Compare commits
2 commits
289a1e953d
...
bfa94cc933
| Author | SHA1 | Date | |
|---|---|---|---|
 Fabian Montero
|
bfa94cc933
|
||
|
Fabian Montero
|
167c519a25
|
|
|
@ -1,21 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDijCCAnKgAwIBAgIUQCBAoFSQrYx063PnK3XKiOJSpvQwDQYJKoZIhvcNAQEL
|
||||
BQAwKzEpMCcGA1UEAwwgcG9zaXhseWNvcnJlY3QuY29tIGdhdGVrZWVwZXIgQ0Ew
|
||||
HhcNMjQwODAyMDcxNzE4WhcNMzQwNzMxMDcxNzE4WjArMSkwJwYDVQQDDCBwb3Np
|
||||
eGx5Y29ycmVjdC5jb20gZ2F0ZWtlZXBlciBDQTCCASIwDQYJKoZIhvcNAQEBBQAD
|
||||
ggEPADCCAQoCggEBAKxjqIpRxIu2yPejUbyMixZACESrbmIGOhhxwUu1ys6aYPOZ
|
||||
7yQMs5xuJXcgCuD7Oba1eBi+CpLhyvgZlyLrCfxoCzTdAeeXq0EB7YUn8IYEN3dR
|
||||
e+yds//zkjRzbXAaIbUoAF8XaXgylOSIXLNrh0TTjNscC+TPYvKSbaDhdICOZ1ky
|
||||
u08w5QdOoi1W8FNJd4LKIKWQZW3dMeNaBbKnt9R4mjL28tE5gP6ZYUvcCIoqYAbE
|
||||
DSNq29lXsmDzbD914bN5wYoTP3A+k8QG6eYGb10YgaaJ0TBxeLzadVBq7gFylMt3
|
||||
1LTNmH/v+l73IYfiDV4O3d33cg0VOKqiD48WCnkCAwEAAaOBpTCBojAMBgNVHRME
|
||||
BTADAQH/MB0GA1UdDgQWBBStVj4YoMTnD+XZ+doBI7Ao17Gg3DBmBgNVHSMEXzBd
|
||||
gBStVj4YoMTnD+XZ+doBI7Ao17Gg3KEvpC0wKzEpMCcGA1UEAwwgcG9zaXhseWNv
|
||||
cnJlY3QuY29tIGdhdGVrZWVwZXIgQ0GCFEAgQKBUkK2MdOtz5yt1yojiUqb0MAsG
|
||||
A1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAZgbpPdkhAbrbA7Y63WI2Bo26
|
||||
tPVCZpsEKiwpyEbDDC+NVrbOit1kQg/j26RuXLDVg19IfXk407FVFVGYVJNE+kXt
|
||||
KjyKCGyyZUBQRebCN8kzFsCQ/AJSfzNKQhEK68rchSH66mbjtOtItkdVZRnq0pWI
|
||||
7WXlTIxK8KTcAx2V/ijyalCENUpwRWfM4Qnkqsi82Dx9e8V0TRCLomW7IQok4dre
|
||||
F6IolUHw9ZuSC10/T8n8+riqWBWEisBGLz79OrdETdHK9A5gpNHRF+sO9JAhVr/t
|
||||
exBWTEJ33BeI0NX87d0Pneun4nss5FsLst+Ut7Y0F2QF2Iar1iERUalHVIjCtA==
|
||||
-----END CERTIFICATE-----
|
||||
|
|
@ -19,37 +19,45 @@ with lib; {
|
|||
default = false;
|
||||
type = bool;
|
||||
};
|
||||
locations = mkOption {
|
||||
type = attrsOf (
|
||||
submodule {
|
||||
config = mkIf config.enableAuthentik {
|
||||
extraConfig = ''
|
||||
auth_request /outpost.goauthentik.io/auth/nginx;
|
||||
error_page 401 = @goauthentik_proxy_signin;
|
||||
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||
add_header Set-Cookie $auth_cookie;
|
||||
|
||||
# translate headers from the outposts back to the actual upstream
|
||||
auth_request_set $authentik_username $upstream_http_x_authentik_username;
|
||||
auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
|
||||
auth_request_set $authentik_email $upstream_http_x_authentik_email;
|
||||
auth_request_set $authentik_name $upstream_http_x_authentik_name;
|
||||
auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
|
||||
|
||||
proxy_set_header X-authentik-username $authentik_username;
|
||||
proxy_set_header X-authentik-groups $authentik_groups;
|
||||
proxy_set_header X-authentik-email $authentik_email;
|
||||
proxy_set_header X-authentik-name $authentik_name;
|
||||
proxy_set_header X-authentik-uid $authentik_uid;
|
||||
'';
|
||||
};
|
||||
}
|
||||
);
|
||||
};
|
||||
};
|
||||
config = mkIf config.enableAuthentik {
