feat: rss using oauth2 proxy

2024-03-30 16:29:00 +01:00 · 2024-03-30 16:29:00 +01:00 · 2ad57db0e1
parent e7a7704b7f
commit 2ad57db0e1
10 changed files with 52 additions and 122 deletions
--- a/hosts/elisabeth/guests.nix
+++ b/hosts/elisabeth/guests.nix
@ -57,6 +57,48 @@ in {
          + virtualHostExtraConfig;
      };
    };
    proxyProtect = hostName: cfg:
      lib.mkMerge [
        (blockOf hostName cfg)
        {
          virtualHosts.${domainOf hostName} = {
            locations."/".extraConfig = ''
              auth_request /oauth2/auth;
              error_page 401 = /oauth2/sign_in;
              # pass information via X-User and X-Email headers to backend,
              # requires running with --set-xauthrequest flag
              auth_request_set $user   $upstream_http_x_auth_request_user;
              auth_request_set $email  $upstream_http_x_auth_request_email;
              proxy_set_header X-User  $user;
              proxy_set_header X-Email $email;
              # if you enabled --cookie-refresh, this is needed for it to work with auth_request
              auth_request_set $auth_cookie $upstream_http_set_cookie;
              add_header Set-Cookie $auth_cookie;
            '';
            locations."/oauth2/" = {
              proxyPass = "http://oauth2-proxy";
              extraConfig = ''
                proxy_set_header X-Scheme                $scheme;
                proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
              '';
            };
            locations."= /oauth2/auth" = {
              proxyPass = "http://oauth2-proxy/oauth2/auth?allowed_groups=${hostName}_access";
              extraConfig = ''
                internal;
                proxy_set_header X-Scheme         $scheme;
                # nginx auth_request includes headers but not body
                proxy_set_header Content-Length   "";
                proxy_pass_request_body           off;
              '';
            };
          };
        }
      ];
  in
    lib.mkMerge [
      {
@ -111,96 +153,10 @@ in {
      (blockOf "vaultwarden" {maxBodySize = "1G";})
      (blockOf "forgejo" {maxBodySize = "1G";})
      (blockOf "immich" {maxBodySize = "5G";})
-      (lib.mkMerge
+      (proxyProtect "adguardhome" {})
-        [
+      (proxyProtect "oauth2-proxy" {})
          (
            blockOf "adguardhome"
            {
            }
          )
          {
            virtualHosts.${domainOf "adguardhome"} = {
              locations."/".extraConfig = ''
                auth_request /oauth2/auth;
                error_page 401 = /oauth2/sign_in;
                # pass information via X-User and X-Email headers to backend,
                # requires running with --set-xauthrequest flag
                auth_request_set $user   $upstream_http_x_auth_request_user;
                auth_request_set $email  $upstream_http_x_auth_request_email;
                proxy_set_header X-User  $user;
                proxy_set_header X-Email $email;
                # if you enabled --cookie-refresh, this is needed for it to work with auth_request
                auth_request_set $auth_cookie $upstream_http_set_cookie;
                add_header Set-Cookie $auth_cookie;
              '';
              locations."/oauth2/" = {
                proxyPass = "http://oauth2-proxy";
                extraConfig = ''
                  proxy_set_header X-Scheme                $scheme;
                  proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
                '';
              };
              locations."= /oauth2/auth" = {
                proxyPass = "http://oauth2-proxy/oauth2/auth?allowed_groups=adguardhome_access";
                extraConfig = ''
                  internal;
                  proxy_set_header X-Scheme         $scheme;
                  # nginx auth_request includes headers but not body
                  proxy_set_header Content-Length   "";
                  proxy_pass_request_body           off;
                '';
              };
            };
          }
        ])
      (lib.mkMerge [
        (blockOf "oauth2-proxy" {})
        {
          virtualHosts.${domainOf "oauth2-proxy"} = {
            locations."/".extraConfig = ''
              auth_request /oauth2/auth;
              error_page 401 = /oauth2/sign_in;
              # pass information via X-User and X-Email headers to backend,
              # requires running with --set-xauthrequest flag
              auth_request_set $user   $upstream_http_x_auth_request_user;
              auth_request_set $email  $upstream_http_x_auth_request_email;
              proxy_set_header X-User  $user;
