0xa/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

proxy authentik and dav with sso

Browse source
This commit is contained in:
Grigory Shipunov 2025-01-21 00:16:31 +00:00
parent 3a98bf89b6
commit 5bbfdddaaa
4 changed files with 70 additions and 58 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
hosts/cloud/proxy/auth.nix
View file

@ -1,23 +1,35 @@
{ ... }: { ... }:
{ {
services.nginx.upstreams.keycloak = { services.nginx.upstreams.authentik = {
servers = { servers = {
"10.89.88.11:38080" = { }; "10.89.88.11:9000" = { };
"[fd31:185d:722f::11]:38080" = { }; "[fd31:185d:722f::11]:9000" = { };
}; };
extraConfig = ''
keepalive 10;
'';
}; };
services.nginx.virtualHosts."auth.oxapentane.com" = { services.nginx.virtualHosts."auth.oxapentane.com" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {
proxyPass = "http://keycloak"; proxyPass = "http://authentik";
extraConfig = '' extraConfig = ''
proxy_set_header X-Forwarded-Proto $scheme; # general proxy settings
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
proxy_http_version 1.1;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port 433; proxy_set_header X-Forwarded-Server $host;
# authentik specifik
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade_keepalive;
''; '';
}; };
}; };

17
hosts/cloud/proxy/dav-htaccess.nix
View file

@ -1,17 +0,0 @@
{ ... }:
{
services.nginx.upstreams.radicale = {
servers = {
"10.89.88.12:5232" = { };
"[fd31:185d:722f::12]:5232" = { };
};
};
services.nginx.virtualHosts."dav.oxapentane.com" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://radicale/";
};
};
}

70
hosts/cloud/proxy/dav.nix
View file

@ -10,39 +10,55 @@
services.nginx.virtualHosts."dav.oxapentane.com" = { services.nginx.virtualHosts."dav.oxapentane.com" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/oauth2/" = { # Radicale
proxyPass = "http://10.89.88.11:4180/";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
'';
};
locations."/oauth2/auth" = {
proxyPass = "http://10.89.88.11:4180";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header Content-Length "";
proxy_pass_request_body off;
'';
};
locations."/" = { locations."/" = {
proxyPass = "http://radicale/"; proxyPass = "http://radicale";
extraConfig = '' extraConfig = ''
auth_request /oauth2/auth; # Radicale stuff
error_page 401 =403 /oauth2/sign_in; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade_keepalive;
auth_request_set $user $upstream_http_x_auth_request_user;
# authentik stuff
auth_request /outpost.goauthentik.io/auth/nginx;
error_page 401 = @goauthentik_proxy_signin;
auth_request_set $auth_cookie $upstream_http_set_cookie; auth_request_set $auth_cookie $upstream_http_set_cookie;
# add_header Set-Cookie $auth_cookie; proxy_set_header Set-Cookie $auth_cookie;
proxy_set_header X-Remote-User $user; # translate headers from the outposts back to the actual upstream
proxy_set_header X-User $user; auth_request_set $authentik_username $upstream_http_x_authentik_username;
proxy_set_header X-Real-IP $remote_addr; auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements;
auth_request_set $authentik_email $upstream_http_x_authentik_email;
auth_request_set $authentik_name $upstream_http_x_authentik_name;
auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
proxy_set_header X-authentik-username $authentik_username;
proxy_set_header X-Remote-User $authentik_username;
proxy_set_header X-authentik-groups $authentik_groups;
proxy_set_header X-authentik-entitlements $authentik_entitlements;
proxy_set_header X-authentik-email $authentik_email;
proxy_set_header X-authentik-name $authentik_name;
proxy_set_header X-authentik-uid $authentik_uid;
'';
};
locations."/outpost.goauthentik.io" = {
proxyPass = "http://authentik/outpost.goauthentik.io";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header Set-Cookie $auth_cookie;
auth_request_set $auth_cookie $upstream_http_set_cookie;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
'';
};
locations."@goauthentik_proxy_signin" = {
extraConfig = ''
internal;
proxy_set_header Set-Cookie $auth_cookie;
return 302 /outpost.goauthentik.io/start?rd=$request_uri;
''; '';
}; };
}; };

11
hosts/cloud/proxy/default.nix
View file

@ -2,7 +2,7 @@
{ {
imports = [ imports = [
./auth.nix ./auth.nix
./dav-htaccess.nix ./dav.nix
]; ];
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
@ -16,14 +16,15 @@
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedOptimisation = true; recommendedOptimisation = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
recommendedProxySettings = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
appendHttpConfig = '' appendHttpConfig = ''
proxy_buffers 4 256k; # upgrade websockets
proxy_buffer_size 128k; map $http_upgrade $connection_upgrade_keepalive {
proxy_busy_buffers_size 256k; default upgrade;
''' ''';
}
### TLS ### TLS
# Add HSTS header with preloading to HTTPS requests. # Add HSTS header with preloading to HTTPS requests.