|
||||
extraConfig = ''
|
||||
auth_request /outpost.goauthentik.io/auth/nginx;
|
||||
error_page 401 = @goauthentik_proxy_signin;
|
||||
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||
add_header Set-Cookie $auth_cookie;
|
||||
|
||||
# translate headers from the outposts back to the actual upstream
|
||||
auth_request_set $authentik_username $upstream_http_x_authentik_username;
|
||||
auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
|
||||
auth_request_set $authentik_email $upstream_http_x_authentik_email;
|
||||
auth_request_set $authentik_name $upstream_http_x_authentik_name;
|
||||
auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
|
||||
|
||||
proxy_set_header X-authentik-username $authentik_username;
|
||||
proxy_set_header X-authentik-groups $authentik_groups;
|
||||
proxy_set_header X-authentik-email $authentik_email;
|
||||
proxy_set_header X-authentik-name $authentik_name;
|
||||
proxy_set_header X-authentik-uid $authentik_uid;
|
||||
|
||||
proxy_redirect http:// $scheme://;
|
||||
|
||||
proxy_buffers 8 16k;
|
||||
proxy_buffer_size 32k;
|
||||
|
||||
location /outpost.goauthentik.io {
|
||||
proxy_pass http://auth.posixlycorrect.com/outpost.goauthentik.io;
|
||||
proxy_pass http://localhost:9000/outpost.goauthentik.io;
|
||||
# ensure the host of this vserver matches your external URL you've configured
|
||||
# in authentik
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
proxy_set_header Host $host;
|
||||
proxy_redirect http://localhost:9000 https://auth.posixlycorrect.com;
|
||||
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
|
||||
add_header Set-Cookie $auth_cookie;
|
||||
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||
|
|
@ -62,7 +70,7 @@ with lib; {
|
|||
location @goauthentik_proxy_signin {
|
||||
internal;
|
||||
add_header Set-Cookie $auth_cookie;
|
||||
return 302 /outpost.goauthentik.io/start?rd=$request_uri;
|
||||
return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
|
||||
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path
|
||||
# return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -9,16 +9,10 @@ with lib; {
|
|||
virtualHosts."meet.posixlycorrect.com" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
enableAuthentik = true;
|
||||
extraConfig = ''
|
||||
proxy_headers_hash_max_size 512;
|
||||
proxy_headers_hash_bucket_size 128;
|
||||
|
||||
ssl_verify_depth 1;
|
||||
ssl_verify_client on;
|
||||
ssl_client_certificate ${../../pki/gatekeeper_ca.pem};
|
||||
if ($ssl_client_verify != "SUCCESS") {
|
||||
return 403;
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
|
|
|||
|
|
@ -10,7 +10,6 @@ with lib; {
|
|||
virtualHosts."wiki.posixlycorrect.com" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
enableAuthentik = true;
|
||||
extraConfig = ''
|
||||
proxy_headers_hash_max_size 512;
|
||||
proxy_headers_hash_bucket_size 128;
|
||||
|
|
|
|||
Reference in a new issue