265 lines
9.8 KiB
Nix
265 lines
9.8 KiB
Nix
{ config, pkgs, ... }:
|
|
let host = "stuce.ch";
|
|
in {
|
|
security.acme = {
|
|
acceptTerms = true;
|
|
defaults.email = "lefabricesaucy@outlook.com";
|
|
};
|
|
services.nginx = {
|
|
enable = true;
|
|
# Use recommended settings
|
|
recommendedGzipSettings = true;
|
|
recommendedOptimisation = true;
|
|
recommendedProxySettings = true;
|
|
recommendedTlsSettings = true;
|
|
# Only allow PFS-enabled ciphers with AES256
|
|
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
|
|
|
|
virtualHosts."cal.${host}" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
extraConfig =
|
|
" rewrite ^/.well-known/carddav / redirect;\n rewrite ^/.well-known/caldav / redirect;\n ";
|
|
locations."/" = {
|
|
proxyPass = "http://localhost:5232";
|
|
# extraConfig = ''
|
|
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
# proxy_set_header X-Forwarded-Host $host;
|
|
# proxy_set_header X-Forwarded-Port $server_port;
|
|
# proxy_set_header X-Forwarded-Proto $scheme;
|
|
# proxy_set_header Host $http_host;
|
|
# proxy_pass_header Authorization;
|
|
# '';
|
|
};
|
|
};
|
|
virtualHosts."eink.${host}" = {
|
|
forceSSL = true;
|
|
sslCertificateKey = "/etc/nginx/certs/ca.key";
|
|
sslCertificate = "/etc/nginx/certs/ca.crt";
|
|
extraConfig = "ssl_client_certificate /etc/nginx/certs/client.crt;";
|
|
locations."/" = {
|
|
# TODO fastcgi to the script
|
|
extraConfig = "return 200 'handshake worked !!!';";
|
|
};
|
|
};
|
|
|
|
virtualHosts."vault.${host}" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
extraConfig = "include /etc/nginx/snippets/authelia-location.conf;";
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:${
|
|
toString config.services.vaultwarden.config.ROCKET_PORT
|
|
}";
|
|
};
|
|
locations."/admin" = {
|
|
extraConfig = ''
|
|
include /etc/nginx/snippets/proxy.conf;
|
|
include /etc/nginx/snippets/authelia-authrequest.conf;
|
|
'';
|
|
proxyPass = "http://127.0.0.1:${
|
|
toString config.services.vaultwarden.config.ROCKET_PORT
|
|
}";
|
|
};
|
|
};
|
|
|
|
virtualHosts."armee.${host}" = {
|
|
root = "/var/www/armee";
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
extraConfig = "include /etc/nginx/snippets/authelia-location.conf;";
|
|
|
|
locations."/plans" = {
|
|
extraConfig = ''
|
|
autoindex on;
|
|
include /etc/nginx/snippets/proxy.conf;
|
|
include /etc/nginx/snippets/authelia-authrequest.conf;
|
|
'';
|
|
};
|
|
locations."/notes" = {
|
|
extraConfig = ''
|
|
include /etc/nginx/snippets/proxy.conf;
|
|
include /etc/nginx/snippets/authelia-authrequest.conf;
|
|
'';
|
|
};
|
|
};
|
|
|
|
virtualHosts."auth.${host}" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
locations."/" = {
|
|
proxyPass = "http://localhost:9091";
|
|
proxyWebsockets = true;
|
|
extraConfig = "include /etc/nginx/snippets/proxy.conf;";
|
|
};
|
|
locations."/api/verify" = { proxyPass = "http://localhost:9091"; };
|
|
locations."/api/authz" = { proxyPass = "http://localhost:9091"; };
|
|
};
|
|
|
|
virtualHosts."ldap.${host}" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
extraConfig = "include /etc/nginx/snippets/authelia-location.conf;";
|
|
locations."/" = {
|
|
proxyPass = "http://localhost:17170";
|
|
extraConfig = "include /etc/nginx/snippets/proxy.conf;";
|
|
};
|
|
};
|
|
|
|
virtualHosts."git.${host}" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
locations."/" = {
|
|
extraConfig = ''
|
|
client_max_body_size 512M;
|
|
proxy_pass http://localhost:3000;
|
|
proxy_set_header Connection $http_connection;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
|
|
# TODO: make a simple script around here that lets you regenerate or update every value when needed
|
|
# NOTE: does not work as expected
|
|
# systemd.services.authelia-main.preStart = ''
|
|
# [ -f /var/lib/authelia-main/jwt-secret ] || {
|
|
# "${pkgs.openssl}/bin/openssl" rand -base64 32 > /var/lib/authelia-main/jwtSecret
|
|
# }
|
|
# [ -f /var/lib/authelia-main/storage-encryption-file ] || {
|
|
# "${pkgs.openssl}/bin/openssl" rand -base64 32 > /var/lib/authelia-main/storageEncryptionKeyFile
|
|
# }
|
|
# [ -f /var/lib/authelia-main/session-secret-file ] || {
|
|
# "${pkgs.openssl}/bin/openssl" rand -base64 32 > /var/lib/authelia-main/sessionSecretFile
|
|
# }
|
|
# [ -f /var/lib/authelia-main/hmac ] || {
|
|
# "${pkgs.openssl}/bin/openssl" rand -base64 64 > /var/lib/authelia-main/hmac
|
|
# }
|
|
# [ -f /var/lib/authelia-main/rsa.2048.key ] || {
|
|
# "${pkgs.openssl}/bin/openssl" genpkey -algorithm RSA -out /var/lib/authelia-main/rsa.2048.key -pkeyopt rsa_keygen_bits:2048
|
|
# }
|
|
# '';
|
|
|
|
environment.etc."nginx/snippets/authelia-location.conf" = {
|
|
user = "nginx";
|
|
group = "nginx";
|
|
text = ''
|
|
set $upstream_authelia http://localhost:9091/api/authz/auth-request;
