clouvider-fra01: add int.lukegb.com which points at oauth2proxy

This commit is contained in:
Luke Granger-Brown 2020-05-31 22:28:01 +00:00
parent 299893c475
commit e656191b7b
5 changed files with 94 additions and 0 deletions


@ -14,6 +14,7 @@ in fix (self:
third_party = import ./third_party ch; third_party = import ./third_party ch;
ops = import ./ops ch; ops = import ./ops ch;
nix = import ./nix ch; nix = import ./nix ch;
web = import ./web ch;
lib = self.third_party.nixpkgs.lib; lib = self.third_party.nixpkgs.lib;


@ -2,6 +2,29 @@
let let
inherit (depot.ops) secrets; inherit (depot.ops) secrets;
machineSecrets = secrets.machineSpecific.clouvider-fra01; machineSecrets = secrets.machineSpecific.clouvider-fra01;
proxyVirtualHosts = {
"deluge.int.lukegb.com" = "http://localhost:8112";
"radarr.int.lukegb.com" = "http://localhost:7878";
"sonarr.int.lukegb.com" = "http://localhost:8989";
};
oauth2Host = {
locations."/".extraConfig = lib.mkBefore ''
error_page 401 = /oauth2/start?rd=https://$host$uri;
'';
useACMEHost = "int.lukegb.com";
forceSSL = true;
};
intVirtualHosts = (builtins.mapAttrs (name: value: lib.recursiveUpdate oauth2Host {
locations."/".proxyPass = value;
}) proxyVirtualHosts) // {
"login.int.lukegb.com" = {
root = depot.web.login-int;
} // oauth2Host;
"int.lukegb.com" = {
root = depot.web.int;
} // oauth2Host;
};
in { in {
imports = [ imports = [
../lib/zfs.nix ../lib/zfs.nix
@ -143,5 +166,44 @@ in {
enable = true; enable = true;
}; };
security.acme = {
acceptTerms = true;
email = "letsencrypt@lukegb.com";
certs."int.lukegb.com" = {
domain = "*.int.lukegb.com";
dnsProvider = "cloudflare";
credentialsFile = machineSecrets.cloudflareCredentials;
user = config.services.nginx.user;
group = config.services.nginx.group;
extraDomains = {
"int.lukegb.com" = null;
};
postRun = ''
systemctl reload nginx
'';
};
};
services.nginx = {
enable = true;
virtualHosts = intVirtualHosts;
};
services.oauth2_proxy = {
enable = true;
clientID = "136257844546-6q1mcg4jqc8fcjigutcr47ii8g04qbvt.apps.googleusercontent.com";
cookie.domain = ".int.lukegb.com";
email.domains = [ "lukegb.com" ];
google = {
adminEmail = "lukegb@lukegb.com";
serviceAccountJSON = machineSecrets.googleServiceAccount;
};
keyFile = machineSecrets.oauth2proxySecrets;
redirectURL = "https://login.int.lukegb.com/oauth2/callback";
nginx.virtualHosts = builtins.filter (lib.hasSuffix ".int.lukegb.com") (builtins.attrNames intVirtualHosts);
extraConfig = {
whitelist-domain = ".int.lukegb.com,int.lukegb.com";
};
};
system.stateVersion = "20.03"; system.stateVersion = "20.03";
} }
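Review bot: `nginx.virtualHosts = builtins.filter (lib.hasSuffix ".int.lukegb.com") (builtins.attrNames intVirtualHosts);` in the second hunk drops the bare `int.lukegb.com` host, because `hasSuffix ".int.lukegb.com"` does not match a name that is exactly `int.lukegb.com`; that host still gets `oauth2Host` (the `error_page 401` rewrite), but presumably not whatever the oauth2_proxy module attaches to the hosts it is handed, so its `root` would be served with no auth check at all. If the landing page is meant to be protected, as the commit title suggests, `nginx.virtualHosts = builtins.attrNames intVirtualHosts;` covers it; if it is deliberately public, a one-line comment next to the filter saying so would stop the next reader from "fixing" it. Separately, `rd=https://$host$uri` in `oauth2Host` uses nginx's normalised `$uri`, which carries no query string, so a user comes back from login to the path without its arguments; `$request_uri` keeps them, ideally URL-encoded before being embedded in `rd`. The `let` block and `oauth2Host` are introduced in this section's first hunk, while the rest of the module body lies outside both hunks.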

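--- /dev/null
+++ b/web/default.nix
@@ -0,0 +1,5 @@
+{ pkgs, ... }:
+{
+login-int = pkgs.copyPathToStore ./login-int;
+int = pkgs.copyPathToStore ./int;
+}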

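--- /dev/null
+++ b/web/int/index.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>int.lukegb.com</title>
+</head>
+<body>
+<h1>int.lukegb.com</h1>
+<ul>
+<li><a href="https://sonarr.int.lukegb.com">sonarr</a></li>
+<li><a href="https://radarr.int.lukegb.com">radarr</a></li>
+<li><a href="https://deluge.int.lukegb.com">deluge</a></li>
+</ul>
+<p><a href="https://login.int.lukegb.com/oauth2/sign_out">Log out</a></p>
+</body>
+</html>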

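--- /dev/null
+++ b/web/login-int/index.html
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>login.int</title>
+</head>
+<body>
+<h1>login</h1>
+<p>Hello!</p>
+<a href="/oauth2/sign_out">Log out?</a>
+</body>
+</html>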