forked from hacc/haccfiles
feat: new SSO!!!! 🎉
This commit is contained in:
parent
287cb84d82
commit
27cc65fb14
10 changed files with 167 additions and 22 deletions
|
@ -21,6 +21,7 @@
|
||||||
../../services/gitlab-runner.nix
|
../../services/gitlab-runner.nix
|
||||||
../../services/lantifa.nix
|
../../services/lantifa.nix
|
||||||
../../services/vaultwarden.nix
|
../../services/vaultwarden.nix
|
||||||
|
../../services/uffd.nix
|
||||||
# ../../services/workadventure.nix
|
# ../../services/workadventure.nix
|
||||||
|
|
||||||
./lxc.nix
|
./lxc.nix
|
||||||
|
|
|
@ -227,7 +227,7 @@ in
|
||||||
User = cfg.user;
|
User = cfg.user;
|
||||||
Group = cfg.group;
|
Group = cfg.group;
|
||||||
ExecStart = "${pkgs.mattermost}/bin/mattermost" +
|
ExecStart = "${pkgs.mattermost}/bin/mattermost" +
|
||||||
(lib.optionalString (!cfg.mutableConfig) " -c ${database}");
|
(if cfg.mutableConfig then " -c ${database}" else " -c ${cfg.statePath}/config/config.json");
|
||||||
WorkingDirectory = "${cfg.statePath}";
|
WorkingDirectory = "${cfg.statePath}";
|
||||||
Restart = "always";
|
Restart = "always";
|
||||||
RestartSec = "10";
|
RestartSec = "10";
|
||||||
|
|
|
@ -60,6 +60,8 @@ let
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
uffd = callPackage ./uffd {};
|
||||||
|
|
||||||
inherit (unstable) bottom vaultwarden vaultwarden-vault;
|
inherit (unstable) bottom vaultwarden vaultwarden-vault;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
35
pkgs/uffd/default.nix
Normal file
35
pkgs/uffd/default.nix
Normal file
|
@ -0,0 +1,35 @@
|
||||||
|
{ stdenv, lib, python3Packages, fetchzip }:
|
||||||
|
|
||||||
|
python3Packages.buildPythonPackage rec {
|
||||||
|
pname = "uffd";
|
||||||
|
version = "2.0.1";
|
||||||
|
|
||||||
|
src = fetchzip {
|
||||||
|
url =
|
||||||
|
"https://git.cccv.de/uffd/uffd/-/archive/v${version}/uffd-v${version}.tar.gz";
|
||||||
|
hash = "sha256-KP4J1bw5u7MklaPu2SBFRNyGgkKOBOpft5MMH+em5M4=";
|
||||||
|
};
|
||||||
|
|
||||||
|
patches = [ ./fix-setuppy.patch ./fix-userinfo.patch ];
|
||||||
|
|
||||||
|
propagatedBuildInputs = with python3Packages; [
|
||||||
|
flask
|
||||||
|
flask_sqlalchemy
|
||||||
|
flask_migrate
|
||||||
|
qrcode
|
||||||
|
fido2
|
||||||
|
oauthlib
|
||||||
|
flask-babel
|
||||||
|
argon2_cffi
|
||||||
|
itsdangerous
|
||||||
|
alembic
|
||||||
|
Mako
|
||||||
|
];
|
||||||
|
|
||||||
|
postPatch = ''
|
||||||
|
sed -i -e 's/==[0-9.]\+//g' setup.py
|
||||||
|
'';
|
||||||
|
|
||||||
|
doCheck = false;
|
||||||
|
doInstallCheck = false;
|
||||||
|
}
|
34
pkgs/uffd/fix-setuppy.patch
Normal file
34
pkgs/uffd/fix-setuppy.patch
Normal file
|
@ -0,0 +1,34 @@
|
||||||
|
--- a/setup.py 2022-04-30 13:12:45.564651955 +0000
|
||||||
|
+++ b/setup.py 2022-04-30 13:17:02.545809513 +0000
|
||||||
|
@@ -41,31 +41,5 @@
|
||||||
|
'Flask-Babel==0.11.2',
|
||||||
|
'alembic==1.0.0',
|
||||||
|
'argon2-cffi==18.3.0',
|
||||||
|
-
|
||||||
|
- # The main dependencies on their own lead to version collisions and pip is
|
||||||
|
- # not very good at resolving them, so we pin the versions from Debian Buster
|
||||||
|
- # for all dependencies.
