From 3a112b821834d403d688313e9b58885e7b238705 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown <hg@lukegb.com>
Date: Mon, 28 Dec 2020 15:54:43 +0000
Subject: [PATCH] clouvider-fra01: simplify

---
 ops/nixos/clouvider-fra01/default.nix | 44 ++++-----------------------
 web/int/index.html | 5 +--
 2 files changed, 9 insertions(+), 40 deletions(-)

diff --git a/ops/nixos/clouvider-fra01/default.nix b/ops/nixos/clouvider-fra01/default.nix
index 4c1bac695b..66743c7d5b 100644
--- a/ops/nixos/clouvider-fra01/default.nix
+++ b/ops/nixos/clouvider-fra01/default.nix
@@ -15,19 +15,17 @@ let
 "sonarr.int.lukegb.com" = "http://localhost:8989";
 };
 serve = _apply (value: { root = value; }) {
- "login.int.lukegb.com" = depot.web.login-int;
 "int.lukegb.com" = depot.web.int;
 };
- _apply = f: builtins.mapAttrs (name: value: lib.recursiveUpdate oauth2Host (f value));
+ _apply = f: builtins.mapAttrs (name: value: lib.recursiveUpdate hostBase (f value));
 };
 };
 vhosts = vhostsConfig.int.proxy // vhostsConfig.int.serve;
- oauth2Host = {
- locations."/".extraConfig = lib.mkBefore ''
- error_page 401 = /oauth2/start?rd=https://$host$uri;
- '';
- useACMEHost = "int.lukegb.com";
- forceSSL = true;
+ hostBase = {
+ listen = [{
+ addr = config.my.ip.tailscale;
+ port = 80;
+ }];
 };
 in {
 imports = [
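Review bot: `hostBase` binds every vhost to plain HTTP on `config.my.ip.tailscale` port 80 and drops the `forceSSL`/`useACMEHost` settings and the 401 → `/oauth2/start` gate that `oauth2Host` carried, so nginx itself no longer encrypts or authenticates any of these hosts. That is only sound if the Tailscale address is the sole way to reach port 80 on this machine and the upstream identity-aware proxy (the index.html hunk points at Pomerium) is what terminates TLS and enforces login, so the assumption deserves a comment on `hostBase`, e.g. `# Plain HTTP on the Tailscale address only: TLS and authentication are handled upstream (Pomerium).`. Binding to a specific Tailscale address may also make nginx fail to start at boot if tailscaled has not assigned the address yet; if that is not already handled elsewhere in the config, ordering nginx after tailscaled or enabling `net.ipv4.ip_nonlocal_bind` avoids it. The `let` block continues outside the hunk.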
@@ -169,40 +167,10 @@ in {
 enable = true;
 };
- security.acme = {
- acceptTerms = true;
- email = "letsencrypt@lukegb.com";
- certs."int.lukegb.com" = {
- domain = "*.int.lukegb.com";
- dnsProvider = "cloudflare";
- credentialsFile = secrets.cloudflareCredentials;
- extraDomainNames = ["int.lukegb.com"];
- postRun = ''
- systemctl reload nginx
- '';
- };
- };
 services.nginx = {
 enable = true;
 virtualHosts = vhosts;
 };
- services.oauth2_proxy = {
- enable = true;
- clientID = "136257844546-6q1mcg4jqc8fcjigutcr47ii8g04qbvt.apps.googleusercontent.com";
- cookie.domain = ".int.lukegb.com";
- email.domains = [ "lukegb.com" ];
- google = {
- adminEmail = "lukegb@lukegb.com";
- serviceAccountJSON = machineSecrets.googleServiceAccount;
- };
- keyFile = machineSecrets.oauth2proxySecrets;
- redirectURL = "https://login.int.lukegb.com/oauth2/callback";
- nginx.virtualHosts = builtins.filter (value: value == "int.lukegb.com" || lib.hasSuffix ".int.lukegb.com" value) (builtins.attrNames vhosts);
- extraConfig = {
- whitelist-domain = ".int.lukegb.com,int.lukegb.com";
- };
- };
 system.stateVersion = "20.09";
 }
diff --git a/web/int/index.html b/web/int/index.html
index 13b9c79be1..ed4d43bb3d 100644
--- a/web/int/index.html
+++ b/web/int/index.html
@@ -16,6 +16,7 @@ SPDX-License-Identifier: Apache-2.0
 <li><a href="https://radarr.int.lukegb.com">radarr</a></li>
 <li><a href="https://deluge.int.lukegb.com">deluge</a></li>
 </ul>
- <p><a href="https://login.int.lukegb.com/oauth2/sign_out">Log out</a></p>
+ <!-- TODO(lukegb): pick a better redirect URI -->
+ <p><a href="/.pomerium/sign_out?pomerium_redirect_uri=https%3A%2F%2Fwww.google.com">Log out</a></p>
 </body>
-</html>
\ No newline at end of file
+</html>
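Review bot: The new Log out link sends users to a third-party site after sign-out (`pomerium_redirect_uri=https%3A%2F%2Fwww.google.com`), which the TODO already flags; a same-origin target such as `/` keeps the post-logout landing under your control and avoids handing the sign-out navigation to an external site, assuming Pomerium accepts it as a redirect URI. The relative `/.pomerium/sign_out` path also only resolves when this page is reached through Pomerium — if `depot.web.int` is fetched straight from nginx's `serve` vhost it is a path under a static root — so the TODO comment could state that assumption, e.g. `<!-- This page assumes it is fronted by Pomerium; /.pomerium/* is served by the proxy, not by nginx. -->`. The `https://` links above the change likewise now rely on the upstream proxy for TLS, since the default.nix hunk moves nginx to plain HTTP on port 80.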