diff --git a/pki/gatekeeper_ca.pem b/pki/gatekeeper_ca.pem
new file mode 100644
index 0000000..51c2de9
--- /dev/null
+++ b/pki/gatekeeper_ca.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDijCCAnKgAwIBAgIUQCBAoFSQrYx063PnK3XKiOJSpvQwDQYJKoZIhvcNAQEL
+BQAwKzEpMCcGA1UEAwwgcG9zaXhseWNvcnJlY3QuY29tIGdhdGVrZWVwZXIgQ0Ew
+HhcNMjQwODAyMDcxNzE4WhcNMzQwNzMxMDcxNzE4WjArMSkwJwYDVQQDDCBwb3Np
+eGx5Y29ycmVjdC5jb20gZ2F0ZWtlZXBlciBDQTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAKxjqIpRxIu2yPejUbyMixZACESrbmIGOhhxwUu1ys6aYPOZ
+7yQMs5xuJXcgCuD7Oba1eBi+CpLhyvgZlyLrCfxoCzTdAeeXq0EB7YUn8IYEN3dR
+e+yds//zkjRzbXAaIbUoAF8XaXgylOSIXLNrh0TTjNscC+TPYvKSbaDhdICOZ1ky
+u08w5QdOoi1W8FNJd4LKIKWQZW3dMeNaBbKnt9R4mjL28tE5gP6ZYUvcCIoqYAbE
+DSNq29lXsmDzbD914bN5wYoTP3A+k8QG6eYGb10YgaaJ0TBxeLzadVBq7gFylMt3
+1LTNmH/v+l73IYfiDV4O3d33cg0VOKqiD48WCnkCAwEAAaOBpTCBojAMBgNVHRME
+BTADAQH/MB0GA1UdDgQWBBStVj4YoMTnD+XZ+doBI7Ao17Gg3DBmBgNVHSMEXzBd
+gBStVj4YoMTnD+XZ+doBI7Ao17Gg3KEvpC0wKzEpMCcGA1UEAwwgcG9zaXhseWNv
+cnJlY3QuY29tIGdhdGVrZWVwZXIgQ0GCFEAgQKBUkK2MdOtz5yt1yojiUqb0MAsG
+A1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAZgbpPdkhAbrbA7Y63WI2Bo26
+tPVCZpsEKiwpyEbDDC+NVrbOit1kQg/j26RuXLDVg19IfXk407FVFVGYVJNE+kXt
+KjyKCGyyZUBQRebCN8kzFsCQ/AJSfzNKQhEK68rchSH66mbjtOtItkdVZRnq0pWI
+7WXlTIxK8KTcAx2V/ijyalCENUpwRWfM4Qnkqsi82Dx9e8V0TRCLomW7IQok4dre
+F6IolUHw9ZuSC10/T8n8+riqWBWEisBGLz79OrdETdHK9A5gpNHRF+sO9JAhVr/t
+exBWTEJ33BeI0NX87d0Pneun4nss5FsLst+Ut7Y0F2QF2Iar1iERUalHVIjCtA==
+-----END CERTIFICATE-----
diff --git a/sys/srv/authentik.nix b/sys/srv/authentik.nix
index 8b68fe3..43f0bc7 100644
--- a/sys/srv/authentik.nix
+++ b/sys/srv/authentik.nix
@@ -19,61 +19,31 @@ with lib; {
 default = false;
 type = bool;
 };
- locations = mkOption {
- type = attrsOf (
- submodule {
- config = mkIf config.enableAuthentik {
- extraConfig = ''
- auth_request /outpost.goauthentik.io/auth/nginx;
- error_page 401 = @goauthentik_proxy_signin;
- auth_request_set $auth_cookie $upstream_http_set_cookie;
- add_header Set-Cookie $auth_cookie;
-
- # translate headers from the outposts back to the actual upstream
- auth_request_set $authentik_username $upstream_http_x_authentik_username;
- auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
- auth_request_set $authentik_email $upstream_http_x_authentik_email;
- auth_request_set $authentik_name $upstream_http_x_authentik_name;
- auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
-
- proxy_set_header X-authentik-username $authentik_username;
- proxy_set_header X-authentik-groups $authentik_groups;
- proxy_set_header X-authentik-email $authentik_email;
- proxy_set_header X-authentik-name $authentik_name;
- proxy_set_header X-authentik-uid $authentik_uid;
- '';
- };
- }
- );
- };
 };
 config = mkIf config.enableAuthentik {
 extraConfig = ''
+ auth_request /outpost.goauthentik.io/auth/nginx;
+ error_page 401 = @goauthentik_proxy_signin;
+ auth_request_set $auth_cookie $upstream_http_set_cookie;
+ add_header Set-Cookie $auth_cookie;
+
+ # translate headers from the outposts back to the actual upstream
+ auth_request_set $authentik_username $upstream_http_x_authentik_username;
+ auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
+ auth_request_set $authentik_email $upstream_http_x_authentik_email;
+ auth_request_set $authentik_name $upstream_http_x_authentik_name;
+ auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
+
+ proxy_set_header X-authentik-username $authentik_username;
+ proxy_set_header X-authentik-groups $authentik_groups;
+ proxy_set_header X-authentik-email $authentik_email;
+ proxy_set_header X-authentik-name $authentik_name;
+ proxy_set_header X-authentik-uid $authentik_uid;
+
+ proxy_redirect http:// $scheme://;
+
 proxy_buffers 8 16k;
 proxy_buffer_size 32k;
-
- location /outpost.goauthentik.io {
- proxy_pass http://localhost:9000/outpost.goauthentik.io;
- # ensure the host of this vserver matches your external URL you've configured
- # in authentik
- proxy_set_header Host $host;
- proxy_redirect http://localhost:9000 https://auth.posixlycorrect.com;
- proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
- add_header Set-Cookie $auth_cookie;
- auth_request_set $auth_cookie $upstream_http_set_cookie;
-
- # required for POST requests to work
- proxy_pass_request_body off;
- proxy_set_header Content-Length "";
- }
-
- location @goauthentik_proxy_signin {
- internal;
- add_header Set-Cookie $auth_cookie;
- return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
- # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
- # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
- }
 '';
 };
 }
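Review bot: The added `auth_request /outpost.goauthentik.io/auth/nginx;` and `error_page 401 = @goauthentik_proxy_signin;` resolve inside the server block they are emitted into, but this commit moves the `/outpost.goauthentik.io` and `@goauthentik_proxy_signin` locations into the separate `auth.posixlycorrect.com` virtual host (second hunk of this file), so every host that sets `enableAuthentik` — `wiki.posixlycorrect.com` in mediawiki.nix in this same commit — no longer has them in its own server. nginx will not load an `error_page ... = @name` whose named location is missing from that server, and if it did, the auth subrequest would be answered by the host's default location rather than the outpost: a non-2xx reply turns every request into an error, while a 200 from the backend for that path would bypass the check entirely. Both locations should stay in this shared `extraConfig` (or be emitted once per protected host), with the sign-in redirect now pointing at the full `https://auth.posixlycorrect.com/...` URL because the outpost is served from a different host. The enclosing module body continues outside the hunk.
```nix
  config = mkIf config.enableAuthentik {
    extraConfig = ''
      # … unchanged: auth_request, header translation, proxy_buffers …

      # Both locations must exist in every protected server block: nginx
      # resolves auth_request subrequests and error_page named locations
      # within the current server only.
      location /outpost.goauthentik.io {
        proxy_pass http://localhost:9000/outpost.goauthentik.io;
        proxy_set_header Host $host;
        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
        add_header Set-Cookie $auth_cookie;
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
      }

      location @goauthentik_proxy_signin {
        internal;
        add_header Set-Cookie $auth_cookie;
        return 302 https://auth.posixlycorrect.com/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
      }
    '';
  };
```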
@@ -84,6 +54,35 @@ with lib; {
 config = {
 services = {
+ nginx.virtualHosts."auth.posixlycorrect.com" = {
+ enableACME = true;
+ forceSSL = true;
+ locations = {
+ "/outpost.goauthentik.io" = {
+ proxyPass = "http://auth.posixlycorrect.com/outpost.goauthentik.io";
+ extraConfig = ''
+ # ensure the host of this vserver matches your external URL you've configured
+ # in authentik
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+ add_header Set-Cookie $auth_cookie;
+ auth_request_set $auth_cookie $upstream_http_set_cookie;
+
+ # required for POST requests to work
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+ '';
+ };
+ "@goauthentik_proxy_signin" = {
+ extraConfig = ''
+ internal;
+ add_header Set-Cookie $auth_cookie;
+ return 302 /outpost.goauthentik.io/start?rd=$request_uri;
+ '';
+ };
+ };
+ };
+
 authentik = {
 enable = true;
 environmentFile = "/var/trust/authentik/authentik-env";
diff --git a/sys/srv/jitsi.nix b/sys/srv/jitsi.nix
index 10f0c1a..42c62e6 100644
--- a/sys/srv/jitsi.nix
+++ b/sys/srv/jitsi.nix
@@ -9,10 +9,16 @@ with lib; {
 virtualHosts."meet.posixlycorrect.com" = {
 enableACME = true;
 forceSSL = true;
- enableAuthentik = true;
 extraConfig = ''
 proxy_headers_hash_max_size 512;
 proxy_headers_hash_bucket_size 128;
+
+ ssl_verify_depth 1;
+ ssl_verify_client on;
+ ssl_client_certificate ${../../pki/gatekeeper_ca.pem};
+ if ($ssl_client_verify != "SUCCESS") {
+ return 403;
+ }
 '';
 };
 };
diff --git a/sys/srv/mediawiki.nix b/sys/srv/mediawiki.nix
index d07bd80..03f16e0 100644
--- a/sys/srv/mediawiki.nix
+++ b/sys/srv/mediawiki.nix
@@ -10,6 +10,7 @@ with lib; {
 virtualHosts."wiki.posixlycorrect.com" = {
 enableACME = true;
 forceSSL = true;
+ enableAuthentik = true;
 extraConfig = ''
 proxy_headers_hash_max_size 512;
 proxy_headers_hash_bucket_size 128;
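Review bot: `proxyPass = "http://auth.posixlycorrect.com/outpost.goauthentik.io";` sends the outpost subrequest to this virtual host's own public name over plain http; with `forceSSL = true` that server answers http with a redirect instead of reaching authentik, and where DNS resolves the name elsewhere the auth traffic would leave the machine unencrypted. The location this replaces proxied to the local outpost, so `proxyPass = "http://localhost:9000/outpost.goauthentik.io";` (the address the removed lines used) is presumably what was intended — please confirm the outpost still listens there. The comment above `proxy_set_header X-Forwarded-Host $host;` still describes the `Host` header that the removed `proxy_set_header Host $host;` set, so either restore that line or reword the comment. The new `return 302 /outpost.goauthentik.io/start?rd=$request_uri;` drops scheme and host from the post-login return target, which only works while this named location is reached from this vhost alone.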
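Review bot: In jitsi.nix, `ssl_verify_client on;` with only `ssl_client_certificate` performs no revocation check, so a client certificate that is lost or leaked stays accepted until its own expiry, and the embedded CA's notAfter decodes to 2034-07-31, so nothing here lets access be withdrawn. Add `ssl_crl ${../../pki/<crl-file>.pem};` (path is a placeholder) beside the CA and republish the CRL when a certificate is revoked, or keep client certificates short-lived. The `if ($ssl_client_verify != "SUCCESS") { return 403; }` block is only reachable when verification is `optional`; with `on` nginx already refuses the handshake, so — assuming this server only terminates TLS — the block is dead and can be dropped, or the directive switched to `optional` if a 403 page is the intent. `ssl_verify_depth 1;` accepts only certificates issued directly by this CA, which fits a single-level CA but will reject anything chained through an intermediate.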