|
||||||
|
- 'certifi==2018.8.24',
|
||||||
|
- #cffi==1.12.2'
|
||||||
|
- 'cffi # v1.12.2 no longer works with python3.9. Newer versions seem to work fine.',
|
||||||
|
- 'chardet==3.0.4',
|
||||||
|
- 'click==7.0',
|
||||||
|
- 'cryptography==2.6.1',
|
||||||
|
- 'idna==2.6',
|
||||||
|
- 'itsdangerous==0.24',
|
||||||
|
- 'Jinja2==2.10',
|
||||||
|
- 'MarkupSafe==1.1.0',
|
||||||
|
- 'oauthlib==2.1.0',
|
||||||
|
- 'pyasn1==0.4.2',
|
||||||
|
- 'pycparser==2.19',
|
||||||
|
- 'requests==2.21.0',
|
||||||
|
- 'requests-oauthlib==1.0.0',
|
||||||
|
- 'six==1.12.0',
|
||||||
|
- 'SQLAlchemy==1.2.18',
|
||||||
|
- 'urllib3==1.24.1',
|
||||||
|
- 'Werkzeug==0.14.1',
|
||||||
|
- 'python-dateutil==2.7.3',
|
||||||
|
- #editor==1.0.3
|
||||||
|
- 'Mako==1.0.7',
|
||||||
|
],
|
||||||
|
)
|
10
pkgs/uffd/fix-userinfo.patch
Normal file
10
pkgs/uffd/fix-userinfo.patch
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
--- a/uffd/oauth2/views.py 2022-04-30 20:39:53.825474990 +0000
|
||||||
|
+++ b/uffd/oauth2/views.py 2022-04-30 20:40:12.632389377 +0000
|
||||||
|
@@ -234,6 +234,7 @@
|
||||||
|
id=user.unix_uid,
|
||||||
|
name=user.displayname,
|
||||||
|
nickname=user.loginname,
|
||||||
|
+ username=user.loginname,
|
||||||
|
email=user.mail,
|
||||||
|
groups=[group.name for group in user.groups]
|
||||||
|
)
|
|
@ -71,26 +71,23 @@
|
||||||
};
|
};
|
||||||
omniauth = {
|
omniauth = {
|
||||||
enabled = true;
|
enabled = true;
|
||||||
auto_sign_in_with_provider = "openid_connect";
|
auto_sign_in_with_provider = "oauth2_generic";
|
||||||
allow_single_sign_on = ["openid_connect"];
|
allow_single_sign_on = ["oauth2_generic"];
|
||||||
block_auto_created_users = false;
|
block_auto_created_users = false;
|
||||||
providers = [
|
providers = [
|
||||||
{
|
{
|
||||||
name = "openid_connect";
|
name = "oauth2_generic";
|
||||||
label = "infra4future Login";
|
label = "infra4future Login";
|
||||||
|
app_id = "gitlab";
|
||||||
|
app_secret = { _secret = "/persist/secrets/oidc-clientsecret"; };
|
||||||
args = {
|
args = {
|
||||||
name = "openid_connect";
|
|
||||||
scope = ["openid" "profile" "email"];
|
|
||||||
response_type = "code";
|
|
||||||
issuer = "https://auth.infra4future.de/auth/realms/forfuture";
|
|
||||||
discovery = true;
|
|
||||||
client_auth_method = "query";
|
|
||||||
uid_field = "username";
|
|
||||||
client_options = {
|
client_options = {
|
||||||
identifier = "gitlab";
|
site = "https://login.infra4future.de";
|
||||||
secret = { _secret = "/persist/secrets/oidc-clientsecret"; };
|
user_info_url = "/oauth2/userinfo";
|
||||||
redirect_uri = "https://gitlab.infra4future.de/users/auth/openid_connect/callback";
|
authorize_url = "/oauth2/authorize";
|
||||||
|
token_url = "/oauth2/token";
|
||||||
};
|
};
|
||||||
|
strategy_class ="OmniAuth::Strategies::OAuth2Generic";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
|
@ -55,8 +55,8 @@
|
||||||
hsts.preload = false;
|
hsts.preload = false;
|
||||||
email = false;
|
email = false;
|
||||||
oauth2 = {
|
oauth2 = {
|
||||||
authorizationURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
|
authorizationURL = "https://login.infra4future.de/oauth2/authorize";
|
||||||
tokenURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
|
tokenURL = "https://login.infra4future.de/oauth2/token";
|
||||||
clientID = "hedgedoc";
|
clientID = "hedgedoc";
|
||||||
clientSecret = "1a730af1-4d6e-4c1d-8f7e-72375c9b8d62";
|
clientSecret = "1a730af1-4d6e-4c1d-8f7e-72375c9b8d62";
|
||||||
};
|
};
|
||||||
|
@ -64,9 +64,9 @@
|
||||||
};
|
};
|
||||||
systemd.services.hedgedoc.environment = {
|
systemd.services.hedgedoc.environment = {
|
||||||
"CMD_LOGLEVEL" = "warn";
|
"CMD_LOGLEVEL" = "warn";
|
||||||
"CMD_OAUTH2_USER_PROFILE_URL" = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo";
