proxy authentik and dav with sso

hosts/cloud/proxy/auth.nix

@@ -1,23 +1,35 @@
 { ... }:
 {
-  services.nginx.upstreams.keycloak = {
+  services.nginx.upstreams.authentik = {
     servers = {
-      "10.89.88.11:38080" = { };
-      "[fd31:185d:722f::11]:38080" = { };
+      "10.89.88.11:9000" = { };
+      "[fd31:185d:722f::11]:9000" = { };
     };
+    extraConfig = ''
+      keepalive 10;
+    '';
   };
 
   services.nginx.virtualHosts."auth.oxapentane.com" = {
     forceSSL = true;
     enableACME = true;
     locations."/" = {
-      proxyPass = "http://keycloak";
+      proxyPass = "http://authentik";
       extraConfig = ''
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header Host $host;
-        proxy_set_header X-Forwarded-Host $host;
-        proxy_set_header X-Forwarded-Port 433;
+        # general proxy settings
+	    proxy_connect_timeout   60s;
+	    proxy_send_timeout      60s;
+	    proxy_read_timeout      60s;
+	    proxy_http_version      1.1;
+        proxy_set_header        Host $host;
+        proxy_set_header        X-Real-IP $remote_addr;
+        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Proto $scheme;
+        proxy_set_header        X-Forwarded-Host $host;
+        proxy_set_header        X-Forwarded-Server $host;
+        # authentik specifik
+        proxy_set_header        Upgrade $http_upgrade;
+        proxy_set_header        Connection $connection_upgrade_keepalive;
       '';
     };
   };

hosts/cloud/proxy/dav-htaccess.nix

@@ -1,17 +0,0 @@
-{ ... }:
-{
-  services.nginx.upstreams.radicale = {
-    servers = {
-      "10.89.88.12:5232" = { };
-      "[fd31:185d:722f::12]:5232" = { };
-    };
-  };
-
-  services.nginx.virtualHosts."dav.oxapentane.com" = {
-    forceSSL = true;
-    enableACME = true;
-    locations."/" = {
-      proxyPass = "http://radicale/";
-    };
-  };
-}

hosts/cloud/proxy/dav.nix

@@ -10,39 +10,55 @@
   services.nginx.virtualHosts."dav.oxapentane.com" = {
     forceSSL = true;
     enableACME = true;
-    locations."/oauth2/" = {
-      proxyPass = "http://10.89.88.11:4180/";
-      extraConfig = ''
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
-      '';
-    };
-    locations."/oauth2/auth" = {
-      proxyPass = "http://10.89.88.11:4180";
-      extraConfig = ''
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-Uri $request_uri;
-        proxy_set_header Content-Length "";
-        proxy_pass_request_body off;
-      '';
-    };
+    # Radicale
     locations."/" = {
-      proxyPass = "http://radicale/";
+      proxyPass = "http://radicale";
       extraConfig = ''
-        auth_request /oauth2/auth;
-        error_page 401 =403 /oauth2/sign_in;
-
-        auth_request_set $user $upstream_http_x_auth_request_user;
+        # Radicale stuff
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade_keepalive;
 
+        # authentik stuff
+        auth_request     /outpost.goauthentik.io/auth/nginx;
+        error_page       401 = @goauthentik_proxy_signin;
         auth_request_set $auth_cookie $upstream_http_set_cookie;
-        # add_header Set-Cookie $auth_cookie;
+        proxy_set_header       Set-Cookie $auth_cookie;
 
-        proxy_set_header X-Remote-User $user;
-        proxy_set_header X-User $user;
-        proxy_set_header X-Real-IP $remote_addr;
+        # translate headers from the outposts back to the actual upstream
+        auth_request_set $authentik_username $upstream_http_x_authentik_username;
+        auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
+        auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements;
+        auth_request_set $authentik_email $upstream_http_x_authentik_email;
+        auth_request_set $authentik_name $upstream_http_x_authentik_name;
+        auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
 
+        proxy_set_header X-authentik-username $authentik_username;
+        proxy_set_header X-Remote-User $authentik_username;
+        proxy_set_header X-authentik-groups $authentik_groups;
+        proxy_set_header X-authentik-entitlements $authentik_entitlements;
+        proxy_set_header X-authentik-email $authentik_email;
+        proxy_set_header X-authentik-name $authentik_name;
+        proxy_set_header X-authentik-uid $authentik_uid;
+      '';
+    };
+
+
+    locations."/outpost.goauthentik.io" = {
+      proxyPass = "http://authentik/outpost.goauthentik.io";
+      extraConfig = ''
+        proxy_set_header Host $host;
+        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+        proxy_set_header Set-Cookie $auth_cookie;
+        auth_request_set $auth_cookie $upstream_http_set_cookie;
+        proxy_pass_request_body off;
+        proxy_set_header Content-Length "";
+      '';
+    };
+    locations."@goauthentik_proxy_signin" = {
+      extraConfig = ''
+        internal;
+        proxy_set_header Set-Cookie $auth_cookie;
+        return 302 /outpost.goauthentik.io/start?rd=$request_uri;
       '';
     };
   };

hosts/cloud/proxy/default.nix

@@ -2,7 +2,7 @@
 {
   imports = [
     ./auth.nix
-    ./dav-htaccess.nix
+    ./dav.nix
   ];
 
   networking.firewall.allowedTCPPorts = [
@@ -16,14 +16,15 @@
     recommendedGzipSettings = true;
     recommendedOptimisation = true;
     recommendedTlsSettings = true;
-    recommendedProxySettings = true;
 
     sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
 
     appendHttpConfig = ''
-      proxy_buffers 4 256k;
-      proxy_buffer_size 128k;
-      proxy_busy_buffers_size 256k;
+      # upgrade websockets
+      map $http_upgrade $connection_upgrade_keepalive {
+        default upgrade;
+        '''      ''';
+      }
 
       ### TLS
       # Add HSTS header with preloading to HTTPS requests.