From 289a1e953d8c8592e03bb3dfb653457590521be3 Mon Sep 17 00:00:00 2001
From: Fabian Montero
Date: Sun, 25 Aug 2024 04:38:59 -0600
Subject: [PATCH 1/3] pull locations out of extraconfig

---
 sys/srv/authentik.nix | 51 ++++++++++++++++++++++++-------------------
 1 file changed, 29 insertions(+), 22 deletions(-)

diff --git a/sys/srv/authentik.nix b/sys/srv/authentik.nix
index bc7e1e6..43f0bc7 100644
--- a/sys/srv/authentik.nix
+++ b/sys/srv/authentik.nix
@@ -44,28 +44,6 @@ with lib; {
 
 proxy_buffers 8 16k;
 proxy_buffer_size 32k;
-
- location /outpost.goauthentik.io {
- proxy_pass http://auth.posixlycorrect.com/outpost.goauthentik.io;
- # ensure the host of this vserver matches your external URL you've configured
- # in authentik
- proxy_set_header X-Forwarded-Host $host;
- proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
- add_header Set-Cookie $auth_cookie;
- auth_request_set $auth_cookie $upstream_http_set_cookie;
-
- # required for POST requests to work
- proxy_pass_request_body off;
- proxy_set_header Content-Length "";
- }
-
- location @goauthentik_proxy_signin {
- internal;
- add_header Set-Cookie $auth_cookie;
- return 302 /outpost.goauthentik.io/start?rd=$request_uri;
- # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
- # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
- }
 '';
 };
 }
@@ -76,6 +54,35 @@ with lib; {
 
 config = {
 services = {
+ nginx.virtualHosts."auth.posixlycorrect.com" = {
+ enableACME = true;
+ forceSSL = true;
+ locations = {
+ "/outpost.goauthentik.io" = {
+ proxyPass = "http://auth.posixlycorrect.com/outpost.goauthentik.io";
+ extraConfig = ''
+ # ensure the host of this vserver matches your external URL you've configured
+ # in authentik
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+ add_header Set-Cookie $auth_cookie;
+ auth_request_set $auth_cookie $upstream_http_set_cookie;
+
+ # required for POST requests to work
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+ '';
+ };
+ "@goauthentik_proxy_signin" = {
+ extraConfig = ''
+ internal;
+ add_header Set-Cookie $auth_cookie;
+ return 302 /outpost.goauthentik.io/start?rd=$request_uri;
+ '';
+ };
+ };
+ };
+
 authentik = {
 enable = true;
 environmentFile = "/var/trust/authentik/authentik-env";

From 167c519a25bf3fa57f9871c5835e11caece9909f Mon Sep 17 00:00:00 2001
From: Fabian Montero
Date: Sun, 25 Aug 2024 14:47:29 -0600
Subject: [PATCH 2/3] works!

---
 sys/srv/authentik.nix | 54 +++++++++++++++++++++++++------------------
 1 file changed, 31 insertions(+), 23 deletions(-)

diff --git a/sys/srv/authentik.nix b/sys/srv/authentik.nix
index bc7e1e6..8b68fe3 100644
--- a/sys/srv/authentik.nix
+++ b/sys/srv/authentik.nix
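Review bot: `proxyPass = "http://auth.posixlycorrect.com/outpost.goauthentik.io"` sends outpost traffic back out to the vhost's own public name over plain HTTP; if that name resolves to this host, the `forceSSL = true;` two lines above answers port 80 with a redirect instead of the outpost, so the auth subrequest cannot succeed and the round trip needlessly leaves the loopback. Pointing `proxyPass` at the outpost's local listener and passing `Host $host` keeps it local (the next patch in this series does exactly that). A second gap: nginx resolves `auth_request /outpost.goauthentik.io/auth/nginx` and the `@goauthentik_proxy_signin` named location inside the current `server` block only, yet this hunk defines both solely on `auth.posixlycorrect.com`, while the `enableAuthentik` option (its `extraConfig` is outside this hunk) still emits those directives into other vhosts, which would then have no matching location. Lastly, an `add_header` inside a location suppresses every `add_header` inherited from the server level, so any header the vhost sets at server scope has to be repeated in these two locations.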
@@ -19,37 +19,45 @@ with lib; {
 default = false;
 type = bool;
 };
+ locations = mkOption {
+ type = attrsOf (
+ submodule {
+ config = mkIf config.enableAuthentik {
+ extraConfig = ''
+ auth_request /outpost.goauthentik.io/auth/nginx;
+ error_page 401 = @goauthentik_proxy_signin;
+ auth_request_set $auth_cookie $upstream_http_set_cookie;
+ add_header Set-Cookie $auth_cookie;
+
+ # translate headers from the outposts back to the actual upstream
+ auth_request_set $authentik_username $upstream_http_x_authentik_username;
+ auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
+ auth_request_set $authentik_email $upstream_http_x_authentik_email;
+ auth_request_set $authentik_name $upstream_http_x_authentik_name;
+ auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
+
+ proxy_set_header X-authentik-username $authentik_username;
+ proxy_set_header X-authentik-groups $authentik_groups;
+ proxy_set_header X-authentik-email $authentik_email;
+ proxy_set_header X-authentik-name $authentik_name;
+ proxy_set_header X-authentik-uid $authentik_uid;
+ '';
+ };
+ }
+ );
+ };
 };
 config = mkIf config.enableAuthentik {
 extraConfig = ''
- auth_request /outpost.goauthentik.io/auth/nginx;
- error_page 401 = @goauthentik_proxy_signin;
- auth_request_set $auth_cookie $upstream_http_set_cookie;
- add_header Set-Cookie $auth_cookie;
-
- # translate headers from the outposts back to the actual upstream
- auth_request_set $authentik_username $upstream_http_x_authentik_username;
- auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
- auth_request_set $authentik_email $upstream_http_x_authentik_email;
- auth_request_set $authentik_name $upstream_http_x_authentik_name;
- auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
-
- proxy_set_header X-authentik-username $authentik_username;
- proxy_set_header X-authentik-groups $authentik_groups;
- proxy_set_header X-authentik-email $authentik_email;
- proxy_set_header X-authentik-name $authentik_name;
- proxy_set_header X-authentik-uid $authentik_uid;
-
- proxy_redirect http:// $scheme://;
-
 proxy_buffers 8 16k;
 proxy_buffer_size 32k;
 
 location /outpost.goauthentik.io {
- proxy_pass http://auth.posixlycorrect.com/outpost.goauthentik.io;
+ proxy_pass http://localhost:9000/outpost.goauthentik.io;
 # ensure the host of this vserver matches your external URL you've configured
 # in authentik
- proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header Host $host;
+ proxy_redirect http://localhost:9000 https://auth.posixlycorrect.com;
 proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
 add_header Set-Cookie $auth_cookie;
 auth_request_set $auth_cookie $upstream_http_set_cookie;
@@ -62,7 +70,7 @@ with lib; {
 location @goauthentik_proxy_signin {
 internal;
 add_header Set-Cookie $auth_cookie;
- return 302 /outpost.goauthentik.io/start?rd=$request_uri;
+ return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
 # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
 # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
 }

From bfa94cc93372dc1487ac79fc663901d8eb86db5d Mon Sep 17 00:00:00 2001
From: Fabian Montero
Date: Sun, 25 Aug 2024 15:33:21 -0600
Subject: [PATCH 3/3] now we have to make jitsi work

---
 pki/gatekeeper_ca.pem | 21 ---------------------
 sys/srv/jitsi.nix | 8 +-------
 sys/srv/mediawiki.nix | 1 -
 3 files changed, 1 insertion(+), 29 deletions(-)
 delete mode 100644 pki/gatekeeper_ca.pem

diff --git a/pki/gatekeeper_ca.pem b/pki/gatekeeper_ca.pem
deleted file mode 100644
index 51c2de9..0000000
--- a/pki/gatekeeper_ca.pem
+++ /dev/null
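Review bot: Moving `auth_request` and `error_page 401` from the vhost-level `extraConfig` into a default for every `locations` entry narrows coverage: the server-level directives were inherited by every location, while the new ones apply only to entries declared through `locations`, so a path served by the server-level `root` or by a `location` block written into raw `extraConfig` is no longer gated. The apparent reason for the move is that the server-level `auth_request` was also inherited by `location /outpost.goauthentik.io` in this same block, making the auth subrequest itself require authentication; that deserves a comment on the new option, e.g. `# per-location rather than server-level so the /outpost.goauthentik.io block below is not itself guarded by auth_request`. The `locations = mkOption { ... }` declaration carries no `description`; it should state that a vhost enabling this needs a catch-all `locations."/"` (or equivalent) to keep the previous whole-server coverage. Note also that `config.enableAuthentik` inside the inner `submodule` reads `config` from the enclosing vhost scope, which only works while nothing in that submodule shadows `config`. The option block this hunk edits starts before the hunk.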
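Review bot: The new redirect target builds `rd=` from `$http_host`, which is the client's Host header verbatim (port included, case preserved); `$host` is the lowercased, port-stripped form and falls back to the server name when the header is absent, so `return 302 /outpost.goauthentik.io/start?rd=$scheme://$host$request_uri;` hands the outpost a return URL that is tied to the vhost rather than to whatever the client sent. The comment below still presents the absolute-URL variant as the one carrying `$scheme://$http_host$request_uri`; now that the live line carries it too, the only remaining difference is the absolute host, and the comment should say so.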
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDijCCAnKgAwIBAgIUQCBAoFSQrYx063PnK3XKiOJSpvQwDQYJKoZIhvcNAQEL
-BQAwKzEpMCcGA1UEAwwgcG9zaXhseWNvcnJlY3QuY29tIGdhdGVrZWVwZXIgQ0Ew
-HhcNMjQwODAyMDcxNzE4WhcNMzQwNzMxMDcxNzE4WjArMSkwJwYDVQQDDCBwb3Np
-eGx5Y29ycmVjdC5jb20gZ2F0ZWtlZXBlciBDQTCCASIwDQYJKoZIhvcNAQEBBQAD
-ggEPADCCAQoCggEBAKxjqIpRxIu2yPejUbyMixZACESrbmIGOhhxwUu1ys6aYPOZ
-7yQMs5xuJXcgCuD7Oba1eBi+CpLhyvgZlyLrCfxoCzTdAeeXq0EB7YUn8IYEN3dR
-e+yds//zkjRzbXAaIbUoAF8XaXgylOSIXLNrh0TTjNscC+TPYvKSbaDhdICOZ1ky
-u08w5QdOoi1W8FNJd4LKIKWQZW3dMeNaBbKnt9R4mjL28tE5gP6ZYUvcCIoqYAbE
-DSNq29lXsmDzbD914bN5wYoTP3A+k8QG6eYGb10YgaaJ0TBxeLzadVBq7gFylMt3
-1LTNmH/v+l73IYfiDV4O3d33cg0VOKqiD48WCnkCAwEAAaOBpTCBojAMBgNVHRME
-BTADAQH/MB0GA1UdDgQWBBStVj4YoMTnD+XZ+doBI7Ao17Gg3DBmBgNVHSMEXzBd
-gBStVj4YoMTnD+XZ+doBI7Ao17Gg3KEvpC0wKzEpMCcGA1UEAwwgcG9zaXhseWNv
-cnJlY3QuY29tIGdhdGVrZWVwZXIgQ0GCFEAgQKBUkK2MdOtz5yt1yojiUqb0MAsG
-A1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAZgbpPdkhAbrbA7Y63WI2Bo26
-tPVCZpsEKiwpyEbDDC+NVrbOit1kQg/j26RuXLDVg19IfXk407FVFVGYVJNE+kXt
-KjyKCGyyZUBQRebCN8kzFsCQ/AJSfzNKQhEK68rchSH66mbjtOtItkdVZRnq0pWI
-7WXlTIxK8KTcAx2V/ijyalCENUpwRWfM4Qnkqsi82Dx9e8V0TRCLomW7IQok4dre
-F6IolUHw9ZuSC10/T8n8+riqWBWEisBGLz79OrdETdHK9A5gpNHRF+sO9JAhVr/t
-exBWTEJ33BeI0NX87d0Pneun4nss5FsLst+Ut7Y0F2QF2Iar1iERUalHVIjCtA==
------END CERTIFICATE-----
diff --git a/sys/srv/jitsi.nix b/sys/srv/jitsi.nix
index 42c62e6..10f0c1a 100644
--- a/sys/srv/jitsi.nix
+++ b/sys/srv/jitsi.nix
@@ -9,16 +9,10 @@ with lib; {
 virtualHosts."meet.posixlycorrect.com" = {
 enableACME = true;
 forceSSL = true;
+ enableAuthentik = true;
 extraConfig = ''
 proxy_headers_hash_max_size 512;
 proxy_headers_hash_bucket_size 128;
-
- ssl_verify_depth 1;
- ssl_verify_client on;
- ssl_client_certificate ${../../pki/gatekeeper_ca.pem};
- if ($ssl_client_verify != "SUCCESS") {
- return 403;
- }
 '';
 };
 };
diff --git a/sys/srv/mediawiki.nix b/sys/srv/mediawiki.nix
index 03f16e0..d07bd80 100644
--- a/sys/srv/mediawiki.nix
+++ b/sys/srv/mediawiki.nix
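Review bot: This hunk removes the TLS-layer gate (`ssl_verify_client on;` plus the `$ssl_client_verify` check), which rejected unauthenticated clients before any request reached the application, and relies on `enableAuthentik = true;` instead; with the auth directives now injected per `locations` entry (previous patch in this series), only paths the jitsi vhost declares through `locations` are checked, so anything it serves from the server-level `root` or from raw `extraConfig` location blocks becomes reachable without login. Worth confirming that the vhost ends up with a catch-all `locations."/"` carrying the auth directives, or documenting the exemption in this file with a short comment next to `enableAuthentik = true;`. Separately, the last hunk of this commit drops `enableAuthentik = true;` from `wiki.posixlycorrect.com` without a word in the commit message; if that is deliberate the message should say so, since it removes the login requirement from that host.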
@@ -10,7 +10,6 @@ with lib; {
 virtualHosts."wiki.posixlycorrect.com" = {
 enableACME = true;
 forceSSL = true;
- enableAuthentik = true;
 extraConfig = ''
 proxy_headers_hash_max_size 512;
 proxy_headers_hash_bucket_size 128;