From 9ca65bd37d356582b53d2f96fc0c39bb51fc2218 Mon Sep 17 00:00:00 2001 From: stuebinm Date: Fri, 19 Mar 2021 15:24:03 +0100 Subject: [PATCH] wink: oauth2_proxy half-working MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit For the record: this is the last state before nftables broke yesterday. As far as I know, all that is missing from this to make the authentication for wink actually work is internet access for the container (as was also the case for hasenloch); the snippets for coredns and NAT copied from that container led to the aforementioned firewall problem — or at least they are the only thing I changed between deployments. Apart from that: this moves the proxy into the container, mostly to make keeping track of its state (esp. the secrets file) easier should we ever decide to move this somewhere else / delete the container, since that will just delete any additional state of the proxy with it. --- services/wink.nix | 71 ++++++++++++++++++++++++----------------------- 1 file changed, 37 insertions(+), 34 deletions(-) diff --git a/services/wink.nix b/services/wink.nix index f279632..689be72 100644 --- a/services/wink.nix +++ b/services/wink.nix @@ -9,15 +9,10 @@ privateNetwork = true; hostAddress = "192.168.100.10"; localAddress = "192.168.100.11"; - - # expose the wink database for easier backups / migrations - bindMounts."/var/lib/wink/db" = { - hostPath = "/var/lib/wink-db"; - isReadOnly = false; - }; + config = {pkgs, config, ...}: { - networking.firewall.allowedTCPPorts = [ 3000 ]; + networking.firewall.allowedTCPPorts = [ 8000 ]; environment.systemPackages = [ pkgs.wink pkgs.v8 ]; systemd.services.wink = { 
@@ -39,39 +34,47 @@ rails-wrapped server -b [::] -p 3000 ''; }; + + services.oauth2_proxy = + let keycloakurl = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect"; + in { + enable = true; + #nginx.virtualHosts = [ "matrix.hacc.space" ]; + upstream = "http://localhost:3000"; + httpAddress = "http//0.0.0.0:8000"; + + email.domains = [ "*" ]; + + # for the keycloak side of the configuration, see the documentation at + # https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider#keycloak-auth-provider + provider = "keycloak"; + clientID = "winktest"; # TODO + loginURL = "${keycloakurl}/auth"; + redeemURL = "${keycloakurl}/token"; + profileURL = "${keycloakurl}/userinfo"; + validateURL = "${keycloakurl}/userinfo"; + + # must contain OAUTH2_PROXY_COOKIE_SECRET and OAUTH2_PROXY_CLIENT_SECRET + keyFile = "/var/lib/oauth2_proxy/secrets"; + + extraConfig = { + # log format (default would also log ip addresses / users) + auth-logging-format = "[{{.Timestamp}}] [{{.Status}}] {{.Message}}"; + #allowed_group = "hacc"; + }; + }; + + }; }; - - - services.nginx.virtualHosts."wink.hacc.space" = { - locations."/".proxyPass = "http://${config.containers.wink.localAddress}:3000"; + + + services.nginx.virtualHosts."matrix.hacc.space" = { + locations."/".proxyPass = "http://${config.containers.wink.localAddress}:8000"; forceSSL = true; enableACME = true; }; - services.oauth2_proxy = - let keycloakurl = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect"; - in { - enable = true; - nginx.virtualHosts = [ "wink.hacc.space" ]; - # for the keycloak side of the configuration, see the documentation at - # https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider#keycloak-auth-provider - provider = "keycloak"; - clientID = ""; # TODO - loginURL = "${keycloakurl}/auth"; - redeemURL = "${keycloakurl}/token"; - profileURL = "${keycloakurl}/userinfo"; - validateURL = "${keycloakurl}/userinfo"; - - # must 
contain OAUTH2_PROXY_COOKIE_SECRET and OAUTH2_PROXY_CLIENT_SECRET - keyFile = "/var/lib/oauth2_proxy/secrets"; - - extraConfig = { - # log format (default would also log ip addresses / users) - auth_logging_format = "[{{.Timestamp}}] [{{.Status}}] {{.Message}}"; - allowed_group = "hacc"; - }; - }; }
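Review bot: Moving the proxy into the container silently drops the group restriction: the new `extraConfig` comments out `#allowed_group = "hacc";` while `email.domains = [ "*" ];` is set, so any account that can log in to the Keycloak realm now reaches wink, whereas the removed host-side config at least intended to limit access to the `hacc` group (it is not visible from the diff whether that ever took effect, since oauth2-proxy option names use hyphens and the old `auth_logging_format`/`allowed_group` used underscores — the new `auth-logging-format` line shows the hyphenated form). Re-enable it before this goes live, as `allowed-group = "hacc";`, and drop the `# TODO` `clientID = "winktest"` test client at the same time. Separately, `httpAddress = "http//0.0.0.0:8000";` is missing the colon after `http`, so the proxy is unlikely to bind where the nginx `proxyPass` on `:8000` expects it; it should read `httpAddress = "http://0.0.0.0:8000";`. The nginx virtual host also changes from `wink.hacc.space` to `matrix.hacc.space` without a word in the commit message, which looks like a copy/paste slip from another service and would capture that hostname's TLS vhost if one exists — please confirm the intended name, and since the proxy now sits behind nginx over plain HTTP, it will presumably need the reverse-proxy/redirect-URL settings so the OAuth redirect URI is built from the forwarded scheme and host (the enclosing container definition starts outside this hunk).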