diff --git a/nix/pkgs/pomerium/module.nix b/nix/pkgs/pomerium/module.nix index 4345e4ed77..dd886185bf 100644 --- a/nix/pkgs/pomerium/module.nix +++ b/nix/pkgs/pomerium/module.nix @@ -362,6 +362,11 @@ in default = false; description = "If set, the TLS connection to the storage backend will not be verified."; }; + signout_redirect_url = mkOption { + type = with types; nullOr str; + default = null; + description = "Signout redirect url is the url user will be redirected to after signing out."; + }; policy = mkOption { type = types.listOf (types.submodule { @@ -406,11 +411,6 @@ in default = null; description = "Use this token to authenticate requests to a Kubernetes API server. Pomerium will impersonate the Pomerium user's identity, and Kubernetes RBAC can be applied to IdP user and groups."; }; - signout_redirect_url = mkOption { - type = with types; nullOr str; - default = null; - description = "Signout redirect url is the url user will be redirected to after signing out."; - }; path = mkOption { type = with types; nullOr str; default = null; diff --git a/ops/nixos/clouvider-fra01/default.nix b/ops/nixos/clouvider-fra01/default.nix index b8d8e81848..c2109dfad8 100644 --- a/ops/nixos/clouvider-fra01/default.nix +++ b/ops/nixos/clouvider-fra01/default.nix @@ -16,6 +16,7 @@ let }; serve = _apply (value: { root = value; }) { "int.lukegb.com" = depot.web.int; + "logged-out.int.lukegb.com" = depot.web.logged-out-int; }; _apply = f: builtins.mapAttrs (name: value: lib.recursiveUpdate hostBase (f value)); }; diff --git a/ops/nixos/etheroute-lon01/default.nix b/ops/nixos/etheroute-lon01/default.nix index 90f2f3ade4..8cc4ffc8d9 100644 --- a/ops/nixos/etheroute-lon01/default.nix +++ b/ops/nixos/etheroute-lon01/default.nix @@ -196,6 +196,7 @@ in { forward_auth_url = "https://fwdauth.int.lukegb.com"; authenticate_service_url = "https://auth.int.lukegb.com"; + signout_redirect_url = "https://logged-out.int.lukegb.com"; policy = let baseConfig = { @@ -211,19 +212,22 @@ in { to = "https://${server}"; tls_server_name = hostName; } // extraConfig); + public = extraConfig: { + allow_public_unauthenticated_access = true; + allowed_domains = null; + } // extraConfig; in [ (service "clouvider-fra01" "int.lukegb.com" {}) + (service "clouvider-fra01" "logged-out.int.lukegb.com" (public {})) (service "clouvider-fra01" "sonarr.int.lukegb.com" {}) (service "clouvider-fra01" "radarr.int.lukegb.com" {}) (service "clouvider-fra01" "deluge.int.lukegb.com" {}) (service "totoro:9090" "prometheus.int.lukegb.com" {}) (service "totoro:9093" "alertmanager.int.lukegb.com" {}) (service "totoro:3000" "grafana.int.lukegb.com" {}) - (secureService "totoro" "invoices.lukegb.com" { - allow_public_unauthenticated_access = true; - allowed_domains = null; + (secureService "totoro" "invoices.lukegb.com" (public { regex = "^/((third_party|ajax|client_area|pdf)/.*|[a-zA-Z0-9]{8})$"; - }) + })) (secureService "totoro" "invoices.lukegb.com" {}) (baseConfig // { from = "https://httpbin.int.lukegb.com"; diff --git a/web/default.nix b/web/default.nix index d9aa62e515..ff779654d4 100644 --- a/web/default.nix +++ b/web/default.nix @@ -5,4 +5,5 @@ { pkgs, ... }: { int = pkgs.copyPathToStore ./int; + logged-out-int = pkgs.copyPathToStore ./logged-out-int; } diff --git a/web/logged-out-int/index.html b/web/logged-out-int/index.html new file mode 100644 index 0000000000..302a17edb5 --- /dev/null +++ b/web/logged-out-int/index.html @@ -0,0 +1,16 @@ + + + + +
+