yeet authentik, add keycloak and radicale

2025-01-14 21:24:05 +00:00 · 2025-01-14 21:24:05 +00:00 · 5c3f0886e5
commit 5c3f0886e5
parent 2f2318aaaa
15 changed files with 263 additions and 366 deletions
--- a/hosts/cloud/proxy/auth.nix
+++ b/hosts/cloud/proxy/auth.nix
@ -0,0 +1,24 @@
+{ ... }:
+{
+  services.nginx.upstreams.keycloak = {
+    servers = {
+      "10.89.88.11:38080" = {};
+      "[fd31:185d:722f::11]:38080" = {};
+    };
+  };
+
+  services.nginx.virtualHosts."auth.oxapentane.com" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://keycloak";
+      extraConfig = ''
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Port 433;
+      '';
+    };
+  };
+}
--- a/hosts/cloud/proxy/authentik.nix
+++ b/hosts/cloud/proxy/authentik.nix
@ -1,31 +0,0 @@
-# TODO: integrade with oxalab-wg
-{ config, ... }:
-{
-  # authentik
-  services.nginx.upstreams.authentik = {
-    extraConfig = ''
-          keepalive 10;
-    '';
-    servers =
-      {
-        "10.89.88.2:9000" = { };
-        "[fd31:185d:722f::2]:9000" = { };
-      };
-    };
-
-    services.nginx.virtualHosts."sso.oxapentane.com" = {
-      forceSSL = true;
-      enableACME = true;
-      locations."/" = {
-        proxyWebsockets = true;
-        proxyPass = "http://authentik";
-        extraConfig = ''
-          proxy_set_header X-Forwarded-Proto $scheme;
-          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-          proxy_set_header Host $host;
-          proxy_set_header Upgrade $http_upgrade;
-          proxy_set_header Connection $connection_upgrade;
-        '';
-      };
-    };
-  }
--- a/hosts/cloud/proxy/default.nix
+++ b/hosts/cloud/proxy/default.nix
@ -1,7 +1,7 @@
 { config, ... }:
 {
  imports = [
-    ./authentik.nix
+    ./auth.nix
  ];

  networking.firewall.allowedTCPPorts = [ 80 443 ];
@ -12,24 +12,11 @@
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedTlsSettings = true;
+    recommendedProxySettings = true;

    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";

    appendHttpConfig = ''
-      ### recommendedProxySettings minus proxy_redirect (breaks authentik)
-      # proxy_redirect          off;
-      proxy_connect_timeout   60s;
-      proxy_send_timeout      60s;
-      proxy_read_timeout      60s;
-      proxy_http_version      1.1;
-      proxy_set_header        "Connection" "";
-      proxy_set_header        Host $host;
-      proxy_set_header        X-Real-IP $remote_addr;
-      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_set_header        X-Forwarded-Proto $scheme;
-      proxy_set_header        X-Forwarded-Host $host;
-      proxy_set_header        X-Forwarded-Server $host;
-
      ### TLS
      # Add HSTS header with preloading to HTTPS requests.
      # Adding this header to HTTP requests is discouraged
@ -39,13 +26,13 @@
      add_header Strict-Transport-Security $hsts_header;

      # Enable CSP for your services.
-      add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+      # add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

      # Minimize information leaked to other domains
      add_header 'Referrer-Policy' 'origin-when-cross-origin';

      # Disable embedding as a frame
-      add_header X-Frame-Options DENY;
+      # add_header X-Frame-Options DENY;

      # Prevent injection of code in other mime types (XSS Attacks)
      add_header X-Content-Type-Options nosniff;
@ -56,11 +43,7 @@
      enableACME = true;
      # default = true;
      locations."/" = {
-        return = "200 '<html><body><h1>¯\\_(ツ)_/¯</h1></body></html>'";
-        extraConfig = ''
-          default_type text/html;
-        '';
-
+        return = "503";
      };
    };
  };