wink: oauth2_proxy half-working

For the record: this is the last state before nftables broke yesterday.
As far as I know, all that is missing from this to make the authentication
for wink actually work is internet access for the container (as was also
the case for hasenloch); the snippets for coredns and NAT copied from that
container led to the aforementioned firewall problem — or at least they are
the only thing I changed between deployments.

Apart from that:
this moves the proxy into the container, mostly to make keeping track of its
state (esp. the secrets file) easier should we ever decide to move this
somewhere else / delete the container, since that will just delete any
additional state of the proxy with it.
stuebinm 2021-03-19 15:24:03 +01:00
parent 8f64bcff7d
commit 9ca65bd37d
No known key found for this signature in database
GPG key ID: 8FBE8AAD32FA12B7


@ -10,14 +10,9 @@
hostAddress = "192.168.100.10"; hostAddress = "192.168.100.10";
localAddress = "192.168.100.11"; localAddress = "192.168.100.11";
# expose the wink database for easier backups / migrations
bindMounts."/var/lib/wink/db" = {
hostPath = "/var/lib/wink-db";
isReadOnly = false;
};
config = {pkgs, config, ...}: { config = {pkgs, config, ...}: {
networking.firewall.allowedTCPPorts = [ 3000 ]; networking.firewall.allowedTCPPorts = [ 8000 ];
environment.systemPackages = [ pkgs.wink pkgs.v8 ]; environment.systemPackages = [ pkgs.wink pkgs.v8 ];
systemd.services.wink = { systemd.services.wink = {
@ -39,26 +34,21 @@
rails-wrapped server -b [::] -p 3000 rails-wrapped server -b [::] -p 3000
''; '';
}; };
};
};
services.nginx.virtualHosts."wink.hacc.space" = {
locations."/".proxyPass = "http://${config.containers.wink.localAddress}:3000";
forceSSL = true;
enableACME = true;
};
services.oauth2_proxy = services.oauth2_proxy =
let keycloakurl = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect"; let keycloakurl = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect";
in { in {
enable = true; enable = true;
nginx.virtualHosts = [ "wink.hacc.space" ]; #nginx.virtualHosts = [ "matrix.hacc.space" ];
upstream = "http://localhost:3000";
httpAddress = "http//0.0.0.0:8000";
email.domains = [ "*" ];
# for the keycloak side of the configuration, see the documentation at # for the keycloak side of the configuration, see the documentation at
# https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider#keycloak-auth-provider # https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider#keycloak-auth-provider
provider = "keycloak"; provider = "keycloak";
clientID = ""; # TODO clientID = "winktest"; # TODO
loginURL = "${keycloakurl}/auth"; loginURL = "${keycloakurl}/auth";
redeemURL = "${keycloakurl}/token"; redeemURL = "${keycloakurl}/token";
profileURL = "${keycloakurl}/userinfo"; profileURL = "${keycloakurl}/userinfo";
@ -69,9 +59,22 @@
extraConfig = { extraConfig = {
# log format (default would also log ip addresses / users) # log format (default would also log ip addresses / users)
auth_logging_format = "[{{.Timestamp}}] [{{.Status}}] {{.Message}}"; auth-logging-format = "[{{.Timestamp}}] [{{.Status}}] {{.Message}}";
allowed_group = "hacc"; #allowed_group = "hacc";
}; };
}; };
};
};
services.nginx.virtualHosts."matrix.hacc.space" = {
locations."/".proxyPass = "http://${config.containers.wink.localAddress}:8000";
forceSSL = true;
enableACME = true;
};
} }
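Review bot: With `email.domains = [ "*" ];` added and `allowed_group = "hacc"` commented out in extraConfig, the in-container proxy now admits any account the Keycloak client lets through rather than only members of the hacc group, so the group restriction should go back in before the vhost goes live — written as `allowed-group = "hacc";` to match the `auth-logging-format` rename in the same hunk, which suggests the module passes these keys as hyphenated command-line flags. `httpAddress = "http//0.0.0.0:8000";` is missing the colon after the scheme and presumably will not parse as a listen address; `httpAddress = "http://0.0.0.0:8000";` is what is intended. The host-side `services.nginx.virtualHosts."matrix.hacc.space"` now fronts the wink container on port 8000 while the old `"wink.hacc.space"` vhost is removed, which looks like a leftover of the copied snippet and would expose wink under the matrix hostname; worth confirming. `clientID = "winktest"; # TODO` still needs its production value, and the corresponding client secret is not visible in this hunk.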