clouvider-fra01: simplify
parent
721018520b
commit
3a112b8218
2 changed files with 9 additions and 40 deletions
|
@ -15,19 +15,17 @@ let
|
||||||
"sonarr.int.lukegb.com" = "http://localhost:8989";
|
"sonarr.int.lukegb.com" = "http://localhost:8989";
|
||||||
};
|
};
|
||||||
serve = _apply (value: { root = value; }) {
|
serve = _apply (value: { root = value; }) {
|
||||||
"login.int.lukegb.com" = depot.web.login-int;
|
|
||||||
"int.lukegb.com" = depot.web.int;
|
"int.lukegb.com" = depot.web.int;
|
||||||
};
|
};
|
||||||
_apply = f: builtins.mapAttrs (name: value: lib.recursiveUpdate oauth2Host (f value));
|
_apply = f: builtins.mapAttrs (name: value: lib.recursiveUpdate hostBase (f value));
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
vhosts = vhostsConfig.int.proxy // vhostsConfig.int.serve;
|
vhosts = vhostsConfig.int.proxy // vhostsConfig.int.serve;
|
||||||
oauth2Host = {
|
hostBase = {
|
||||||
locations."/".extraConfig = lib.mkBefore ''
|
listen = [{
|
||||||
error_page 401 = /oauth2/start?rd=https://$host$uri;
|
addr = config.my.ip.tailscale;
|
||||||
'';
|
port = 80;
|
||||||
useACMEHost = "int.lukegb.com";
|
}];
|
||||||
forceSSL = true;
|
|
||||||
};
|
};
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
|
@ -169,40 +167,10 @@ in {
|
||||||
enable = true;
|
enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
security.acme = {
|
|
||||||
acceptTerms = true;
|
|
||||||
email = "letsencrypt@lukegb.com";
|
|
||||||
certs."int.lukegb.com" = {
|
|
||||||
domain = "*.int.lukegb.com";
|
|
||||||
dnsProvider = "cloudflare";
|
|
||||||
credentialsFile = secrets.cloudflareCredentials;
|
|
||||||
extraDomainNames = ["int.lukegb.com"];
|
|
||||||
postRun = ''
|
|
||||||
systemctl reload nginx
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
virtualHosts = vhosts;
|
virtualHosts = vhosts;
|
||||||
};
|
};
|
||||||
services.oauth2_proxy = {
|
|
||||||
enable = true;
|
|
||||||
clientID = "136257844546-6q1mcg4jqc8fcjigutcr47ii8g04qbvt.apps.googleusercontent.com";
|
|
||||||
cookie.domain = ".int.lukegb.com";
|
|
||||||
email.domains = [ "lukegb.com" ];
|
|
||||||
google = {
|
|
||||||
adminEmail = "lukegb@lukegb.com";
|
|
||||||
serviceAccountJSON = machineSecrets.googleServiceAccount;
|
|
||||||
};
|
|
||||||
keyFile = machineSecrets.oauth2proxySecrets;
|
|
||||||
redirectURL = "https://login.int.lukegb.com/oauth2/callback";
|
|
||||||
nginx.virtualHosts = builtins.filter (value: value == "int.lukegb.com" || lib.hasSuffix ".int.lukegb.com" value) (builtins.attrNames vhosts);
|
|
||||||
extraConfig = {
|
|
||||||
whitelist-domain = ".int.lukegb.com,int.lukegb.com";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
system.stateVersion = "20.09";
|
system.stateVersion = "20.09";
|
||||||
}
|
}
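Review bot: `hostBase` now makes nginx listen on plain HTTP port 80 at `config.my.ip.tailscale` with no authentication of its own, so every vhost in `vhostsConfig.int`, including the proxied localhost services, is reachable by anything that can connect to that address. Presumably an identity-aware proxy now fronts it (the HTML change in this commit links to `/.pomerium/sign_out`), but nothing in this file enforces that only the proxy can reach nginx. If that is the intended trust model, state it on `hostBase`, e.g. `# Unauthenticated plain HTTP: only the authenticating proxy may reach this address; enforced by tailnet ACLs.` If the tailnet ACLs do not restrict this port to the proxy host, nginx should verify the proxy's signed identity assertion before serving. The `let` block starts outside the hunk, so `config.my.ip.tailscale` and any such restriction are not visible here.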
|
||||||
|
|
|
@ -16,6 +16,7 @@ SPDX-License-Identifier: Apache-2.0
|
||||||
<li><a href="https://radarr.int.lukegb.com">radarr</a></li>
|
<li><a href="https://radarr.int.lukegb.com">radarr</a></li>
|
||||||
<li><a href="https://deluge.int.lukegb.com">deluge</a></li>
|
<li><a href="https://deluge.int.lukegb.com">deluge</a></li>
|
||||||
</ul>
|
</ul>
|
||||||
<p><a href="https://login.int.lukegb.com/oauth2/sign_out">Log out</a></p>
|
<!-- TODO(lukegb): pick a better redirect URI -->
|
||||||
|
<p><a href="/.pomerium/sign_out?pomerium_redirect_uri=https%3A%2F%2Fwww.google.com">Log out</a></p>
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
|
|