yeet authentik, add keycloak and radicale

2025-01-14 21:24:05 +00:00 · 2025-01-14 21:24:05 +00:00 · 5c3f0886e5
commit 5c3f0886e5
parent 2f2318aaaa
15 changed files with 263 additions and 366 deletions
--- a/hosts/cloud/proxy/default.nix
+++ b/hosts/cloud/proxy/default.nix
@ -1,7 +1,7 @@
 { config, ... }:
 {
  imports = [
-    ./authentik.nix
+    ./auth.nix
  ];

  networking.firewall.allowedTCPPorts = [ 80 443 ];
@ -12,24 +12,11 @@
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedTlsSettings = true;
+    recommendedProxySettings = true;

    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";

    appendHttpConfig = ''
-      ### recommendedProxySettings minus proxy_redirect (breaks authentik)
-      # proxy_redirect          off;
-      proxy_connect_timeout   60s;
-      proxy_send_timeout      60s;
-      proxy_read_timeout      60s;
-      proxy_http_version      1.1;
-      proxy_set_header        "Connection" "";
-      proxy_set_header        Host $host;
-      proxy_set_header        X-Real-IP $remote_addr;
-      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_set_header        X-Forwarded-Proto $scheme;
-      proxy_set_header        X-Forwarded-Host $host;
-      proxy_set_header        X-Forwarded-Server $host;
-
      ### TLS
      # Add HSTS header with preloading to HTTPS requests.
      # Adding this header to HTTP requests is discouraged
@ -39,13 +26,13 @@
      add_header Strict-Transport-Security $hsts_header;

      # Enable CSP for your services.
-      add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+      # add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

      # Minimize information leaked to other domains
      add_header 'Referrer-Policy' 'origin-when-cross-origin';

      # Disable embedding as a frame
-      add_header X-Frame-Options DENY;
+      # add_header X-Frame-Options DENY;

      # Prevent injection of code in other mime types (XSS Attacks)
      add_header X-Content-Type-Options nosniff;
@ -56,11 +43,7 @@
      enableACME = true;
      # default = true;
      locations."/" = {
-        return = "200 '<html><body><h1>¯\\_(ツ)_/¯</h1></body></html>'";
-        extraConfig = ''
-          default_type text/html;
-        '';
-
+        return = "503";
      };
    };
  };