diff --git a/default.nix b/default.nix
index 6d782bc9cb..e0aee6c4b5 100644
--- a/default.nix
+++ b/default.nix
@@ -14,6 +14,7 @@ in fix (self:
 third_party = import ./third_party ch;
 ops = import ./ops ch;
 nix = import ./nix ch;
+ web = import ./web ch;
 lib = self.third_party.nixpkgs.lib;
diff --git a/ops/nixos/clouvider-fra01/default.nix b/ops/nixos/clouvider-fra01/default.nix
index fa26ba0e9b..fe9d03d264 100644
--- a/ops/nixos/clouvider-fra01/default.nix
+++ b/ops/nixos/clouvider-fra01/default.nix
@@ -2,6 +2,29 @@ let
 inherit (depot.ops) secrets;
 machineSecrets = secrets.machineSpecific.clouvider-fra01;
+
+ proxyVirtualHosts = {
+ "deluge.int.lukegb.com" = "http://localhost:8112";
+ "radarr.int.lukegb.com" = "http://localhost:7878";
+ "sonarr.int.lukegb.com" = "http://localhost:8989";
+ };
+ oauth2Host = {
+ locations."/".extraConfig = lib.mkBefore ''
+ error_page 401 = /oauth2/start?rd=https://$host$uri;
+ '';
+ useACMEHost = "int.lukegb.com";
+ forceSSL = true;
+ };
+ intVirtualHosts = (builtins.mapAttrs (name: value: lib.recursiveUpdate oauth2Host {
+ locations."/".proxyPass = value;
+ }) proxyVirtualHosts) // {
+ "login.int.lukegb.com" = {
+ root = depot.web.login-int;
+ } // oauth2Host;
+ "int.lukegb.com" = {
+ root = depot.web.int;
+ } // oauth2Host;
+ };
 in {
 imports = [
 ../lib/zfs.nix
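Review bot: The redirect target in `error_page 401 = /oauth2/start?rd=https://$host$uri;` inside `oauth2Host` drops the original query string and is not URL-encoded, so a request to `/path?a=b` comes back to `/path` after login, and any `?` or `&` inside the path is parsed as part of oauth2_proxy's own query rather than the `rd` value. Switching to `$request_uri` keeps the query but makes the encoding problem certain, so the value needs percent-encoding (an nginx `map`) or should be handed to oauth2_proxy via its `X-Auth-Request-Redirect` header instead of being spliced into the URL. Also worth a comment on `oauth2Host` that `$host` comes from the client's Host header and that the resulting `rd` is only accepted because `whitelist-domain` later in this file lists `.int.lukegb.com`, so the two settings must be kept in step. The enclosing `let` block begins before this hunk.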
@@ -143,5 +166,44 @@ in {
 enable = true;
 };
+ security.acme = {
+ acceptTerms = true;
+ email = "letsencrypt@lukegb.com";
+ certs."int.lukegb.com" = {
+ domain = "*.int.lukegb.com";
+ dnsProvider = "cloudflare";
+ credentialsFile = machineSecrets.cloudflareCredentials;
+ user = config.services.nginx.user;
+ group = config.services.nginx.group;
+ extraDomains = {
+ "int.lukegb.com" = null;
+ };
+ postRun = ''
+ systemctl reload nginx
+ '';
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts = intVirtualHosts;
+ };
+ services.oauth2_proxy = {
+ enable = true;
+ clientID = "136257844546-6q1mcg4jqc8fcjigutcr47ii8g04qbvt.apps.googleusercontent.com";
+ cookie.domain = ".int.lukegb.com";
+ email.domains = [ "lukegb.com" ];
+ google = {
+ adminEmail = "lukegb@lukegb.com";
+ serviceAccountJSON = machineSecrets.googleServiceAccount;
+ };
+ keyFile = machineSecrets.oauth2proxySecrets;
+ redirectURL = "https://login.int.lukegb.com/oauth2/callback";
+ nginx.virtualHosts = builtins.filter (lib.hasSuffix ".int.lukegb.com") (builtins.attrNames intVirtualHosts);
+ extraConfig = {
+ whitelist-domain = ".int.lukegb.com,int.lukegb.com";
+ };
+ };
+
 system.stateVersion = "20.03";
 }
diff --git a/web/default.nix b/web/default.nix
new file mode 100644
index 0000000000..bffa90139d
--- /dev/null
+++ b/web/default.nix
@@ -0,0 +1,5 @@
+{ pkgs, ... }:
+{
+ login-int = pkgs.copyPathToStore ./login-int;
+ int = pkgs.copyPathToStore ./int;
+}
diff --git a/web/int/index.html b/web/int/index.html
new file mode 100644
index 0000000000..8027a8bf01
--- /dev/null
+++ b/web/int/index.html
@@ -0,0 +1,15 @@ + + +
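Review bot: `lib.hasSuffix ".int.lukegb.com"` in the `nginx.virtualHosts` filter does not match the apex name `int.lukegb.com`, so that vhost (root `depot.web.int`) is left out of `services.oauth2_proxy.nginx.virtualHosts` and is served without the auth_request the module adds to listed hosts, which also leaves the `error_page 401` it inherits from `oauth2Host` unreachable there. If the apex is meant to be public, record that next to the filter, e.g. `# int.lukegb.com is deliberately unauthenticated; only *.int.lukegb.com hosts get auth_request`; otherwise drop the filter and pass `builtins.attrNames intVirtualHosts` directly. Separately, with `user = config.services.nginx.user` the ACME client appears to run as the nginx user, so `machineSecrets.cloudflareCredentials` presumably has to be readable by that account; a comment stating that the Cloudflare token is limited to DNS edits on this one zone would make that exposure explicit.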
+Hello!
+ Log out? + +