clouvider-fra01: simplify
parent
721018520b
commit
3a112b8218
2 changed files with 9 additions and 40 deletions
|
@ -15,19 +15,17 @@ let
|
|||
"sonarr.int.lukegb.com" = "http://localhost:8989";
|
||||
};
|
||||
serve = _apply (value: { root = value; }) {
|
||||
"login.int.lukegb.com" = depot.web.login-int;
|
||||
"int.lukegb.com" = depot.web.int;
|
||||
};
|
||||
_apply = f: builtins.mapAttrs (name: value: lib.recursiveUpdate oauth2Host (f value));
|
||||
_apply = f: builtins.mapAttrs (name: value: lib.recursiveUpdate hostBase (f value));
|
||||
};
|
||||
};
|
||||
vhosts = vhostsConfig.int.proxy // vhostsConfig.int.serve;
|
||||
oauth2Host = {
|
||||
locations."/".extraConfig = lib.mkBefore ''
|
||||
error_page 401 = /oauth2/start?rd=https://$host$uri;
|
||||
'';
|
||||
useACMEHost = "int.lukegb.com";
|
||||
forceSSL = true;
|
||||
hostBase = {
|
||||
listen = [{
|
||||
addr = config.my.ip.tailscale;
|
||||
port = 80;
|
||||
}];
|
||||
};
|
||||
in {
|
||||
imports = [
|
||||
|
@ -169,40 +167,10 @@ in {
|
|||
enable = true;
|
||||
};
|
||||
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
email = "letsencrypt@lukegb.com";
|
||||
certs."int.lukegb.com" = {
|
||||
domain = "*.int.lukegb.com";
|
||||
dnsProvider = "cloudflare";
|
||||
credentialsFile = secrets.cloudflareCredentials;
|
||||
extraDomainNames = ["int.lukegb.com"];
|
||||
postRun = ''
|
||||
systemctl reload nginx
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts = vhosts;
|
||||
};
|
||||
services.oauth2_proxy = {
|
||||
enable = true;
|
||||
clientID = "136257844546-6q1mcg4jqc8fcjigutcr47ii8g04qbvt.apps.googleusercontent.com";
|
||||
cookie.domain = ".int.lukegb.com";
|
||||
email.domains = [ "lukegb.com" ];
|
||||
google = {
|
||||
adminEmail = "lukegb@lukegb.com";
|
||||
serviceAccountJSON = machineSecrets.googleServiceAccount;
|
||||
};
|
||||
keyFile = machineSecrets.oauth2proxySecrets;
|
||||
redirectURL = "https://login.int.lukegb.com/oauth2/callback";
|
||||
nginx.virtualHosts = builtins.filter (value: value == "int.lukegb.com" || lib.hasSuffix ".int.lukegb.com" value) (builtins.attrNames vhosts);
|
||||
extraConfig = {
|
||||
whitelist-domain = ".int.lukegb.com,int.lukegb.com";
|
||||
};
|
||||
};
|
||||
|
||||
system.stateVersion = "20.09";
|
||||
}
|
||||
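Review bot: With `oauth2Host` replaced by `hostBase` in the first hunk, every vhost built by `_apply` is now served over plain HTTP on `config.my.ip.tailscale` port 80 with no authentication step in nginx itself, and the second hunk removes the `services.oauth2_proxy` and `security.acme` blocks that used to provide it. The log-out link changed in the same commit suggests an identity-aware proxy now fronts these hosts, but nothing visible here stops another tailnet peer from reaching port 80 directly and skipping that proxy. I would record the assumption next to `hostBase`, e.g. `# No auth or TLS here: reachable only over the tailnet; access control is enforced by the fronting proxy and tailnet ACLs.`, and confirm that ACLs or a firewall rule limit port 80 to the proxy host. Both hunks begin and end inside larger `let`/`in` blocks that are not fully shown.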
|
|
|
@ -16,6 +16,7 @@ SPDX-License-Identifier: Apache-2.0
|
|||
<li><a href="https://radarr.int.lukegb.com">radarr</a></li>
|
||||
<li><a href="https://deluge.int.lukegb.com">deluge</a></li>
|
||||
</ul>
|
||||
<p><a href="https://login.int.lukegb.com/oauth2/sign_out">Log out</a></p>
|
||||
<!-- TODO(lukegb): pick a better redirect URI -->
|
||||
<p><a href="/.pomerium/sign_out?pomerium_redirect_uri=https%3A%2F%2Fwww.google.com">Log out</a></p>
|
||||
</body>
|
||||
</html>
|