feat: rss using oauth2 proxy

2024-03-30 16:29:00 +01:00 · 2024-03-30 16:29:00 +01:00 · 2ad57db0e1
parent e7a7704b7f
commit 2ad57db0e1
10 changed files with 52 additions and 122 deletions
--- a/hosts/elisabeth/guests.nix
+++ b/hosts/elisabeth/guests.nix
@ -57,6 +57,48 @@ in {
          + virtualHostExtraConfig;
      };
    };
+    proxyProtect = hostName: cfg:
+      lib.mkMerge [
+        (blockOf hostName cfg)
+        {
+          virtualHosts.${domainOf hostName} = {
+            locations."/".extraConfig = ''
+              auth_request /oauth2/auth;
+              error_page 401 = /oauth2/sign_in;
+
+              # pass information via X-User and X-Email headers to backend,
+              # requires running with --set-xauthrequest flag
+              auth_request_set $user   $upstream_http_x_auth_request_user;
+              auth_request_set $email  $upstream_http_x_auth_request_email;
+              proxy_set_header X-User  $user;
+              proxy_set_header X-Email $email;
+
+              # if you enabled --cookie-refresh, this is needed for it to work with auth_request
+              auth_request_set $auth_cookie $upstream_http_set_cookie;
+              add_header Set-Cookie $auth_cookie;
+            '';
+            locations."/oauth2/" = {
+              proxyPass = "http://oauth2-proxy";
+              extraConfig = ''
+                proxy_set_header X-Scheme                $scheme;
+                proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
+              '';
+            };
+
+            locations."= /oauth2/auth" = {
+              proxyPass = "http://oauth2-proxy/oauth2/auth?allowed_groups=${hostName}_access";
+              extraConfig = ''
+                internal;
+
+                proxy_set_header X-Scheme         $scheme;
+                # nginx auth_request includes headers but not body
+                proxy_set_header Content-Length   "";
+                proxy_pass_request_body           off;
+              '';
+            };
+          };
+        }
+      ];
  in
    lib.mkMerge [
      {
@ -111,96 +153,10 @@ in {
      (blockOf "vaultwarden" {maxBodySize = "1G";})
      (blockOf "forgejo" {maxBodySize = "1G";})
      (blockOf "immich" {maxBodySize = "5G";})
-      (lib.mkMerge
-        [
-          (
-            blockOf "adguardhome"
-            {
-            }
-          )
-          {
-            virtualHosts.${domainOf "adguardhome"} = {
-              locations."/".extraConfig = ''
-                auth_request /oauth2/auth;
-                error_page 401 = /oauth2/sign_in;
-
-                # pass information via X-User and X-Email headers to backend,
-                # requires running with --set-xauthrequest flag
-                auth_request_set $user   $upstream_http_x_auth_request_user;
-                auth_request_set $email  $upstream_http_x_auth_request_email;
-                proxy_set_header X-User  $user;
-                proxy_set_header X-Email $email;
-
-                # if you enabled --cookie-refresh, this is needed for it to work with auth_request
-                auth_request_set $auth_cookie $upstream_http_set_cookie;
-                add_header Set-Cookie $auth_cookie;
-              '';
-              locations."/oauth2/" = {
-                proxyPass = "http://oauth2-proxy";
-                extraConfig = ''
-                  proxy_set_header X-Scheme                $scheme;
-                  proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
-                '';
-              };
-
-              locations."= /oauth2/auth" = {
-                proxyPass = "http://oauth2-proxy/oauth2/auth?allowed_groups=adguardhome_access";
-                extraConfig = ''
-                  internal;
-
-                  proxy_set_header X-Scheme         $scheme;
-                  # nginx auth_request includes headers but not body
-                  proxy_set_header Content-Length   "";
-                  proxy_pass_request_body           off;
-                '';
-              };
-            };
-          }
-        ])
-      (lib.mkMerge [
-        (blockOf "oauth2-proxy" {})
-        {
-          virtualHosts.${domainOf "oauth2-proxy"} = {
-            locations."/".extraConfig = ''
-              auth_request /oauth2/auth;
-              error_page 401 = /oauth2/sign_in;
-
-              # pass information via X-User and X-Email headers to backend,
-              # requires running with --set-xauthrequest flag
-              auth_request_set $user   $upstream_http_x_auth_request_user;
-              auth_request_set $email  $upstream_http_x_auth_request_email;
-              proxy_set_header X-User  $user;
-              proxy_set_header X-Email $email;
-
-              # if you enabled --cookie-refresh, this is needed for it to work with auth_request
-              auth_request_set $auth_cookie $upstream_http_set_cookie;
-              add_header Set-Cookie $auth_cookie;
-            '';
-
-            locations."/oauth2/" = {
-              proxyPass = "http://oauth2-proxy";
-              extraConfig = ''
-                proxy_set_header X-Scheme                $scheme;
-                proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
-              '';
-            };
-
-            locations."= /oauth2/auth" = {
-              proxyPass = "http://oauth2-proxy/oauth2/auth";
-              extraConfig = ''
-                internal;
-
-                proxy_set_header X-Scheme         $scheme;
-                # nginx auth_request includes headers but not body
-                proxy_set_header Content-Length   "";
-                proxy_pass_request_body           off;
-              '';
-            };
-          };
-        }
-      ])
+      (proxyProtect "adguardhome" {})
+      (proxyProtect "oauth2-proxy" {})
      (blockOf "paperless" {maxBodySize = "5G";})
-      (blockOf "ttrss" {port = 80;})
+      (proxyProtect "ttrss" {port = 80;})
      (blockOf "yourspotify" {port = 80;})
      (blockOf "apispotify" {
        port = 3000;
--- a/hosts/elisabeth/secrets/kanidm/secrets.nix.age
+++ b/hosts/elisabeth/secrets/kanidm/secrets.nix.age
--- a/hosts/elisabeth/secrets/ttrss/generated/freshrsspasswd.age
+++ b/hosts/elisabeth/secrets/ttrss/generated/freshrsspasswd.age
@ -1,15 +0,0 @@
-age-encryption.org/v1
-> X25519 KeayMdkWoIyLZu47yQdC+NKUeBli7y/KhyFrbvQKMjo
-RFNC0waSc89REZ+uRWTYyKYcM0oW9Q8m92buzX9OlaY
-> piv-p256 XTQkUA Aqrx2ok2XeZvJWsPvOi7o7T3/PvZcZ5naOEvSouqGDxt
-PW6G4aqvzq4JoJecPp7bP4Rzc6rgAV4NaTfeRCF5OYA
-> piv-p256 ZFgiIw A7pQOh63jVeS6WHnWusY2FuLk8ezS/lu6h+LmTqgArA3
-4IkRO5JXgBggCYSI0lOaccyqVmHupOiFqZZwHsdlBDc
-> piv-p256 5vmPtQ A7kRH2YuvwTE+wCqpvE8FBlHthHv8cMWVLQOWxbKbgHq
-OudUFhREd4J2cQQG9eEeKIjAqHkp+XznKFpvsJjgEHk
-> piv-p256 ZFgiIw AsojcZKNzLUdTgOekkqwisrOy7t8hup9sVla7PbL1RKH
-cpG56veIp+cpW9JXsK2/4NXQ7kJM7g1Hg/sEnFSuW8k
-> ~yTrd-grease ox]5\ *89S8!#
-Bfh0HDXNORM8GT6noqoh2KcVvUOksp09VOfG/dUFCC4DUUo
--- EJSmnzU8XIhaFIkPRjyFZxi+kEHap903mrUuc2MpUkY
-þöžéüÀ<C3BC>s¬àl•3‚i±ßp}©êøÜ¨d…*†mŽEþ	=FCÓ}Jé2î×É½‚ùpMvô,¢ˆ„®ÿspÀ<70>Dõðé]˜L3¨ÎÎÚ
--- a/modules/actual.nix
+++ b/modules/actual.nix
@ -0,0 +1,2 @@
+{
+}
--- a/modules/netbird-client.nix
+++ b/modules/netbird-client.nix
@ -228,11 +228,6 @@ in {
                UMask = "0077";
              };

