stuebinm
432acb31e9
This should let it talk to the outside network (i.e. the internet), and thereby enable the oauth2-proxy to redeem codes to authenticate clients.
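# for documentation on how this container works, have a look at
# https://wiki.infra4future.de/books/voc-infra/page/wink-65b
#
# Layout: the Rails app ("wink") and an oauth2-proxy in front of it live in a
# NixOS container with its own network namespace; the host terminates TLS with
# nginx and proxies to the container's oauth2-proxy port, and NAT gives the
# container outbound access so the proxy can reach keycloak for code redemption.

{ pkgs, config, ...}:

{
  containers.wink = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "192.168.100.10";
    localAddress = "192.168.100.11";

    config = {pkgs, config, ...}: {
      # Only the oauth2-proxy port is opened. The Rails server on 3000 is not
      # listed here, so it is reachable only through the proxy from outside.
      networking.firewall.allowedTCPPorts = [ 8000 ];
      environment.systemPackages = [ pkgs.wink pkgs.v8 ];

      systemd.services.wink = {
        enable = true;
        description = "Wo ist meine Winkekatze?";
        wantedBy = [ "multi-user.target" ];
        # systemd unit keys are case-sensitive; "type" would be ignored with a
        # warning. "simple" is also the default, so this only documents intent.
        serviceConfig.Type = "simple";
        # NOTE(review): no User= is set, so the app runs as root inside the
        # container; consider a dedicated user once /var/lib/wink ownership is settled.
        environment.HOME = "/var/lib/wink/home";
        path = [ pkgs.wink pkgs.v8 ];
        script = ''
          mkdir -p /var/lib/wink/home
          cd /var/lib/wink
          # the app is copied out of the (read-only) store on every start so
          # it can write next to its own files
          cp -r ${pkgs.wink.outPath}/* .
          # one-off schema setup; the marker file makes this idempotent
          if [ ! -f database.exists ]
          then
            rails-wrapped db:migrate db:seed RAILS_ENV=development
            touch database.exists
          fi
          # NOTE(review): no RAILS_ENV is given here, so Rails runs in its
          # default (development) mode, which serves verbose error pages; the
          # migration above also targets the development database. Confirm
          # this is intended before exposing the service more widely.
          rails-wrapped server -b [::] -p 3000
        '';
      };

      services.oauth2_proxy =
        let keycloakurl = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect";
        in {
          enable = true;
          #nginx.virtualHosts = [ "matrix.hacc.space" ];
          upstream = "http://localhost:3000";
          # listening address nginx on the host proxies to; the scheme was
          # previously written as "http//", which is not a valid address
          httpAddress = "http://0.0.0.0:8000";

          # NOTE(review): "*" admits every account the keycloak realm will
          # authenticate; access is not narrowed further while allowed_group
          # below is commented out.
          email.domains = [ "*" ];

          # for the keycloak side of the configuration, see the documentation at
          # https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider#keycloak-auth-provider
          provider = "keycloak";
          clientID = "winktest"; # TODO
          loginURL = "${keycloakurl}/auth";
          redeemURL = "${keycloakurl}/token";
          profileURL = "${keycloakurl}/userinfo";
          validateURL = "${keycloakurl}/userinfo";

          # must contain OAUTH2_PROXY_COOKIE_SECRET and OAUTH2_PROXY_CLIENT_SECRET
          # (kept out of the store on purpose: this file is read at runtime)
          keyFile = "/var/lib/oauth2_proxy/secrets";

          extraConfig = {
            # log format (default would also log ip addresses / users)
            auth-logging-format = "[{{.Timestamp}}] [{{.Status}}] {{.Message}}";
            # NOTE(review): the oauth2-proxy flag is spelled "allowed-group"
            # (hyphen, like auth-logging-format above); check before re-enabling
            #allowed_group = "hacc";
          };
        };

      # presumably needed so the container can resolve the keycloak hostname;
      # forwards every query to a public resolver over plain DNS
      services.coredns = {
        enable = true;
        config = ''
          .:53 {
            forward . 1.1.1.1
          }
        '';
      };
    };
  };

  # NOTE(review): the virtual host name matches the commented-out matrix entry
  # above; confirm it is the intended public name for wink and not a leftover.
  services.nginx.virtualHosts."matrix.hacc.space" = {
    locations."/".proxyPass = "http://${config.containers.wink.localAddress}:8000";
    forceSSL = true;
    enableACME = true;
  };

  # outbound NAT for the container's veth so oauth2-proxy can reach keycloak
  networking.nat.enable = true;
  networking.nat.internalInterfaces = ["ve-wink"];
  networking.nat.externalInterface = "enp6s0";
}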