|
|
|
|
## Virtual endpoint created by nginx to forward auth requests.
|
|
location /internal/authelia/authz {
|
|
## Essential Proxy Configuration
|
|
internal;
|
|
proxy_pass $upstream_authelia;
|
|
|
|
## Headers
|
|
## The headers starting with X-* are required.
|
|
proxy_set_header X-Original-Method $request_method;
|
|
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
proxy_set_header Content-Length "";
|
|
proxy_set_header Connection "";
|
|
|
|
## Basic Proxy Configuration
|
|
proxy_pass_request_body off;
|
|
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead
|
|
proxy_redirect http:// $scheme://;
|
|
#proxy_http_version 1.1;
|
|
proxy_cache_bypass $cookie_session;
|
|
proxy_no_cache $cookie_session;
|
|
proxy_buffers 4 32k;
|
|
client_body_buffer_size 128k;
|
|
|
|
## Advanced Proxy Configuration
|
|
send_timeout 5m;
|
|
proxy_read_timeout 240;
|
|
proxy_send_timeout 240;
|
|
proxy_connect_timeout 240;
|
|
}
|
|
'';
|
|
};
|
|
environment.etc."nginx/snippets/authelia-authrequest.conf" = {
|
|
user = "nginx";
|
|
group = "nginx";
|
|
text = ''
|
|
## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
|
|
auth_request /internal/authelia/authz;
|
|
|
|
## Save the upstream metadata response headers from Authelia to variables.
|
|
auth_request_set $user $upstream_http_remote_user;
|
|
auth_request_set $groups $upstream_http_remote_groups;
|
|
auth_request_set $name $upstream_http_remote_name;
|
|
auth_request_set $email $upstream_http_remote_email;
|
|
|
|
## Inject the metadata response headers from the variables into the request made to the backend.
|
|
proxy_set_header Remote-User $user;
|
|
proxy_set_header Remote-Groups $groups;
|
|
proxy_set_header Remote-Email $email;
|
|
proxy_set_header Remote-Name $name;
|
|
|
|
## Configure the redirection when the authz failure occurs. Lines starting with 'Modern Method' and 'Legacy Method'
|
|
## should be commented / uncommented as pairs. The modern method uses the session cookies configuration's authelia_url
|
|
## value to determine the redirection URL here. It's much simpler and compatible with the mutli-cookie domain easily.
|
|
|
|
## Modern Method: Set the $redirection_url to the Location header of the response to the Authz endpoint.
|
|
auth_request_set $redirection_url $upstream_http_location;
|
|
|
|
## Modern Method: When there is a 401 response code from the authz endpoint redirect to the $redirection_url.
|
|
error_page 401 =302 $redirection_url;
|
|
|
|
## Legacy Method: Set $target_url to the original requested URL.
|
|
## This requires http_set_misc module, replace 'set_escape_uri' with 'set' if you don't have this module.
|
|
# set_escape_uri $target_url $scheme://$http_host$request_uri;
|
|
|
|
## Legacy Method: When there is a 401 response code from the authz endpoint redirect to the portal with the 'rd'
|
|
## URL parameter set to $target_url. This requires users update 'auth.stuce.com/' with their external authelia URL.
|
|
# error_page 401 =302 https://auth.stuce.com/?rd=$target_url;
|
|
'';
|
|
};
|
|
|
|
environment.etc."nginx/snippets/proxy.conf" = {
|
|
user = "nginx";
|
|
group = "nginx";
|
|
text = ''
|
|
## Headers
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header X-Forwarded-Host $http_host;
|
|
proxy_set_header X-Forwarded-URI $request_uri;
|
|
proxy_set_header X-Forwarded-Ssl on;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
|
|
## Basic Proxy Configuration
|
|
client_body_buffer_size 128k;
|
|
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead.
|
|
proxy_redirect http:// $scheme://;
|
|
#proxy_http_version 1.1;
|
|
proxy_cache_bypass $cookie_session;
|
|
proxy_no_cache $cookie_session;
|
|
proxy_buffers 64 256k;
|
|
|
|
## Trusted Proxies Configuration
|
|
## Please read the following documentation before configuring this:
|
|
## https://www.authelia.com/integration/proxies/nginx/#trusted-proxies
|
|
# set_real_ip_from 10.0.0.0/8;
|
|
# set_real_ip_from 172.16.0.0/12;
|
|
# set_real_ip_from 192.168.0.0/16;
|
|
# set_real_ip_from fc00::/7;
|
|
real_ip_header X-Forwarded-For;
|
|
real_ip_recursive on;
|
|
|
|
## Advanced Proxy Configuration
|
|
send_timeout 5m;
|
|
proxy_read_timeout 360;
|
|
proxy_send_timeout 360;
|
|
proxy_connect_timeout 360;
|
|
'';
|
|
};
|
|
|
|
}
|