              proxy_set_header X-Email $email;
              # if you enabled --cookie-refresh, this is needed for it to work with auth_request
              auth_request_set $auth_cookie $upstream_http_set_cookie;
              add_header Set-Cookie $auth_cookie;
            '';
            locations."/oauth2/" = {
              proxyPass = "http://oauth2-proxy";
              extraConfig = ''
                proxy_set_header X-Scheme                $scheme;
                proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
              '';
            };
            locations."= /oauth2/auth" = {
              proxyPass = "http://oauth2-proxy/oauth2/auth";
              extraConfig = ''
                internal;
                proxy_set_header X-Scheme         $scheme;
                # nginx auth_request includes headers but not body
                proxy_set_header Content-Length   "";
                proxy_pass_request_body           off;
              '';
            };
          };
        }
      ])
      (blockOf "paperless" {maxBodySize = "5G";})
-      (blockOf "ttrss" {port = 80;})
+      (proxyProtect "ttrss" {port = 80;})
      (blockOf "yourspotify" {port = 80;})
      (blockOf "apispotify" {
        port = 3000;
--- a/hosts/elisabeth/secrets/kanidm/secrets.nix.age
+++ b/hosts/elisabeth/secrets/kanidm/secrets.nix.age
--- a/hosts/elisabeth/secrets/ttrss/generated/freshrsspasswd.age
+++ b/hosts/elisabeth/secrets/ttrss/generated/freshrsspasswd.age
@ -1,15 +0,0 @@
 age-encryption.org/v1
 -> X25519 KeayMdkWoIyLZu47yQdC+NKUeBli7y/KhyFrbvQKMjo
 RFNC0waSc89REZ+uRWTYyKYcM0oW9Q8m92buzX9OlaY
 -> piv-p256 XTQkUA Aqrx2ok2XeZvJWsPvOi7o7T3/PvZcZ5naOEvSouqGDxt
 PW6G4aqvzq4JoJecPp7bP4Rzc6rgAV4NaTfeRCF5OYA
 -> piv-p256 ZFgiIw A7pQOh63jVeS6WHnWusY2FuLk8ezS/lu6h+LmTqgArA3
 4IkRO5JXgBggCYSI0lOaccyqVmHupOiFqZZwHsdlBDc
 -> piv-p256 5vmPtQ A7kRH2YuvwTE+wCqpvE8FBlHthHv8cMWVLQOWxbKbgHq
 OudUFhREd4J2cQQG9eEeKIjAqHkp+XznKFpvsJjgEHk
 -> piv-p256 ZFgiIw AsojcZKNzLUdTgOekkqwisrOy7t8hup9sVla7PbL1RKH
 cpG56veIp+cpW9JXsK2/4NXQ7kJM7g1Hg/sEnFSuW8k
 -> ~yTrd-grease ox]5\ *89S8!#
 Bfh0HDXNORM8GT6noqoh2KcVvUOksp09VOfG/dUFCC4DUUo
 --- EJSmnzU8XIhaFIkPRjyFZxi+kEHap903mrUuc2MpUkY
 þöžéüÀ<C3BC>s¬àl•3‚i±ßp}©êøÜ¨d…*†mŽEþ	=FCÓ}Jé2î×É½‚ùpMvô,¢ˆ„®ÿspÀ<70>Dõðé]˜L3¨ÎÎÚ
--- a/modules/actual.nix
+++ b/modules/actual.nix
@ -0,0 +1,2 @@
 {
 }
--- a/modules/netbird-client.nix
+++ b/modules/netbird-client.nix
@ -228,11 +228,6 @@ in {
                UMask = "0077";
              };
              unitConfig = {
                StartLimitInterval = 5;
                StartLimitBurst = 10;
              };
              stopIfChanged = false;
            }
        )
--- a/modules/netbird-server.nix
+++ b/modules/netbird-server.nix
@ -167,7 +167,7 @@ in {
    services.coturn = mkIf cfg.enableCoturn {
      enable = true;
-      realm = cfg.dorain;
+      realm = cfg.domain;
      lt-cred-mech = true;
      no-cli = true;
--- a/modules/services/kanidm.nix
+++ b/modules/services/kanidm.nix
@ -88,6 +88,8 @@ in {
        preferShortUsername = true;
      };
      groups."rss.access" = {};
      groups."nextcloud.access" = {
        members = ["nextcloud.admins"];
      };
--- a/modules/services/netbird.nix
+++ b/modules/services/netbird.nix
@ -19,9 +19,9 @@
    };
  };
  services.netbird-server = {
    enableCoturn = true;
    enable = true;
    domain = "netbird.${config.secrets.secrets.global.domains.web}";
    # TODO remove
    oidcConfigEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird/.well-known/openid-configuration";
    singleAccountModeDomain = "netbird.patrick";
  };
--- a/modules/services/ttrss.nix
+++ b/modules/services/ttrss.nix
@ -1,18 +1,14 @@
 {config, ...}: {
  age.secrets.freshrsspasswd = {
    generator.script = "alnum";
    owner = config.services.freshrss.user;
  };
  wireguard.elisabeth = {
    client.via = "elisabeth";
    firewallRuleForNode.elisabeth.allowedTCPPorts = [80];
  };
  services.freshrss = {
    enable = true;
    passwordFile = config.age.secrets.freshrsspasswd.path;
    defaultUser = "patrick";
    baseUrl = "https://rss.lel.lol";
    virtualHost = "rss.lel.lol";
    authType = "none";
  };
  environment.persistence."/persist".directories = [
    {
--- a/pkgs/actual.nix
+++ b/pkgs/actual.nix
@ -67,11 +67,5 @@ stdenv.mkDerivation rec {
  '';
  meta = with lib; {
    description = "Single-column Fediverse client for desktop";
    homepage = "https://whalebird.social";
    sourceProvenance = with sourceTypes; [fromSource];
    license = licenses.gpl3Only;
    maintainers = with maintainers; [wolfangaukang colinsane weathercold];
    platforms = ["x86_64-linux" "aarch64-linux"];
  };
 }