0xa/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

proxy authentik

Browse source
This commit is contained in:
Grigory Shipunov 2025-01-13 22:39:06 +00:00
parent 1d55b0facf
commit 9e256920bb
3 changed files with 47 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

31
hosts/cloud/proxy/authentik.nix Normal file
View file

@ -0,0 +1,31 @@
# TODO: integrade with oxalab-wg
{ config, ... }:
{
# authentik
services.nginx.upstreams.authentik = {
extraConfig = ''
keepalive 10;
'';
servers =
{
"10.89.88.2:9000" = { };
"[fd31:185d:722f::2]:9000" = { };
};
};
services.nginx.virtualHosts."sso.oxapentane.com" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyWebsockets = true;
proxyPass = "http://authentik";
extraConfig = ''
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
'';
};
};
}

18
hosts/cloud/proxy/default.nix
View file

@ -1,7 +1,7 @@
{ config, ... }: { config, ... }:
{ {
imports = [ imports = [
./proxy.nix ./authentik.nix
]; ];
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
@ -11,12 +11,26 @@
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedOptimisation = true; recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
appendHttpConfig = '' appendHttpConfig = ''
### recommendedProxySettings minus proxy_redirect (breaks authentik)
# proxy_redirect off;
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
proxy_http_version 1.1;
proxy_set_header "Connection" "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
### TLS
# Add HSTS header with preloading to HTTPS requests. # Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged # Adding this header to HTTP requests is discouraged
map $scheme $hsts_header { map $scheme $hsts_header {

4
hosts/cloud/proxy/proxy.nix
View file

@ -1,4 +0,0 @@
{ ... }:
{
}