forked from hacc/haccfiles
wink: oauth2_proxy half-working
For the record: this is the last state before nftables broke yesterday. As far as I know, all that is missing from this to make the authentication for wink actually work is internet access for the container (as was also the case for hasenloch); the snippets for coredns and NAT copied from that container led to the aforementioned firewall problem — or at least they are the only thing I changed between deployments. Apart from that: this moves the proxy into the container, mostly to make keeping track of its state (esp. the secrets file) easier should we ever decide to move this somewhere else / delete the container, since that will just delete any additional state of the proxy with it.
This commit is contained in:
parent
8f64bcff7d
commit
9ca65bd37d
1 changed files with 37 additions and 34 deletions
|
@ -10,14 +10,9 @@
|
||||||
hostAddress = "192.168.100.10";
|
hostAddress = "192.168.100.10";
|
||||||
localAddress = "192.168.100.11";
|
localAddress = "192.168.100.11";
|
||||||
|
|
||||||
# expose the wink database for easier backups / migrations
|
|
||||||
bindMounts."/var/lib/wink/db" = {
|
|
||||||
hostPath = "/var/lib/wink-db";
|
|
||||||
isReadOnly = false;
|
|
||||||
};
|
|
||||||
|
|
||||||
config = {pkgs, config, ...}: {
|
config = {pkgs, config, ...}: {
|
||||||
networking.firewall.allowedTCPPorts = [ 3000 ];
|
networking.firewall.allowedTCPPorts = [ 8000 ];
|
||||||
environment.systemPackages = [ pkgs.wink pkgs.v8 ];
|
environment.systemPackages = [ pkgs.wink pkgs.v8 ];
|
||||||
|
|
||||||
systemd.services.wink = {
|
systemd.services.wink = {
|
||||||
|
@ -39,39 +34,47 @@
|
||||||
rails-wrapped server -b [::] -p 3000
|
rails-wrapped server -b [::] -p 3000
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.oauth2_proxy =
|
||||||
|
let keycloakurl = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect";
|
||||||
|
in {
|
||||||
|
enable = true;
|
||||||
|
#nginx.virtualHosts = [ "matrix.hacc.space" ];
|
||||||
|
upstream = "http://localhost:3000";
|
||||||
|
httpAddress = "http//0.0.0.0:8000";
|
||||||
|
|
||||||
|
email.domains = [ "*" ];
|
||||||
|
|
||||||
|
# for the keycloak side of the configuration, see the documentation at
|
||||||
|
# https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider#keycloak-auth-provider
|
||||||
|
provider = "keycloak";
|
||||||
|
clientID = "winktest"; # TODO
|
||||||
|
loginURL = "${keycloakurl}/auth";
|
||||||
|
redeemURL = "${keycloakurl}/token";
|
||||||
|
profileURL = "${keycloakurl}/userinfo";
|
||||||
|
validateURL = "${keycloakurl}/userinfo";
|
||||||
|
|
||||||
|
# must contain OAUTH2_PROXY_COOKIE_SECRET and OAUTH2_PROXY_CLIENT_SECRET
|
||||||
|
keyFile = "/var/lib/oauth2_proxy/secrets";
|
||||||
|
|
||||||
|
extraConfig = {
|
||||||
|
# log format (default would also log ip addresses / users)
|
||||||
|
auth-logging-format = "[{{.Timestamp}}] [{{.Status}}] {{.Message}}";
|
||||||
|
#allowed_group = "hacc";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
services.nginx.virtualHosts."wink.hacc.space" = {
|
services.nginx.virtualHosts."matrix.hacc.space" = {
|
||||||
locations."/".proxyPass = "http://${config.containers.wink.localAddress}:3000";
|
locations."/".proxyPass = "http://${config.containers.wink.localAddress}:8000";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
services.oauth2_proxy =
|
|
||||||
let keycloakurl = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect";
|
|
||||||
in {
|
|
||||||
enable = true;
|
|
||||||
nginx.virtualHosts = [ "wink.hacc.space" ];
|
|
||||||
|
|
||||||
# for the keycloak side of the configuration, see the documentation at
|
|
||||||
# https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider#keycloak-auth-provider
|
|
||||||
provider = "keycloak";
|
|
||||||
clientID = ""; # TODO
|
|
||||||
loginURL = "${keycloakurl}/auth";
|
|
||||||
redeemURL = "${keycloakurl}/token";
|
|
||||||
profileURL = "${keycloakurl}/userinfo";
|
|
||||||
validateURL = "${keycloakurl}/userinfo";
|
|
||||||
|
|
||||||
# must contain OAUTH2_PROXY_COOKIE_SECRET and OAUTH2_PROXY_CLIENT_SECRET
|
|
||||||
keyFile = "/var/lib/oauth2_proxy/secrets";
|
|
||||||
|
|
||||||
extraConfig = {
|
|
||||||
# log format (default would also log ip addresses / users)
|
|
||||||
auth_logging_format = "[{{.Timestamp}}] [{{.Status}}] {{.Message}}";
|
|
||||||
allowed_group = "hacc";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue