From 9e256920bb728efc83dc556f7b5249104e2a1dc7 Mon Sep 17 00:00:00 2001
From: Grigory Shipunov
Date: Mon, 13 Jan 2025 22:39:06 +0000
Subject: [PATCH] proxy authentik
---
 hosts/cloud/proxy/authentik.nix | 31 +++++++++++++++++++++++++++++++
 hosts/cloud/proxy/default.nix   | 18 ++++++++++++++++--
 hosts/cloud/proxy/proxy.nix     |  4 ----
 3 files changed, 47 insertions(+), 6 deletions(-)
 create mode 100644 hosts/cloud/proxy/authentik.nix
 delete mode 100644 hosts/cloud/proxy/proxy.nix
diff --git a/hosts/cloud/proxy/authentik.nix b/hosts/cloud/proxy/authentik.nix
new file mode 100644
index 0000000..c6c9685
--- /dev/null
+++ b/hosts/cloud/proxy/authentik.nix
@@ -0,0 +1,31 @@
+# TODO: integrade with oxalab-wg
+{ config, ... }:
+{
+  # authentik
+  services.nginx.upstreams.authentik = {
+    extraConfig = ''
+      keepalive 10;
+    '';
+    servers =
+      {
+        "10.89.88.2:9000" = { };
+        "[fd31:185d:722f::2]:9000" = { };
+      };
+  };
+
+  services.nginx.virtualHosts."sso.oxapentane.com" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyWebsockets = true;
+      proxyPass = "http://authentik";
+      extraConfig = ''
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $host;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+      '';
+    };
+  };
+}
diff --git a/hosts/cloud/proxy/default.nix b/hosts/cloud/proxy/default.nix
index 6d58845..046c807 100644
--- a/hosts/cloud/proxy/default.nix
+++ b/hosts/cloud/proxy/default.nix
@@ -1,7 +1,7 @@
 { config, ... }:
 {
   imports = [
-    ./proxy.nix
+    ./authentik.nix
   ];
   networking.firewall.allowedTCPPorts = [ 80 443 ];
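Review bot: The `extraConfig` of `locations."/"` declares its own `proxy_set_header` directives, and nginx inherits `proxy_set_header` from the enclosing level only when the current level declares none, so the http-level set added in `hosts/cloud/proxy/default.nix` (X-Real-IP, X-Forwarded-Host, X-Forwarded-Server and the `Connection ""` reset) will not reach the `sso.oxapentane.com` upstream; if that is intended it deserves a comment, otherwise the missing headers need repeating here. If I recall the NixOS nginx module correctly, `proxyWebsockets = true` already emits `proxy_set_header Upgrade $http_upgrade;` and `proxy_set_header Connection $connection_upgrade;`, so the last two lines of this `extraConfig` are likely redundant. Note also that `$proxy_add_x_forwarded_for` appends to whatever X-Forwarded-For the client already sent rather than replacing it, so the authentik side should take the client address only from the last hop of that header, not the first. `config` is bound in the module arguments but never used in this file.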
@@ -11,12 +11,26 @@
   recommendedGzipSettings = true;
   recommendedOptimisation = true;
-  recommendedProxySettings = true;
   recommendedTlsSettings = true;
   sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
   appendHttpConfig = ''
+    ### recommendedProxySettings minus proxy_redirect (breaks authentik)
+    # proxy_redirect off;
+    proxy_connect_timeout 60s;
+    proxy_send_timeout 60s;
+    proxy_read_timeout 60s;
+    proxy_http_version 1.1;
+    proxy_set_header "Connection" "";
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Host $host;
+    proxy_set_header X-Forwarded-Server $host;
+
+    ### TLS
     # Add HSTS header with preloading to HTTPS requests.
     # Adding this header to HTTP requests is discouraged
     map $scheme $hsts_header {
diff --git a/hosts/cloud/proxy/proxy.nix b/hosts/cloud/proxy/proxy.nix
deleted file mode 100644
index facb35d..0000000
--- a/hosts/cloud/proxy/proxy.nix
+++ /dev/null
@@ -1,4 +0,0 @@
-{ ... }:
-{
-
-}
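Review bot: The comment above `# proxy_redirect off;` says only that the directive breaks authentik, but omitting it does not leave redirects untouched: nginx then falls back to its built-in `proxy_redirect default`, which rewrites upstream `Location` headers that point at the `proxy_pass` address, and that rewriting is presumably what the SSO flow depends on. I would say so explicitly, e.g. `# proxy_redirect off;  -- deliberately omitted: authentik needs nginx's default Location rewriting (proxy_redirect default)`. The rest of the added block reads as a hand copy of what `recommendedProxySettings = true` used to emit, so naming that option in the `###` comment would make it easier to spot drift when nixpkgs changes the recommended set. The `appendHttpConfig` string continues past the end of this hunk.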