From 3a112b821834d403d688313e9b58885e7b238705 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown <hg@lukegb.com>
Date: Mon, 28 Dec 2020 15:54:43 +0000
Subject: [PATCH] clouvider-fra01: simplify

---
 ops/nixos/clouvider-fra01/default.nix | 44 ++++-----------------------
 web/int/index.html                    |  5 +--
 2 files changed, 9 insertions(+), 40 deletions(-)

diff --git a/ops/nixos/clouvider-fra01/default.nix b/ops/nixos/clouvider-fra01/default.nix
index 4c1bac695b..66743c7d5b 100644
--- a/ops/nixos/clouvider-fra01/default.nix
+++ b/ops/nixos/clouvider-fra01/default.nix
@@ -15,19 +15,17 @@ let
         "sonarr.int.lukegb.com" = "http://localhost:8989";
       };
       serve = _apply (value: { root = value; }) {
-        "login.int.lukegb.com" = depot.web.login-int;
         "int.lukegb.com" = depot.web.int;
       };
-      _apply = f: builtins.mapAttrs (name: value: lib.recursiveUpdate oauth2Host (f value));
+      _apply = f: builtins.mapAttrs (name: value: lib.recursiveUpdate hostBase (f value));
     };
   };
   vhosts = vhostsConfig.int.proxy // vhostsConfig.int.serve;
-  oauth2Host = {
-    locations."/".extraConfig = lib.mkBefore ''
-      error_page 401 = /oauth2/start?rd=https://$host$uri;
-    '';
-    useACMEHost = "int.lukegb.com";
-    forceSSL = true;
+  hostBase = {
+    listen = [{
+      addr = config.my.ip.tailscale;
+      port = 80;
+    }];
   };
 in {
   imports = [
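Review bot: The replacement `hostBase` drops `forceSSL` and the oauth2 `error_page 401` redirect, so every vhost in `vhosts` (including the proxied `sonarr.int.lukegb.com` → `http://localhost:8989` entry) is now served as plain HTTP on port 80, with binding to `config.my.ip.tailscale` as the only visible access restriction. The second hunk removes `security.acme` and `services.oauth2_proxy` as well, and the `web/int/index.html` hunk suggests a Pomerium proxy now sits in front, but nothing in this diff shows where TLS or authentication is terminated for these hosts. A comment on `hostBase` would make the intended trust boundary explicit: `# Plain HTTP on the tailnet address only; TLS and auth are expected to be handled by the proxy in front of these hosts.` The `_apply` lambda also ignores `name`; `(_: value: …)` would make that deliberate. The enclosing `let` block starts before this hunk.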
@@ -169,40 +167,10 @@ in {
     enable = true;
   };
 
-  security.acme = {
-    acceptTerms = true;
-    email = "letsencrypt@lukegb.com";
-    certs."int.lukegb.com" = {
-      domain = "*.int.lukegb.com";
-      dnsProvider = "cloudflare";
-      credentialsFile = secrets.cloudflareCredentials;
-      extraDomainNames = ["int.lukegb.com"];
-      postRun = ''
-        systemctl reload nginx
-      '';
-    };
-  };
-
   services.nginx = {
     enable = true;
     virtualHosts = vhosts;
   };
-  services.oauth2_proxy = {
-    enable = true;
-    clientID = "136257844546-6q1mcg4jqc8fcjigutcr47ii8g04qbvt.apps.googleusercontent.com";
-    cookie.domain = ".int.lukegb.com";
-    email.domains = [ "lukegb.com" ];
-    google = {
-      adminEmail = "lukegb@lukegb.com";
-      serviceAccountJSON = machineSecrets.googleServiceAccount;
-    };
-    keyFile = machineSecrets.oauth2proxySecrets;
-    redirectURL = "https://login.int.lukegb.com/oauth2/callback";
-    nginx.virtualHosts = builtins.filter (value: value == "int.lukegb.com" || lib.hasSuffix ".int.lukegb.com" value) (builtins.attrNames vhosts);
-    extraConfig = {
-      whitelist-domain = ".int.lukegb.com,int.lukegb.com";
-    };
-  };
 
   system.stateVersion = "20.09";
 }
diff --git a/web/int/index.html b/web/int/index.html
index 13b9c79be1..ed4d43bb3d 100644
--- a/web/int/index.html
+++ b/web/int/index.html
@@ -16,6 +16,7 @@ SPDX-License-Identifier: Apache-2.0
 			<li><a href="https://radarr.int.lukegb.com">radarr</a></li>
 			<li><a href="https://deluge.int.lukegb.com">deluge</a></li>
 		</ul>
-		<p><a href="https://login.int.lukegb.com/oauth2/sign_out">Log out</a></p>
+		<!-- TODO(lukegb): pick a better redirect URI -->
+		<p><a href="/.pomerium/sign_out?pomerium_redirect_uri=https%3A%2F%2Fwww.google.com">Log out</a></p>
 	</body>
-</html>
\ No newline at end of file
+</html>
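Review bot: The new sign-out link sends the user to `https://www.google.com`, an unrelated third-party origin, and the TODO on the line above already flags the URI as provisional. If the proxy redirects any unauthenticated same-origin request back into the login flow (which seems to be the reason an external target was chosen), that constraint belongs in the comment so the next person does not "fix" it into a loop: `<!-- TODO(lukegb): pick a better redirect URI; must be reachable without auth, else sign-out presumably bounces straight back to login -->`. A dedicated unauthenticated landing page on the same origin would be the cleaner target once one exists.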