depot-wide: create logged-out.int.lukegb.com

2020-12-30 00:57:53 +00:00 · 2020-12-30 00:57:53 +00:00 · 26e379dfb7
commit 26e379dfb7
parent e0ab7d9ea4
5 changed files with 31 additions and 9 deletions
--- a/nix/pkgs/pomerium/module.nix
+++ b/nix/pkgs/pomerium/module.nix
@ -362,6 +362,11 @@ in
            default = false;
            description = "If set, the TLS connection to the storage backend will not be verified.";
          };
+          signout_redirect_url = mkOption {
+            type = with types; nullOr str;
+            default = null;
+            description = "Signout redirect url is the url user will be redirected to after signing out.";
+          };

          policy = mkOption {
            type = types.listOf (types.submodule {
@ -406,11 +411,6 @@ in
                  default = null;
                  description = "Use this token to authenticate requests to a Kubernetes API server. Pomerium will impersonate the Pomerium user's identity, and Kubernetes RBAC can be applied to IdP user and groups.";
                };
-                signout_redirect_url = mkOption {
-                  type = with types; nullOr str;
-                  default = null;
-                  description = "Signout redirect url is the url user will be redirected to after signing out.";
-                };
                path = mkOption {
                  type = with types; nullOr str;
                  default = null;
--- a/ops/nixos/clouvider-fra01/default.nix
+++ b/ops/nixos/clouvider-fra01/default.nix
@ -16,6 +16,7 @@ let
      };
      serve = _apply (value: { root = value; }) {
        "int.lukegb.com" = depot.web.int;
+        "logged-out.int.lukegb.com" = depot.web.logged-out-int;
      };
      _apply = f: builtins.mapAttrs (name: value: lib.recursiveUpdate hostBase (f value));
    };
--- a/ops/nixos/etheroute-lon01/default.nix
+++ b/ops/nixos/etheroute-lon01/default.nix
@ -196,6 +196,7 @@ in {

      forward_auth_url = "https://fwdauth.int.lukegb.com";
      authenticate_service_url = "https://auth.int.lukegb.com";
+      signout_redirect_url = "https://logged-out.int.lukegb.com";

      policy = let
        baseConfig = {
@ -211,19 +212,22 @@ in {
          to = "https://${server}";
          tls_server_name = hostName;
        } // extraConfig);
+        public = extraConfig: {
+          allow_public_unauthenticated_access = true;
+          allowed_domains = null;
+        } // extraConfig;
      in [
        (service "clouvider-fra01" "int.lukegb.com" {})
+        (service "clouvider-fra01" "logged-out.int.lukegb.com" (public {}))
        (service "clouvider-fra01" "sonarr.int.lukegb.com" {})
        (service "clouvider-fra01" "radarr.int.lukegb.com" {})
        (service "clouvider-fra01" "deluge.int.lukegb.com" {})
        (service "totoro:9090" "prometheus.int.lukegb.com" {})
        (service "totoro:9093" "alertmanager.int.lukegb.com" {})
        (service "totoro:3000" "grafana.int.lukegb.com" {})
-        (secureService "totoro" "invoices.lukegb.com" {
-          allow_public_unauthenticated_access = true;
-          allowed_domains = null;
+        (secureService "totoro" "invoices.lukegb.com" (public {
          regex = "^/((third_party|ajax|client_area|pdf)/.*|[a-zA-Z0-9]{8})$";
-        })
+        }))
        (secureService "totoro" "invoices.lukegb.com" {})
        (baseConfig // {
          from = "https://httpbin.int.lukegb.com";
--- a/web/default.nix
+++ b/web/default.nix
@ -5,4 +5,5 @@
 { pkgs, ... }:
 {
  int = pkgs.copyPathToStore ./int;
+  logged-out-int = pkgs.copyPathToStore ./logged-out-int;
 }
--- a/web/logged-out-int/index.html
+++ b/web/logged-out-int/index.html
@ -0,0 +1,16 @@
+<!--
+SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
+
+SPDX-License-Identifier: Apache-2.0
+-->
+
+<!DOCTYPE html>
+<html>
+	<head>
+		<title>Logged out</title>
+	</head>
+	<body>
+		<h1>Congrats! You're logged out.</h1>
+		<a href="https://int.lukegb.com">Log in again</a>
+	</body>
+</html>