hswaw/machines/customs.hackerspace.pl/beyondspace.nix

{ config, pkgs, lib, ... }:

let
  beyondspaceDomains = {
    "inventory.waw.hackerspace.pl" = "https";
    "vending.waw.hackerspace.pl" = "https";
    "label.waw.hackerspace.pl" = "http";
  };

in with lib; {
  services.oauth2_proxy = {
    enable = true;
    provider = "oidc";
    keyFile = "/var/beyondspace.secrets";
    clientID = "1e0a7ba0-5a15-477a-8d96-690ebbe6e720";
    extraConfig = {
      oidc-issuer-url = "https://sso.hackerspace.pl";
      email-domain = "*";
      provider-display-name = "sso.hackerspace.pl";

      # We use HTTP basic authentication for programmatic access to LAN services
      htpasswd-file = "/var/beyondspace.htpasswd";
      display-htpasswd-form = false;

      custom-sign-in-logo = builtins.path { path = ./default-vhost/beyondspace.png; };
      footer = "This page is only accessible to <a href='https://hackerspace.pl'>Warsaw Hackerspace</a> members (or directly from within Warsaw Hackerspace LAN).";
    };
  };


  services.nginx.commonHttpConfig = ''
    map $http_host $beyondspace_upstream_proto {
      hostnames;

      default http;

      ${concatStringsSep "\n" (mapAttrsToList (key: value: "${key} ${value};") beyondspaceDomains)}
    }
    '';

  services.nginx.virtualHosts."beyond.waw.hackerspace.pl" = {
    # NOTE: we *can't* use forceSSL here for services that do not use HTTPS in
    # local network setups, since this will pollute browser's redirect cache...
    addSSL = true;
    enableACME = true;

    serverAliases = attrNames beyondspaceDomains;

    locations."/oauth2/" = {
      extraConfig = ''
        if ($scheme != https) {
          return 302 https://$host$request_uri;
        }

        proxy_pass       http://127.0.0.1:4180;
        proxy_set_header Host                    $host;
        proxy_set_header X-Real-IP               $remote_addr;
        proxy_set_header X-Scheme                $scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
      '';
    };

    locations."= /oauth2/auth" = {
      extraConfig = ''
        if ($scheme != https) {
          return 302 https://$host$request_uri;
        }

        proxy_pass       http://127.0.0.1:4180;
        proxy_set_header Host             $host;
        proxy_set_header X-Real-IP        $remote_addr;
        proxy_set_header X-Scheme         $scheme;

        # nginx auth_request includes headers but not body
        proxy_set_header Content-Length   "";
        proxy_pass_request_body           off;
      '';
    };

    locations."/" = {
      extraConfig = ''
        if ($scheme != https) {
          return 302 https://$host$request_uri;
        }

        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;

        # if you enabled --cookie-refresh, this is needed for it to work with auth_request
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;

        proxy_pass $beyondspace_upstream_proto://$host$request_uri;
        '';
    };
  };

  services.nginx.virtualHosts."*.waw.hackerspace.pl" = {
    default = true;
    locations."/".root = ./default-vhost;
  };
}