|
"CMD_OAUTH2_USER_PROFILE_URL" = "https://login.infra4future.de/oauth2/userinfo";
|
||||||
"CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR" = "name";
|
"CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR" = "nickname";
|
||||||
"CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR" = "display-name";
|
"CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR" = "name";
|
||||||
"CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR" = "email";
|
"CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR" = "email";
|
||||||
"CMD_OAUTH2_PROVIDERNAME" = "Infra4Future";
|
"CMD_OAUTH2_PROVIDERNAME" = "Infra4Future";
|
||||||
};
|
};
|
||||||
|
|
|
@ -141,9 +141,9 @@ in {
|
||||||
Enable = true;
|
Enable = true;
|
||||||
Id = "mattermost";
|
Id = "mattermost";
|
||||||
Scope = "";
|
Scope = "";
|
||||||
AuthEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
|
AuthEndpoint = "https://login.infra4future.de/oauth2/authorize";
|
||||||
TokenEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
|
TokenEndpoint = "https://login.infra4future.de/oauth2/token";
|
||||||
UserApiEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo";
|
UserApiEndpoint = "https://login.infra4future.de/oauth2/userinfo";
|
||||||
};
|
};
|
||||||
# for some reason, these don't appear to be working; the startup
|
# for some reason, these don't appear to be working; the startup
|
||||||
# process complaines and sets these back to en
|
# process complaines and sets these back to en
|
||||||
|
|
66
services/uffd.nix
Normal file
66
services/uffd.nix
Normal file
|
@ -0,0 +1,66 @@
|
||||||
|
{ config, lib, pkgs, profiles, modules, evalConfig, sources, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
uffd = pkgs.uffd;
|
||||||
|
in {
|
||||||
|
containers.uffd = {
|
||||||
|
privateNetwork = true;
|
||||||
|
hostAddress = "192.168.100.1";
|
||||||
|
localAddress = "192.168.100.9";
|
||||||
|
autoStart = true;
|
||||||
|
bindMounts = {
|
||||||
|
"/persist" = {
|
||||||
|
hostPath = "/persist/containers/uffd";
|
||||||
|
isReadOnly = false;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
|
||||||
|
boot.isContainer = true;
|
||||||
|
networking.useDHCP = false;
|
||||||
|
users.users.root.hashedPassword = "";
|
||||||
|
|
||||||
|
imports = [
|
||||||
|
((import sources.nix-hexchen) {}).profiles.nopersist
|
||||||
|
];
|
||||||
|
|
||||||
|
nixpkgs.config.allowUnfree = true;
|
||||||
|
networking.firewall.enable = false;
|
||||||
|
networking.defaultGateway = {
|
||||||
|
address = "192.168.100.1";
|
||||||
|
interface = "eth0";
|
||||||
|
};
|
||||||
|
services.coredns = {
|
||||||
|
enable = true;
|
||||||
|
config = ''
|
||||||
|
.:53 {
|
||||||
|
forward . 1.1.1.1
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
services.uwsgi = {
|
||||||
|
enable = true;
|
||||||
|
plugins = [ "python3" ];
|
||||||
|
instance = {
|
||||||
|
type = "normal";
|
||||||
|
pythonPackages = self: with self; [ uffd ];
|
||||||
|
module = "uffd:create_app()";
|
||||||
|
# socket = "${config.services.uwsgi.runDir}/uwsgi.sock";
|
||||||
|
http = ":8080";
|
||||||
|
env = [
|
||||||
|
"CONFIG_PATH=/persist/uffd/uffd.conf"
|
||||||
|
];
|
||||||
|
hook-pre-app = "exec:FLASK_APP=${uffd}/lib/python3.9/site-packages/uffd flask db upgrade";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
})).config.system.build.toplevel;
|
||||||
|
};
|
||||||
|
services.nginx.virtualHosts."login.infra4future.de" = {
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
locations = {
|
||||||
|
"/".proxyPass = "http://${config.containers.uffd.localAddress}:8080";
|
||||||
|
"/static".root = "${uffd}/lib/python3.9/site-packages/uffd";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
Loading…
Reference in a new issue