feat: rss using oauth2 proxy

Patrick 2024-03-30 16:29:00 +01:00
parent e7a7704b7f
commit 2ad57db0e1
Signed by: patrick
GPG key ID: 451F95EFB8BECD0F
10 changed files with 52 additions and 122 deletions


@ -57,6 +57,48 @@ in {
+ virtualHostExtraConfig;
};
};
proxyProtect = hostName: cfg:
lib.mkMerge [
(blockOf hostName cfg)
{
virtualHosts.${domainOf hostName} = {
locations."/".extraConfig = ''
auth_request /oauth2/auth;
error_page 401 = /oauth2/sign_in;
# pass information via X-User and X-Email headers to backend,
# requires running with --set-xauthrequest flag
auth_request_set $user $upstream_http_x_auth_request_user;
auth_request_set $email $upstream_http_x_auth_request_email;
proxy_set_header X-User $user;
proxy_set_header X-Email $email;
# if you enabled --cookie-refresh, this is needed for it to work with auth_request
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
'';
locations."/oauth2/" = {
proxyPass = "http://oauth2-proxy";
extraConfig = ''
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
'';
};
locations."= /oauth2/auth" = {
proxyPass = "http://oauth2-proxy/oauth2/auth?allowed_groups=${hostName}_access";
extraConfig = ''
internal;
proxy_set_header X-Scheme $scheme;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
'';
};
};
}
];
in
lib.mkMerge [
{
@ -111,96 +153,10 @@ in {
(blockOf "vaultwarden" {maxBodySize = "1G";})
(blockOf "forgejo" {maxBodySize = "1G";})
(blockOf "immich" {maxBodySize = "5G";})
(lib.mkMerge
[
(
blockOf "adguardhome"
{
}
)
{
virtualHosts.${domainOf "adguardhome"} = {
locations."/".extraConfig = ''
auth_request /oauth2/auth;
error_page 401 = /oauth2/sign_in;
# pass information via X-User and X-Email headers to backend,
# requires running with --set-xauthrequest flag
auth_request_set $user $upstream_http_x_auth_request_user;
auth_request_set $email $upstream_http_x_auth_request_email;
proxy_set_header X-User $user;
proxy_set_header X-Email $email;
# if you enabled --cookie-refresh, this is needed for it to work with auth_request
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
'';
locations."/oauth2/" = {
proxyPass = "http://oauth2-proxy";
extraConfig = ''
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
'';
};
locations."= /oauth2/auth" = {
proxyPass = "http://oauth2-proxy/oauth2/auth?allowed_groups=adguardhome_access";
extraConfig = ''
internal;
proxy_set_header X-Scheme $scheme;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
'';
};
};
}
])
(lib.mkMerge [
(blockOf "oauth2-proxy" {})
{
virtualHosts.${domainOf "oauth2-proxy"} = {
locations."/".extraConfig = ''
auth_request /oauth2/auth;
error_page 401 = /oauth2/sign_in;
# pass information via X-User and X-Email headers to backend,
# requires running with --set-xauthrequest flag
auth_request_set $user $upstream_http_x_auth_request_user;
auth_request_set $email $upstream_http_x_auth_request_email;
proxy_set_header X-User $user;
proxy_set_header X-Email $email;
# if you enabled --cookie-refresh, this is needed for it to work with auth_request
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
'';
locations."/oauth2/" = {
proxyPass = "http://oauth2-proxy";
extraConfig = ''
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
'';
};
locations."= /oauth2/auth" = {
proxyPass = "http://oauth2-proxy/oauth2/auth";
extraConfig = ''
internal;
proxy_set_header X-Scheme $scheme;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
'';
};
};
}
])
(proxyProtect "adguardhome" {})
(proxyProtect "oauth2-proxy" {})
(blockOf "paperless" {maxBodySize = "5G";})
(blockOf "ttrss" {port = 80;})
(proxyProtect "ttrss" {port = 80;})
(blockOf "yourspotify" {port = 80;})
(blockOf "apispotify" {
port = 3000;
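Review bot: The authorization gate in `proxyProtect` is derived from the host name (`allowed_groups=${hostName}_access`), so it is only as strong as the naming contract with the IdP, and this commit's kanidm hunk adds `groups."rss.access" = {};` while the vhost protected here is `(proxyProtect "ttrss" {port = 80;})`, which asks oauth2-proxy for `ttrss_access`; unless the group claim is renamed somewhere outside this diff, that check fails for everyone, and an empty group with no members would fail it anyway. The refactor also tightens `(proxyProtect "oauth2-proxy" {})`: the removed inline block queried `/oauth2/auth` with no `allowed_groups` (old line `proxyPass = "http://oauth2-proxy/oauth2/auth";`), whereas it now requires an `oauth2-proxy_access` group, which may be intended but is not stated in the commit message. I would record the contract next to the helper: `# allowed_groups is derived from hostName: the IdP must expose a group named "<hostName>_access" for every protected vhost (e.g. ttrss_access), otherwise nobody passes the auth_request.` The enclosing `let` starts before the first hunk and the merged list runs past the second.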


@ -1,15 +0,0 @@
age-encryption.org/v1
-> X25519 KeayMdkWoIyLZu47yQdC+NKUeBli7y/KhyFrbvQKMjo
RFNC0waSc89REZ+uRWTYyKYcM0oW9Q8m92buzX9OlaY
-> piv-p256 XTQkUA Aqrx2ok2XeZvJWsPvOi7o7T3/PvZcZ5naOEvSouqGDxt
PW6G4aqvzq4JoJecPp7bP4Rzc6rgAV4NaTfeRCF5OYA
-> piv-p256 ZFgiIw A7pQOh63jVeS6WHnWusY2FuLk8ezS/lu6h+LmTqgArA3
4IkRO5JXgBggCYSI0lOaccyqVmHupOiFqZZwHsdlBDc
-> piv-p256 5vmPtQ A7kRH2YuvwTE+wCqpvE8FBlHthHv8cMWVLQOWxbKbgHq
OudUFhREd4J2cQQG9eEeKIjAqHkp+XznKFpvsJjgEHk
-> piv-p256 ZFgiIw AsojcZKNzLUdTgOekkqwisrOy7t8hup9sVla7PbL1RKH
cpG56veIp+cpW9JXsK2/4NXQ7kJM7g1Hg/sEnFSuW8k
-> ~yTrd-grease ox]5\ *89S8!#
Bfh0HDXNORM8GT6noqoh2KcVvUOksp09VOfG/dUFCC4DUUo
--- EJSmnzU8XIhaFIkPRjyFZxi+kEHap903mrUuc2MpUkY
þöžéüÀ<C3BC>­s¬àl•3i±ßp}©êøܨd…*†mŽEþ =FCÓ}Jé2î×ɽùpMvô,¢ˆ„®ÿspÀ<70>Dõðé]˜L3¨ÎÎÚ

modules/actual.nix Normal file

@ -0,0 +1,2 @@
{
}


@ -228,11 +228,6 @@ in {
UMask = "0077";
};
unitConfig = {
StartLimitInterval = 5;
StartLimitBurst = 10;
};
stopIfChanged = false;
}
)


@ -167,7 +167,7 @@ in {
services.coturn = mkIf cfg.enableCoturn {
enable = true;
realm = cfg.dorain;
realm = cfg.domain;
lt-cred-mech = true;
no-cli = true;


@ -88,6 +88,8 @@ in {
preferShortUsername = true;
};
groups."rss.access" = {};
groups."nextcloud.access" = {
members = ["nextcloud.admins"];
};


@ -19,9 +19,9 @@
};
};
services.netbird-server = {
enableCoturn = true;
enable = true;
domain = "netbird.${config.secrets.secrets.global.domains.web}";
# TODO remove
oidcConfigEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird/.well-known/openid-configuration";
singleAccountModeDomain = "netbird.patrick";
};


@ -1,18 +1,14 @@
{config, ...}: {
age.secrets.freshrsspasswd = {
generator.script = "alnum";
owner = config.services.freshrss.user;
};
wireguard.elisabeth = {
client.via = "elisabeth";
firewallRuleForNode.elisabeth.allowedTCPPorts = [80];
};
services.freshrss = {
enable = true;
passwordFile = config.age.secrets.freshrsspasswd.path;
defaultUser = "patrick";
baseUrl = "https://rss.lel.lol";
virtualHost = "rss.lel.lol";
authType = "none";
};
environment.persistence."/persist".directories = [
{
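Review bot: `authType = "none";` removes FreshRSS's own login together with the dropped `passwordFile`, so every request that reaches the service is served as `defaultUser = "patrick";` and the only remaining control is the oauth2-proxy `auth_request` in the nginx vhost in front of it; the wireguard rule `firewallRuleForNode.elisabeth.allowedTCPPorts = [80];` is now what keeps port 80 reachable only from the proxy host, and nothing in this hunk states that dependency. Since the proxy already forwards `X-User`, the module's `http_auth` type (it reads `REMOTE_USER`, which the vhost would have to set from that header) would keep per-user identity instead of collapsing every proxy user into one account — worth confirming that a single shared account is intended. Either way I would document the assumption above `authType`: `# No application-level auth: access is gated solely by the oauth2-proxy auth_request in the nginx vhost; port 80 must stay reachable only over the wireguard link from elisabeth.` The attrset continues past the end of the hunk.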


@ -67,11 +67,5 @@ stdenv.mkDerivation rec {
'';
meta = with lib; {
description = "Single-column Fediverse client for desktop";
homepage = "https://whalebird.social";
sourceProvenance = with sourceTypes; [fromSource];
license = licenses.gpl3Only;
maintainers = with maintainers; [wolfangaukang colinsane weathercold];
platforms = ["x86_64-linux" "aarch64-linux"];
};
}