clouvider-fra01: simplify

Luke Granger-Brown 2020-12-28 15:54:43 +00:00
parent 721018520b
commit 3a112b8218
2 changed files with 9 additions and 40 deletions


@ -15,19 +15,17 @@ let
"sonarr.int.lukegb.com" = "http://localhost:8989"; "sonarr.int.lukegb.com" = "http://localhost:8989";
}; };
serve = _apply (value: { root = value; }) { serve = _apply (value: { root = value; }) {
"login.int.lukegb.com" = depot.web.login-int;
"int.lukegb.com" = depot.web.int; "int.lukegb.com" = depot.web.int;
}; };
_apply = f: builtins.mapAttrs (name: value: lib.recursiveUpdate oauth2Host (f value)); _apply = f: builtins.mapAttrs (name: value: lib.recursiveUpdate hostBase (f value));
}; };
}; };
vhosts = vhostsConfig.int.proxy // vhostsConfig.int.serve; vhosts = vhostsConfig.int.proxy // vhostsConfig.int.serve;
oauth2Host = { hostBase = {
locations."/".extraConfig = lib.mkBefore '' listen = [{
error_page 401 = /oauth2/start?rd=https://$host$uri; addr = config.my.ip.tailscale;
''; port = 80;
useACMEHost = "int.lukegb.com"; }];
forceSSL = true;
}; };
in { in {
imports = [ imports = [
@ -169,40 +167,10 @@ in {
enable = true; enable = true;
}; };
security.acme = {
acceptTerms = true;
email = "letsencrypt@lukegb.com";
certs."int.lukegb.com" = {
domain = "*.int.lukegb.com";
dnsProvider = "cloudflare";
credentialsFile = secrets.cloudflareCredentials;
extraDomainNames = ["int.lukegb.com"];
postRun = ''
systemctl reload nginx
'';
};
};
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts = vhosts; virtualHosts = vhosts;
}; };
services.oauth2_proxy = {
enable = true;
clientID = "136257844546-6q1mcg4jqc8fcjigutcr47ii8g04qbvt.apps.googleusercontent.com";
cookie.domain = ".int.lukegb.com";
email.domains = [ "lukegb.com" ];
google = {
adminEmail = "lukegb@lukegb.com";
serviceAccountJSON = machineSecrets.googleServiceAccount;
};
keyFile = machineSecrets.oauth2proxySecrets;
redirectURL = "https://login.int.lukegb.com/oauth2/callback";
nginx.virtualHosts = builtins.filter (value: value == "int.lukegb.com" || lib.hasSuffix ".int.lukegb.com" value) (builtins.attrNames vhosts);
extraConfig = {
whitelist-domain = ".int.lukegb.com,int.lukegb.com";
};
};
system.stateVersion = "20.09"; system.stateVersion = "20.09";
} }
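Review bot: The new `hostBase` serves every vhost over plain HTTP on `config.my.ip.tailscale` port 80, and with `services.oauth2_proxy`, `forceSSL` and the `error_page 401` hook removed, nothing in this file authenticates a request any more. The Pomerium sign-out link in the second file suggests authentication now happens in a proxy in front of this host, but that is not visible here; if so, any other tailnet peer that can reach port 80 gets sonarr and the other proxied services without passing through it. I would record the dependency on `hostBase`, e.g. `# No auth here: only the authenticating proxy may reach this address (enforced by tailnet ACLs).`, and consider an nginx allow-list such as `extraConfig = "allow <PROXY_TAILSCALE_IP>; deny all;";` so the restriction does not rest on ACLs alone. The `let` block and the module body both continue outside the hunks shown.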


@ -16,6 +16,7 @@ SPDX-License-Identifier: Apache-2.0
<li><a href="https://radarr.int.lukegb.com">radarr</a></li> <li><a href="https://radarr.int.lukegb.com">radarr</a></li>
<li><a href="https://deluge.int.lukegb.com">deluge</a></li> <li><a href="https://deluge.int.lukegb.com">deluge</a></li>
</ul> </ul>
<p><a href="https://login.int.lukegb.com/oauth2/sign_out">Log out</a></p> <!-- TODO(lukegb): pick a better redirect URI -->
<p><a href="/.pomerium/sign_out?pomerium_redirect_uri=https%3A%2F%2Fwww.google.com">Log out</a></p>
</body> </body>
</html> </html>