h/m/customs/beyondspace: oauth2-based members-only proxy

Change-Id: I4f7102b4c4ddd9d0f085653ad08e071f172f289d
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1307
Reviewed-by: vuko <vuko@hackerspace.pl>
diff --git a/hswaw/laserproxy/default.nix b/hswaw/laserproxy/default.nix
index 1a03992..45d5ae6 100644
--- a/hswaw/laserproxy/default.nix
+++ b/hswaw/laserproxy/default.nix
@@ -28,6 +28,7 @@
       lib.strings.hasSuffix "/hswaw" name ||
       lib.strings.hasInfix "/hswaw/site" name ||
       lib.strings.hasInfix "/hswaw/laserproxy" name ||
+      lib.strings.hasInfix "/hswaw/site" name ||
 
       lib.strings.hasSuffix "/BUILD" name ||
       lib.strings.hasSuffix "/WORKSPACE" name ||
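Review bot: The added `lib.strings.hasInfix "/hswaw/site" name ||` is byte-identical to the line two above it, so the filter's behaviour does not change at all. If the intent was to let the laserproxy source filter admit the new beyondspace module (or something else this commit touches), the line needs the path that file actually lives under, presumably under `/hswaw/machines`; otherwise it should simply be dropped to avoid the false impression that something was added. The enclosing filter function starts before this hunk, so I cannot see whether the path is already admitted by an earlier clause.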
diff --git a/hswaw/machines/customs.hackerspace.pl/beyondspace.nix b/hswaw/machines/customs.hackerspace.pl/beyondspace.nix
new file mode 100644
index 0000000..90b17c0
--- /dev/null
+++ b/hswaw/machines/customs.hackerspace.pl/beyondspace.nix
@@ -0,0 +1,74 @@
+{ config, pkgs, lib, ... }:
+
+let
+  beyondspaceDomains = {
+    "inventory.waw.hackerspace.pl" = "https";
+    "vending.waw.hackerspace.pl" = "https";
+  };
+
+in with lib; {
+  services.oauth2_proxy = {
+    enable = true;
+    provider = "oidc";
+    keyFile = "/var/beyondspace.secrets";
+    clientID = "1e0a7ba0-5a15-477a-8d96-690ebbe6e720";
+    extraConfig = {
+      oidc-issuer-url = "https://sso.hackerspace.pl";
+      email-domain = "*";
+    };
+  };
+
+
+  services.nginx.commonHttpConfig = ''
+    map $http_host $beyondspace_upstream_proto {
+      hostnames;
+
+      default http;
+
+      ${concatStringsSep "\n" (mapAttrsToList (key: value: "${key} ${value};") beyondspaceDomains)}
+    }
+    '';
+
+  services.nginx.virtualHosts."beyond.waw.hackerspace.pl" = {
+    forceSSL = true;
+    enableACME = true;
+
+    serverAliases = attrNames beyondspaceDomains;
+
+    locations."/oauth2/" = {
+      extraConfig = ''
+        proxy_pass       http://127.0.0.1:4180;
+        proxy_set_header Host                    $host;
+        proxy_set_header X-Real-IP               $remote_addr;
+        proxy_set_header X-Scheme                $scheme;
+        proxy_set_header X-Auth-Request-Redirect $request_uri;
+      '';
+    };
+
+    locations."= /oauth2/auth" = {
+      extraConfig = ''
+        proxy_pass       http://127.0.0.1:4180;
+        proxy_set_header Host             $host;
+        proxy_set_header X-Real-IP        $remote_addr;
+        proxy_set_header X-Scheme         $scheme;
+
+        # nginx auth_request includes headers but not body
+        proxy_set_header Content-Length   "";
+        proxy_pass_request_body           off;
+      '';
+    };
+
+    locations."/" = {
+      extraConfig = ''
+        auth_request /oauth2/auth;
+        error_page 401 = /oauth2/sign_in;
+
+        # if you enabled --cookie-refresh, this is needed for it to work with auth_request
+        auth_request_set $auth_cookie $upstream_http_set_cookie;
+        add_header Set-Cookie $auth_cookie;
+
+        proxy_pass $beyondspace_upstream_proto://$host$request_uri;
+        '';
+    };
+  };
+}
diff --git a/hswaw/machines/customs.hackerspace.pl/configuration.nix b/hswaw/machines/customs.hackerspace.pl/configuration.nix
index ff8ea00..e74b50a 100644
--- a/hswaw/machines/customs.hackerspace.pl/configuration.nix
+++ b/hswaw/machines/customs.hackerspace.pl/configuration.nix
@@ -50,6 +50,7 @@
       ./checkinator-web.nix
       ./mikrotik-exporter.nix
       ./netboot.nix
+      ./beyondspace.nix
       ./laserproxy/service.nix
     ];
 
@@ -436,6 +437,7 @@
   services.nginx.appendHttpConfig = ''
     server_names_hash_bucket_size 64;
   '';
+  services.nginx.resolver.addresses = [ "127.0.0.1" ];
 
   security.acme = {
     email = "bofh@hackerspace.pl";
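Review bot: `services.nginx.resolver.addresses = [ "127.0.0.1" ]` makes the variable `proxy_pass` in beyondspace.nix depend on a DNS server listening on loopback, and nginx's `resolver` speaks only DNS (it never consults `/etc/hosts`), so if no local resolver is running every request through the members-only proxy fails at name resolution. Nothing in this diff shows such a service being enabled; if it is configured elsewhere, a one-line comment such as `# variable proxy_pass targets are resolved through the local DNS server (see beyondspace.nix)` next to this option would tell the next maintainer why loopback was chosen over the upstream resolvers. Keeping resolution local is the right choice here, since the resolver's answers decide where authenticated traffic is forwarded.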