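{ config, pkgs, lib, ... }:

let
  # Allow-list of hostnames this vhost fronts, each mapped to the scheme used
  # when proxying to it. Anything not listed here is refused by the nginx map
  # below (it maps to "" and the "/" location returns 403), so this attribute
  # set is the complete list of hosts that can be reached through the proxy.
  beyondspaceDomains = {
    "inventory.waw.hackerspace.pl" = "https";
    "vending.waw.hackerspace.pl" = "https";
  };

  # One "host scheme;" line per allow-listed host, for the nginx map block.
  upstreamProtoMapEntries = lib.concatStringsSep "\n"
    (lib.mapAttrsToList (host: proto: "${host} ${proto};") beyondspaceDomains);
in
{
  # oauth2-proxy in front of the beyondspace hosts, authenticating users
  # against the hackerspace SSO over OIDC. The client/cookie secrets are read
  # from keyFile at runtime so they never end up in the Nix store.
  services.oauth2_proxy = {
    enable = true;
    provider = "oidc";
    keyFile = "/var/beyondspace.secrets";
    clientID = "1e0a7ba0-5a15-477a-8d96-690ebbe6e720";
    extraConfig = {
      oidc-issuer-url = "https://sso.hackerspace.pl";
      # "*" accepts every account the SSO issues a token for; authorization is
      # therefore delegated entirely to the identity provider.
      email-domain = "*";
    };
  };

  # Resolve the requested host to the scheme we proxy with.
  #
  # The map is keyed on $host (lower-cased, port stripped) rather than the raw
  # $http_host header, so it matches the same value that proxy_pass uses and a
  # "host:443" Host header still hits its entry. Hosts that are not in
  # beyondspaceDomains map to "" and are rejected in the "/" location; with
  # the previous "default http" an unknown Host header reaching this server
  # block would have been forwarded as plain http to whatever the client named.
  services.nginx.commonHttpConfig = ''
    map $host $beyondspace_upstream_proto {
      hostnames;

      default "";

      ${upstreamProtoMapEntries}
    }
  '';

  services.nginx.virtualHosts."beyond.waw.hackerspace.pl" = {
    forceSSL = true;
    enableACME = true;

    # Every allow-listed host is served by this one vhost (and its ACME cert).
    # Note that "beyond.waw.hackerspace.pl" itself is not in beyondspaceDomains,
    # so requests for it get 403 from the "/" location; add it to the allow-list
    # if it is meant to have a real upstream.
    serverAliases = lib.attrNames beyondspaceDomains;

    # oauth2-proxy's own endpoints (sign-in, callback, sign-out).
    locations."/oauth2/" = {
      extraConfig = ''
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
      '';
    };

    # Subrequest target for auth_request: oauth2-proxy answers 202 or 401
    # based on the session cookie alone.
    locations."= /oauth2/auth" = {
      extraConfig = ''
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;

        # nginx auth_request includes headers but not body
        proxy_set_header Content-Length "";
        proxy_pass_request_body off;
      '';
    };

    # Everything else: require a valid oauth2-proxy session, then forward the
    # request to the allow-listed upstream for this host.
    locations."/" = {
      extraConfig = ''
        # Refuse hosts that are not in beyondspaceDomains before any auth or
        # proxying happens. "if" with a bare "return" is one of the forms that
        # is safe inside a location block.
        if ($beyondspace_upstream_proto = "") {
          return 403;
        }

        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;

        # if you enabled --cookie-refresh, this is needed for it to work with auth_request
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;

        # NOTE(review): a proxy_pass with variables resolves the upstream name
        # at request time and needs a "resolver" directive in nginx unless the
        # names are resolvable without one - confirm a resolver is configured
        # elsewhere in this host's nginx config.
        proxy_pass $beyondspace_upstream_proto://$host$request_uri;
      '';
    };
  };
}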