-              unitConfig = {
-                StartLimitInterval = 5;
-                StartLimitBurst = 10;
-              };
-
              stopIfChanged = false;
            }
        )
--- a/modules/netbird-server.nix
+++ b/modules/netbird-server.nix
@ -167,7 +167,7 @@ in {
    services.coturn = mkIf cfg.enableCoturn {
      enable = true;

-      realm = cfg.dorain;
+      realm = cfg.domain;
      lt-cred-mech = true;
      no-cli = true;

--- a/modules/services/kanidm.nix
+++ b/modules/services/kanidm.nix
@ -88,6 +88,8 @@ in {
        preferShortUsername = true;
      };

+      groups."rss.access" = {};
+
      groups."nextcloud.access" = {
        members = ["nextcloud.admins"];
      };
--- a/modules/services/netbird.nix
+++ b/modules/services/netbird.nix
@ -19,9 +19,9 @@
    };
  };
  services.netbird-server = {
+    enableCoturn = true;
    enable = true;
    domain = "netbird.${config.secrets.secrets.global.domains.web}";
-    # TODO remove
    oidcConfigEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird/.well-known/openid-configuration";
    singleAccountModeDomain = "netbird.patrick";
  };
--- a/modules/services/ttrss.nix
+++ b/modules/services/ttrss.nix
@ -1,18 +1,14 @@
 {config, ...}: {
-  age.secrets.freshrsspasswd = {
-    generator.script = "alnum";
-    owner = config.services.freshrss.user;
-  };
  wireguard.elisabeth = {
    client.via = "elisabeth";
    firewallRuleForNode.elisabeth.allowedTCPPorts = [80];
  };
  services.freshrss = {
    enable = true;
-    passwordFile = config.age.secrets.freshrsspasswd.path;
    defaultUser = "patrick";
    baseUrl = "https://rss.lel.lol";
    virtualHost = "rss.lel.lol";
+    authType = "none";
  };
  environment.persistence."/persist".directories = [
    {
--- a/pkgs/actual.nix
+++ b/pkgs/actual.nix
@ -67,11 +67,5 @@ stdenv.mkDerivation rec {
  '';

  meta = with lib; {
-    description = "Single-column Fediverse client for desktop";
-    homepage = "https://whalebird.social";
-    sourceProvenance = with sourceTypes; [fromSource];
-    license = licenses.gpl3Only;
-    maintainers = with maintainers; [wolfangaukang colinsane weathercold];
-    platforms = ["x86_64-linux" "aarch64-linux"];
  };
 }