From 2ad57db0e1ac6b0228bad6807406c6f90db759b4 Mon Sep 17 00:00:00 2001
From: Patrick
Date: Sat, 30 Mar 2024 16:29:00 +0100
Subject: [PATCH] feat: rss using oauth2 proxy
---
 hosts/elisabeth/guests.nix | 134 ++++++------------
 .../elisabeth/secrets/kanidm/secrets.nix.age | Bin 1973 -> 1977 bytes
 .../ttrss/generated/freshrsspasswd.age | 15 --
 modules/actual.nix | 2 +
 modules/netbird-client.nix | 5 -
 modules/netbird-server.nix | 2 +-
 modules/services/kanidm.nix | 2 +
 modules/services/netbird.nix | 2 +-
 modules/services/ttrss.nix | 6 +-
 pkgs/actual.nix | 6 -
 10 files changed, 52 insertions(+), 122 deletions(-)
 delete mode 100644 hosts/elisabeth/secrets/ttrss/generated/freshrsspasswd.age
 create mode 100644 modules/actual.nix
diff --git a/hosts/elisabeth/guests.nix b/hosts/elisabeth/guests.nix
index 0799754..4f94739 100644
--- a/hosts/elisabeth/guests.nix
+++ b/hosts/elisabeth/guests.nix
@@ -57,6 +57,48 @@ in {
 + virtualHostExtraConfig;
 };
 };
+ proxyProtect = hostName: cfg:
+ lib.mkMerge [
+ (blockOf hostName cfg)
+ {
+ virtualHosts.${domainOf hostName} = {
+ locations."/".extraConfig = ''
+ auth_request /oauth2/auth;
+ error_page 401 = /oauth2/sign_in;
+
+ # pass information via X-User and X-Email headers to backend,
+ # requires running with --set-xauthrequest flag
+ auth_request_set $user $upstream_http_x_auth_request_user;
+ auth_request_set $email $upstream_http_x_auth_request_email;
+ proxy_set_header X-User $user;
+ proxy_set_header X-Email $email;
+
+ # if you enabled --cookie-refresh, this is needed for it to work with auth_request
+ auth_request_set $auth_cookie $upstream_http_set_cookie;
+ add_header Set-Cookie $auth_cookie;
+ '';
+ locations."/oauth2/" = {
+ proxyPass = "http://oauth2-proxy";
+ extraConfig = ''
+ proxy_set_header X-Scheme $scheme;
+ proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
+ '';
+ };
+
+ locations."= /oauth2/auth" = {
+ proxyPass = "http://oauth2-proxy/oauth2/auth?allowed_groups=${hostName}_access";
+ extraConfig = ''
+ internal;
+
+ proxy_set_header X-Scheme $scheme;
+ # nginx auth_request includes headers but not body
+ proxy_set_header Content-Length "";
+ proxy_pass_request_body off;
+ '';
+ };
+ };
+ }
+ ];
 in
 lib.mkMerge [
 {
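Review bot: `allowed_groups=${hostName}_access` in the `= /oauth2/auth` location derives the required group from the host name, but the only kanidm group this commit adds (modules/services/kanidm.nix hunk) is `rss.access`, while the host is wired up as `proxyProtect "ttrss"`, so the check will ask for `ttrss_access`; if the existing `adguardhome_access`/`nextcloud.access` naming convention holds, that lookup fails closed for every user, and the new group is also created without `members`. Either name the group after the host, `groups."ttrss.access" = {};`, or let callers override it, e.g. `proxyProtect = hostName: cfg: let group = cfg.accessGroup or "${hostName}_access"; in` with `allowed_groups=${group}` (only if blockOf ignores the extra key, which is not visible here). Separately, `add_header Set-Cookie $auth_cookie;` inside `locations."/"` disables inheritance of any server-level add_header directives (nginx inherits them only when the location declares none), so security headers that blockOf may set would silently vanish on every protected host; a comment noting this, or re-declaring those headers here, would avoid surprises. The enclosing let block starts before the hunk.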
@@ -111,96 +153,10 @@ in {
 (blockOf "vaultwarden" {maxBodySize = "1G";})
 (blockOf "forgejo" {maxBodySize = "1G";})
 (blockOf "immich" {maxBodySize = "5G";})
- (lib.mkMerge
- [
- (
- blockOf "adguardhome"
- {
- }
- )
- {
- virtualHosts.${domainOf "adguardhome"} = {
- locations."/".extraConfig = ''
- auth_request /oauth2/auth;
- error_page 401 = /oauth2/sign_in;
-
- # pass information via X-User and X-Email headers to backend,
- # requires running with --set-xauthrequest flag
- auth_request_set $user $upstream_http_x_auth_request_user;
- auth_request_set $email $upstream_http_x_auth_request_email;
- proxy_set_header X-User $user;
- proxy_set_header X-Email $email;
-
- # if you enabled --cookie-refresh, this is needed for it to work with auth_request
- auth_request_set $auth_cookie $upstream_http_set_cookie;
- add_header Set-Cookie $auth_cookie;
- '';
- locations."/oauth2/" = {
- proxyPass = "http://oauth2-proxy";
- extraConfig = ''
- proxy_set_header X-Scheme $scheme;
- proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
- '';
- };
-
- locations."= /oauth2/auth" = {
- proxyPass = "http://oauth2-proxy/oauth2/auth?allowed_groups=adguardhome_access";
- extraConfig = ''
- internal;
-
- proxy_set_header X-Scheme $scheme;
- # nginx auth_request includes headers but not body
- proxy_set_header Content-Length "";
- proxy_pass_request_body off;
- '';
- };
- };
- }
- ])
- (lib.mkMerge [
- (blockOf "oauth2-proxy" {})
- {
- virtualHosts.${domainOf "oauth2-proxy"} = {
- locations."/".extraConfig = ''
- auth_request /oauth2/auth;
- error_page 401 = /oauth2/sign_in;
-
- # pass information via X-User and X-Email headers to backend,
- # requires running with --set-xauthrequest flag
- auth_request_set $user $upstream_http_x_auth_request_user;
- auth_request_set $email $upstream_http_x_auth_request_email;
- proxy_set_header X-User $user;
- proxy_set_header X-Email $email;
-
- # if you enabled --cookie-refresh, this is needed for it to work with auth_request
- auth_request_set $auth_cookie $upstream_http_set_cookie;
- add_header Set-Cookie $auth_cookie;
- '';
-
- locations."/oauth2/" = {
- proxyPass = "http://oauth2-proxy";
- extraConfig = ''
- proxy_set_header X-Scheme $scheme;
- proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
- '';
- };
-
- locations."= /oauth2/auth" = {
- proxyPass = "http://oauth2-proxy/oauth2/auth";
- extraConfig = ''
- internal;
-
- proxy_set_header X-Scheme $scheme;
- # nginx auth_request includes headers but not body
- proxy_set_header Content-Length "";
- proxy_pass_request_body off;
- '';
- };
- };
- }
- ])
+ (proxyProtect "adguardhome" {})
+ (proxyProtect "oauth2-proxy" {})
 (blockOf "paperless" {maxBodySize = "5G";})
- (blockOf "ttrss" {port = 80;})
+ (proxyProtect "ttrss" {port = 80;})
 (blockOf "yourspotify" {port = 80;})
 (blockOf "apispotify" {
 port = 3000;
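Review bot: Swapping the oauth2-proxy vhost's hand-written block for `proxyProtect "oauth2-proxy" {}` tightens its auth check: the removed `= /oauth2/auth` location proxied to `http://oauth2-proxy/oauth2/auth` with no group restriction, whereas proxyProtect appends `allowed_groups=oauth2-proxy_access`. No group of that name is created anywhere in this commit, so every signed-in user is now denied on that host's `/` (the sign-in flow under `/oauth2/` is unaffected because that location carries no auth_request). If the tightening is unintended, give proxyProtect an optional group argument and pass the unrestricted form here; if it is intended, the group needs creating next to `rss.access` in kanidm.nix. The `ttrss` line only swaps `blockOf` for `proxyProtect`, so its `port = 80` backend setting is preserved.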
diff --git a/hosts/elisabeth/secrets/kanidm/secrets.nix.age b/hosts/elisabeth/secrets/kanidm/secrets.nix.age index 08c0487efcddf05ee1d09e33413deec2d5519d18..adf443c572620c4fd7624d9bb8a4d8a419da665b 100644 GIT binary patch delta 1950 zcmZvZ`BRez0zjdt)F`M(xKzm6fJdMqH+T>ea*_K^h=?Y9AqffO{1S*tY#mP7Mnn(= zMOv>`YOOaSf(n8nhs6;UrJ@i8WU7TCDze+@Z#%Pp!JGHq#YOdt_QG674#kqGk!F~s zIzudoSJ@qaoq{tWS?iBN# z8l8v=W&&h84{Z`?acG7H5|aQk>FhBkG!74wiv@ZK2}aUccxD19qcS8EBi1Chl2Bxq zm8a112o6<}j({=~s7QJ&M?t5=;UH|ARjd&JN-apH*o=g1Dh7*=wD&G^~!nL!!|nvVw$(MOy%z4o{cR%o%nJGLw^rW$T%|oPQRj z$7n2SrBw~15gqGfFx^UX^mdpM27&^J!O9naB#9jnuX5@$Z0S;Fx>=}BGh@x!IW9iJ zfw8Og6sbt1mH(|F7qAku1dy1R7#It$*C1sQF~><}2_)%&FoSGjU?t3WhYX#>Gs(FI zx&V=Bu;m~~kma!c*VpbYfdp=uum=alo{M?Br|{Ji>!g?C=e62iV^!vh>BWI@dtMVs z+DNfxY`QZ*H{B;nt#Qrlj(EL17=^-_>#UbrW#HA0z=o3vA7+-xZr~+(d4H|U=sGhD z-;WZflx**4&|PRus@}M4xbg7)<(+%mk6AmDr-B%m%TI{EUp=*`58ki;;$c&f&(AJ9CIo01`q$vOmO<>Y zg^}r>d{zuDoOiA6&Ay2sJZ3~VA?ux51KS{)c6or*UrO~IUA{&-dJS&iR)6Oi--5Wto@=+@zi2G;?7U+1g}X6Wnp?Fwjlh7NpfmwQSZPBdDc+t zbA0&zvE*>NXb28Xuh#W+`F!p4c}*YKG>;wdL&KKFmfyTtZRPdBqmFwBns)b)v2{}X zd^_&vem1zJ&EenVS6~+G@*Km@n&Y@JLiG%#ld*kePDk3a8StCV^F^{xjp_g^4lllvl!mc*x=X9+~VQ8Qy~qvQ30<4A3t!dzQ`3mc+=O-8s9(Xz;N-QhvYd^iPAee%c8xn1nwlmuY+^1c%6tRt~)Od9)6ae0#5J4mu+A@ z40w=!&Gn{q>(U*E+>)Yn)`yS#d_FkU<27K<=iD;Sa%&<;INFnRWQ)8;5Ca^w6NcnZ*eLN9iOwm7P)HM0&Lc3aa_UpBQV z#dWnTq`14h7v;m=m^5u2IaHNz4~-kuMy>h<^1HYPe*1W5o;%DdOIPHn_)zVtfqB7a zTSr2))Uyfx_e71GNl!lempUy5id1cfUAxgdIeNo;PlyUq>FZri39^9j9|5oaF;S_xrv>tdQ1UIN#eI)DEw&6v}`4tsp<){(j-h7ELxv X{74ya_V%x`0?U%H;?3#@C%spdnGh@i4<3W$3LuuER z4qI9gEu!s`sFy9&DiNNR4!Kgvvf|n2`SE$Zp19GmI4cb!%50`7=h0Qc=|*rkw%M!D&&bIfM%7# zF7Co7(vYG582Sbffgy^`U@U(cFp3SBwI#3)Og2Gk7VMqz~7}IrwQ%6Se zB*`42LB=2v6v=5QGci$}$WpLzWTsS$w404Y8AEM^s?b)D7$B=LB#jcI(Nkq)Q3}bJ zpyer%O0kk}RZGbPF+vW&*krnnXa2t-P`V^u9&VK3k%~A1Lnq@ThB#pk6AA@KITR|6 z31zWy*>+q)8Y@u=;+cgKgO#Guv7}O+NNNqYJCMd$yV`=lGvhHaR z6+S0?@<)R`2Ktt}I;-_auM#Ngccg^>w7Ncbw%ywcc5iB|vM4m{@~-_VKUV&WuIIj~ 
zp8^n?!)veat2A}Kz2Z;1ppDy$aW+K&mGYmSchBXxuN#JM$JiYNI=2%7JRHUqts_5hV5DhP^g&7kc}J-aIJ2q* z25tV_#knUqnO)O*`tQh_)SJ=QpF#L96up_+PXC99*WTRc>s?TfMpyKkI?vOhzHGJv zLqCx->2JlZyDKUt=TW&Qnr1M&Mt&9%CPEe^MQ&BidK`{Z-3_cR{t#3k zbzJ&*C2sJ*?f7i0?gG z!VU!rYi&-=<{y}@b4{2nCFSFb&WVXT34*lUFEbB35zG&GCY81wZHyS37V?Wgl?u0& zv%{-D-5&{HSv_aht+^xHDl34GbQ-FU^jExT9ZGRQt$*S3j@~%AL=3LeJzPA5Op0=^ zDh_oyam7KoJ((l^@os(O5^DONY=$|g`S^HP0J_?FRR6E($V~K-NjL-%P^B^(YGz90 z5j;(9OiR?|bG=c5T3%wEyE{dagl-52Vr0Jt<}O{G-uf=DO22j3ZBb*@^}1 z;LN+vM% z%bu`Xsczfdf)TNSefX`;oS`5>&S)zveVK1YzsC1lD!(-S2;tL~){~k$Xro`Qa24CT z+L=;Lz42U_S9xd|<+Lf%{lTqe)J>-b=eu_wnmATPd)p0Kil1klmA4pQTs-4vEG*WT z`!{OlnPFWLuc=fJx;eW$s^h-zm|HFTCiBwVLGw$)y7hnNwYZiDag>XTsm#;d5XY)} zEl>SIV*Zhplv@h8LpHvz1W}uYFFceE|GsnMZ++ZNysH_kZR@YKpYx2Q_DAmNWtXHh z58}%gwp861?C8%b2>N6EMrOm|gE3#8iTuWDO0$9mn;)EV^Ui7;BwXlOm=|_j&Yruo Xr~l-KuLi3~Yvv{@+8Pktrux4CM$=IW diff --git a/hosts/elisabeth/secrets/ttrss/generated/freshrsspasswd.age b/hosts/elisabeth/secrets/ttrss/generated/freshrsspasswd.age deleted file mode 100644 index 18f75d3..0000000 --- a/hosts/elisabeth/secrets/ttrss/generated/freshrsspasswd.age +++ /dev/null @@ -1,15 +0,0 @@ -age-encryption.org/v1 --> X25519 KeayMdkWoIyLZu47yQdC+NKUeBli7y/KhyFrbvQKMjo -RFNC0waSc89REZ+uRWTYyKYcM0oW9Q8m92buzX9OlaY --> piv-p256 XTQkUA Aqrx2ok2XeZvJWsPvOi7o7T3/PvZcZ5naOEvSouqGDxt -PW6G4aqvzq4JoJecPp7bP4Rzc6rgAV4NaTfeRCF5OYA --> piv-p256 ZFgiIw A7pQOh63jVeS6WHnWusY2FuLk8ezS/lu6h+LmTqgArA3 -4IkRO5JXgBggCYSI0lOaccyqVmHupOiFqZZwHsdlBDc --> piv-p256 5vmPtQ A7kRH2YuvwTE+wCqpvE8FBlHthHv8cMWVLQOWxbKbgHq -OudUFhREd4J2cQQG9eEeKIjAqHkp+XznKFpvsJjgEHk --> piv-p256 ZFgiIw AsojcZKNzLUdTgOekkqwisrOy7t8hup9sVla7PbL1RKH -cpG56veIp+cpW9JXsK2/4NXQ7kJM7g1Hg/sEnFSuW8k --> ~yTrd-grease ox]5\ *89S8!# -Bfh0HDXNORM8GT6noqoh2KcVvUOksp09VOfG/dUFCC4DUUo ---- EJSmnzU8XIhaFIkPRjyFZxi+kEHap903mrUuc2MpUkY -sl3ip}ܨd*mE =FC}J2ɽpMv,spD]L3 \ No newline at end of file diff --git a/modules/actual.nix b/modules/actual.nix new file mode 100644 index 0000000..2c63c08 
--- /dev/null
+++ b/modules/actual.nix
@@ -0,0 +1,2 @@
+{
+}
diff --git a/modules/netbird-client.nix b/modules/netbird-client.nix
index 3e6c60a..ebc223e 100644
--- a/modules/netbird-client.nix
+++ b/modules/netbird-client.nix
@@ -228,11 +228,6 @@ in {
 UMask = "0077";
 };
- unitConfig = {
- StartLimitInterval = 5;
- StartLimitBurst = 10;
- };
-
 stopIfChanged = false;
 }
 )
diff --git a/modules/netbird-server.nix b/modules/netbird-server.nix
index 80a2ace..b0c2c6c 100644
--- a/modules/netbird-server.nix
+++ b/modules/netbird-server.nix
@@ -167,7 +167,7 @@ in {
 services.coturn = mkIf cfg.enableCoturn {
 enable = true;
- realm = cfg.dorain;
+ realm = cfg.domain;
 lt-cred-mech = true;
 no-cli = true;
diff --git a/modules/services/kanidm.nix b/modules/services/kanidm.nix
index 5dcc958..bb387e0 100644
--- a/modules/services/kanidm.nix
+++ b/modules/services/kanidm.nix
@@ -88,6 +88,8 @@ in {
 preferShortUsername = true;
 };
+ groups."rss.access" = {};
+
 groups."nextcloud.access" = {
 members = ["nextcloud.admins"];
 };
diff --git a/modules/services/netbird.nix b/modules/services/netbird.nix
index 74ae540..4329ba8 100644
--- a/modules/services/netbird.nix
+++ b/modules/services/netbird.nix
@@ -19,9 +19,9 @@
 };
 };
 services.netbird-server = {
+ enableCoturn = true;
 enable = true;
 domain = "netbird.${config.secrets.secrets.global.domains.web}";
- # TODO remove
 oidcConfigEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird/.well-known/openid-configuration";
 singleAccountModeDomain = "netbird.patrick";
 };
diff --git a/modules/services/ttrss.nix b/modules/services/ttrss.nix
index 89f9d90..e68a7bb 100644
--- a/modules/services/ttrss.nix
+++ b/modules/services/ttrss.nix
@@ -1,18 +1,14 @@
 {config, ...}: {
- age.secrets.freshrsspasswd = {
- generator.script = "alnum";
- owner = config.services.freshrss.user;
- };
 wireguard.elisabeth = {
 client.via = "elisabeth";
 firewallRuleForNode.elisabeth.allowedTCPPorts = [80];
 };
 services.freshrss = {
 enable = true;
- passwordFile = config.age.secrets.freshrsspasswd.path;
 defaultUser = "patrick";
 baseUrl = "https://rss.lel.lol";
 virtualHost = "rss.lel.lol";
+ authType = "none";
 };
 environment.persistence."/persist".directories = [
 {
diff --git a/pkgs/actual.nix b/pkgs/actual.nix
index 1b5e73c..79d7e08 100644
--- a/pkgs/actual.nix
+++ b/pkgs/actual.nix
@@ -67,11 +67,5 @@ stdenv.mkDerivation rec {
 '';
 meta = with lib; {
- description = "Single-column Fediverse client for desktop";
- homepage = "https://whalebird.social";
- sourceProvenance = with sourceTypes; [fromSource];
- license = licenses.gpl3Only;
- maintainers = with maintainers; [wolfangaukang colinsane weathercold];
- platforms = ["x86_64-linux" "aarch64-linux"];
 };
 }
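Review bot: `authType = "none"` makes FreshRSS treat every request that reaches it as `defaultUser` ("patrick") without asking for any credential, so access control now rests entirely on the `proxyProtect` location on elisabeth and on `firewallRuleForNode.elisabeth.allowedTCPPorts = [80]`, which as I read it opens the guest's port 80 to elisabeth only. Any request that arrives at the guest vhost without passing through the protected `/` location, or a later widening of that firewall rule, lands as the admin user. FreshRSS's `http_auth` mode would let it consume the identity the proxy already asserts (the forwarded X-User header would have to reach PHP as REMOTE_USER on the guest's nginx), which also keeps per-user attribution correct once more people hold `rss.access`. If `none` is kept, record the invariant in this module, e.g. `# Auth is delegated to the oauth2-proxy auth_request gate in hosts/elisabeth/guests.nix; port 80 must stay reachable only from elisabeth.`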