haccfiles/services/wink.nix
stuebinm e6edb7b8d8
wink: add cookie domain in oauth2-proxy
In theory, this should work without that option (by getting the correct domain
from the nginx reverse proxy via IP header), but apparently it doesn't.

Also, I moved wink to wink2.hacc.space
2021-08-26 22:17:14 +02:00


# for documentation on how this container works, have a look at
# https://wiki.infra4future.de/books/voc-infra/page/wink-65b
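{ pkgs, config, ...}:
{
  # wink runs in a NixOS container on a private veth network.  The host only
  # ever talks to the oauth2-proxy port (8000); the Rails server on 3000 is
  # not in the container firewall and so is reachable only through the proxy.
  containers.wink = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "192.168.100.10";
    localAddress = "192.168.100.11";
    config = {pkgs, config, ...}: {
      # Expose oauth2-proxy only; Rails (port 3000) stays container-local.
      networking.firewall.allowedTCPPorts = [ 8000 ];
      environment.systemPackages = [ pkgs.wink pkgs.v8 ];
      systemd.services.wink = {
        enable = true;
        description = "Wo ist meine Winkekatze?";
        wantedBy = [ "multi-user.target" ];
        serviceConfig.type = "simple";
        environment.HOME = "/var/lib/wink/home";
        path = [ pkgs.wink pkgs.v8 ];
        # Copy the (read-only) store output into a writable state directory on
        # every start; migrations and seed data run once, guarded by a marker
        # file.  NOTE(review): RAILS_ENV is only passed to the rake tasks, not
        # to the server command, so the server presumably runs in Rails'
        # default (development) environment -- confirm before relying on any
        # production-only behaviour such as generic error pages.
        script = ''
          mkdir -p /var/lib/wink/home
          cd /var/lib/wink
          cp -r ${pkgs.wink.outPath}/* .
          if [ ! -f database.exists ]
          then
            rails-wrapped db:migrate db:seed RAILS_ENV=development
            touch database.exists
          fi
          rails-wrapped server -b [::] -p 3000
        '';
      };
      # oauth2-proxy fronts the Rails app and authenticates against Keycloak.
      services.oauth2_proxy =
        let keycloakurl = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect";
        in {
          enable = true;
          #nginx.virtualHosts = [ "matrix.hacc.space" ];
          upstream = "http://localhost:3000";
          # Listen on all container interfaces.  The scheme separator used to
          # be written as "http//" (colon missing); fixed here.
          httpAddress = "http://0.0.0.0:8000";
          # "*" accepts every e-mail address: any account that completes the
          # Keycloak login is authorized.  Access control therefore lives
          # entirely on the Keycloak client (allowed_group below is unused).
          email.domains = [ "*" ];
          # Pin the session cookie to the public hostname.  NOTE(review): the
          # nginx vhost below sets only proxyPass, so unless
          # services.nginx.recommendedProxySettings is enabled elsewhere the
          # Host / X-Forwarded-* headers are not passed on -- likely why
          # oauth2-proxy could not derive the domain itself.  Setting
          # redirectURL explicitly would make the callback independent of
          # that as well.
          cookie.domain = "wink2.hacc.space";
          # for the keycloak side of the configuration, see the documentation at
          # https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider#keycloak-auth-provider
          provider = "keycloak";
          clientID = "winktest"; # TODO
          loginURL = "${keycloakurl}/auth";
          redeemURL = "${keycloakurl}/token";
          profileURL = "${keycloakurl}/userinfo";
          validateURL = "${keycloakurl}/userinfo";
          # must contain OAUTH2_PROXY_COOKIE_SECRET and OAUTH2_PROXY_CLIENT_SECRET
          # (kept outside the world-readable Nix store on purpose)
          keyFile = "/var/lib/oauth2_proxy/secrets";
          extraConfig = {
            # log format (default would also log ip addresses / users)
            # Note that this also drops the fields needed to attribute a
            # login attempt to an account or source when investigating.
            auth-logging-format = "[{{.Timestamp}}] [{{.Status}}] {{.Message}}";
            #allowed_group = "hacc";
          };
        };
      # Container DNS: forward every query (plain UDP/TCP 53) to 1.1.1.1.
      services.coredns = {
        enable = true;
        config = ''
          .:53 {
            forward . 1.1.1.1
          }
        '';
      };
    };
  };
  # TLS terminates on the host; traffic to the container crosses the veth in
  # plain HTTP.
  services.nginx.virtualHosts."wink2.hacc.space" = {
    locations."/".proxyPass = "http://${config.containers.wink.localAddress}:8000";
    forceSSL = true;
    enableACME = true;
  };
  # NAT the container's veth so it can reach the outside (e.g. Keycloak, DNS).
  networking.nat.enable = true;
  networking.nat.internalInterfaces = ["ve-wink"];
  networking.nat.externalInterface = "enp6s0";
}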