- # not very good at resolving them, so we pin the versions from Debian Buster
|
||||
- # for all dependencies.
|
||||
- 'certifi==2018.8.24',
|
||||
- #cffi==1.12.2'
|
||||
- 'cffi # v1.12.2 no longer works with python3.9. Newer versions seem to work fine.',
|
||||
- 'chardet==3.0.4',
|
||||
- 'click==7.0',
|
||||
- 'cryptography==2.6.1',
|
||||
- 'idna==2.6',
|
||||
- 'itsdangerous==0.24',
|
||||
- 'Jinja2==2.10',
|
||||
- 'MarkupSafe==1.1.0',
|
||||
- 'oauthlib==2.1.0',
|
||||
- 'pyasn1==0.4.2',
|
||||
- 'pycparser==2.19',
|
||||
- 'requests==2.21.0',
|
||||
- 'requests-oauthlib==1.0.0',
|
||||
- 'six==1.12.0',
|
||||
- 'SQLAlchemy==1.2.18',
|
||||
- 'urllib3==1.24.1',
|
||||
- 'Werkzeug==0.14.1',
|
||||
- 'python-dateutil==2.7.3',
|
||||
- #editor==1.0.3
|
||||
- 'Mako==1.0.7',
|
||||
],
|
||||
)
|
10
pkgs/uffd/fix-userinfo.patch
Normal file
10
pkgs/uffd/fix-userinfo.patch
Normal file
|
@ -0,0 +1,10 @@
|
|||
--- a/uffd/oauth2/views.py 2022-04-30 20:39:53.825474990 +0000
|
||||
+++ b/uffd/oauth2/views.py 2022-04-30 20:40:12.632389377 +0000
|
||||
@@ -234,6 +234,7 @@
|
||||
id=user.unix_uid,
|
||||
name=user.displayname,
|
||||
nickname=user.loginname,
|
||||
+ username=user.loginname,
|
||||
email=user.mail,
|
||||
groups=[group.name for group in user.groups]
|
||||
)
|
|
@ -71,26 +71,23 @@
|
|||
};
|
||||
omniauth = {
|
||||
enabled = true;
|
||||
auto_sign_in_with_provider = "openid_connect";
|
||||
allow_single_sign_on = ["openid_connect"];
|
||||
auto_sign_in_with_provider = "oauth2_generic";
|
||||
allow_single_sign_on = ["oauth2_generic"];
|
||||
block_auto_created_users = false;
|
||||
providers = [
|
||||
{
|
||||
name = "openid_connect";
|
||||
name = "oauth2_generic";
|
||||
label = "infra4future Login";
|
||||
app_id = "gitlab";
|
||||
app_secret = { _secret = "/persist/secrets/oidc-clientsecret"; };
|
||||
args = {
|
||||
name = "openid_connect";
|
||||
scope = ["openid" "profile" "email"];
|
||||
response_type = "code";
|
||||
issuer = "https://auth.infra4future.de/auth/realms/forfuture";
|
||||
discovery = true;
|
||||
client_auth_method = "query";
|
||||
uid_field = "username";
|
||||
client_options = {
|
||||
identifier = "gitlab";
|
||||
secret = { _secret = "/persist/secrets/oidc-clientsecret"; };
|
||||
redirect_uri = "https://gitlab.infra4future.de/users/auth/openid_connect/callback";
|
||||
site = "https://login.infra4future.de";
|
||||
user_info_url = "/oauth2/userinfo";
|
||||
authorize_url = "/oauth2/authorize";
|
||||
token_url = "/oauth2/token";
|
||||
};
|
||||
strategy_class ="OmniAuth::Strategies::OAuth2Generic";
|
||||
};
|
||||
}
|
||||
];
|
||||
|
|
|
@ -55,8 +55,8 @@
|
|||
hsts.preload = false;
|
||||
email = false;
|
||||
oauth2 = {
|
||||
authorizationURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
|
||||
tokenURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
|
||||
authorizationURL = "https://login.infra4future.de/oauth2/authorize";
|
||||
tokenURL = "https://login.infra4future.de/oauth2/token";
|
||||
clientID = "hedgedoc";
|
||||
clientSecret = "1a730af1-4d6e-4c1d-8f7e-72375c9b8d62";
|
||||
};
|
||||
|
@ -64,9 +64,9 @@
|
|||
};
|
||||
systemd.services.hedgedoc.environment = {
|
||||
"CMD_LOGLEVEL" = "warn";
|
||||
"CMD_OAUTH2_USER_PROFILE_URL" = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo";
|
||||
"CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR" = "name";
|
||||
"CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR" = "display-name";
|
||||
"CMD_OAUTH2_USER_PROFILE_URL" = "https://login.infra4future.de/oauth2/userinfo";
|
||||
"CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR" = "nickname";
|
||||
"CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR" = "name";
|
||||
"CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR" = "email";
|
||||
"CMD_OAUTH2_PROVIDERNAME" = "Infra4Future";
|
||||
};
|
||||
|
|
|
@ -141,9 +141,9 @@ in {
|
|||
Enable = true;
|
||||
Id = "mattermost";
|
||||
Scope = "";
|
||||
AuthEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
|
||||
TokenEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
|
||||
UserApiEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo";
|
||||
AuthEndpoint = "https://login.infra4future.de/oauth2/authorize";
|
||||
TokenEndpoint = "https://login.infra4future.de/oauth2/token";
|
||||
UserApiEndpoint = "https://login.infra4future.de/oauth2/userinfo";
|
||||
};
|
||||
# for some reason, these don't appear to be working; the startup
|
||||
# process complaines and sets these back to en
|
||||
|
|
66
services/uffd.nix
Normal file
66
services/uffd.nix
Normal file
|
@ -0,0 +1,66 @@
|
|||
{ config, lib, pkgs, profiles, modules, evalConfig, sources, ... }:
|
||||
|
||||
let
|
||||
uffd = pkgs.uffd;
|
||||
in {
|
||||
containers.uffd = {
|
||||
privateNetwork = true;
|
||||
hostAddress = "192.168.100.1";
|
||||
localAddress = "192.168.100.9";
|
||||
autoStart = true;
|
||||
bindMounts = {
|
||||
"/persist" = {
|
||||
hostPath = "/persist/containers/uffd";
|
||||
isReadOnly = false;
|
||||
};
|
||||
};
|
||||
path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
|
||||
boot.isContainer = true;
|
||||
networking.useDHCP = false;
|
||||
users.users.root.hashedPassword = "";
|
||||
|
||||
imports = [
|
||||
((import sources.nix-hexchen) {}).profiles.nopersist
|
||||
];
|
||||
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
networking.firewall.enable = false;
|
||||
networking.defaultGateway = {
|
||||
address = "192.168.100.1";
|
||||
interface = "eth0";
|
||||
};
|
||||
services.coredns = {
|
||||
enable = true;
|
||||
config = ''
|
||||
.:53 {
|
||||
forward . 1.1.1.1
|
||||
}
|
||||
'';
|
||||
};
|
||||
|
||||
services.uwsgi = {
|
||||
enable = true;
|
||||
plugins = [ "python3" ];
|
||||
instance = {
|
||||
type = "normal";
|
||||
pythonPackages = self: with self; [ uffd ];
|
||||
module = "uffd:create_app()";
|
||||
# socket = "${config.services.uwsgi.runDir}/uwsgi.sock";
|
||||
http = ":8080";
|
||||
env = [
|
||||
"CONFIG_PATH=/persist/uffd/uffd.conf"
|
||||
];
|
||||
hook-pre-app = "exec:FLASK_APP=${uffd}/lib/python3.9/site-packages/uffd flask db upgrade";
|
||||
};
|
||||
};
|
||||
})).config.system.build.toplevel;
|
||||
};
|
||||
services.nginx.virtualHosts."login.infra4future.de" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations = {
|
||||
"/".proxyPass = "http://${config.containers.uffd.localAddress}:8080";
|
||||
"/static".root = "${uffd}/lib/python3.9/site-packages/uffd";
|
||||
};
|
||||
};
|
||||
}
|
Loading…
Reference in a new issue