From 768f6ed3b37688266886128b2311139e1c7c89a8 Mon Sep 17 00:00:00 2001
From: Henry-Hiles
Date: Sun, 22 Jun 2025 02:55:01 -0400
Subject: [PATCH] oauth2 proxy

---
 clients/quadraticserver/caddy.nix | 7 ++++-
 clients/quadraticserver/searxng.nix | 47 +++++++++++++++++++++++++----
 flake.lock | 46 ++++++++++++++--------------
 modules/desktop/packages.nix | 4 +--
 secrets/cookieSecret.age | 9 ++++++
 secrets/oidcJwtSecret.age | 19 ++++++------
 secrets/oidcJwtSecretEnv.age | 9 ++++++
 secrets/searxngSecret.age | 15 ++++-----
 8 files changed, 107 insertions(+), 49 deletions(-)
 create mode 100644 secrets/cookieSecret.age
 create mode 100644 secrets/oidcJwtSecretEnv.age

diff --git a/clients/quadraticserver/caddy.nix b/clients/quadraticserver/caddy.nix
index 6f7ddc5..a04d4e3 100644
--- a/clients/quadraticserver/caddy.nix
+++ b/clients/quadraticserver/caddy.nix
@@ -1,7 +1,12 @@
-{
+{pkgs, ...}: {
 services.caddy = {
 enable = true;
 email = "henry@henryhiles.com";
+
+ package = pkgs.caddy.withPlugins {
+ plugins = ["github.com/ggicci/caddy-jwt@v1.1.0"];
+ hash = "sha256-sdhX/dAQ7lIxBo/ZW6XYX8SRuacLO9HobtIVKD/cw0o=";
+ };
 };
 networking.firewall.allowedTCPPorts = [2222 443 8448]; # Git SSH, HTTPS, and Matrix
 }
diff --git a/clients/quadraticserver/searxng.nix b/clients/quadraticserver/searxng.nix
index 74798b7..2cbd6c5 100644
--- a/clients/quadraticserver/searxng.nix
+++ b/clients/quadraticserver/searxng.nix
@@ -3,7 +3,10 @@
 lib,
 ...
 }: {
- services = with config.services.searx.settings.server; {
+ services = let
+ socket = "/var/run/searx/socket";
+ domain = "search.federated.nexus";
+ in {
 searx = {
 enable = true;
 environmentFile = config.age.secrets."searxngSecret.age".path;
@@ -12,7 +15,6 @@
 general = {
 instance_name = "Federated Nexus Search";
 contact_url = "mailto:henry@henryhiles.com";
- debug = true;
 };
 search = {
 autocomplete = "duckduckgo";
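Review bot: `socket = "/var/run/searx/socket"` names the socket through the `/var/run` compatibility symlink, while the searx units elsewhere in this patch rely on systemd's runtime-directory handling, which creates the directory under `/run`; `socket = "/run/searx/socket";` refers to the same path without depending on the symlink. The `services` attrset opened by this hunk continues past its last line.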
@@ -20,10 +22,10 @@
 };
 server = {
- base_url = "search.federated.nexus";
+ base_url = "https://${domain}";
- port = 80;
- bind_address = "127.0.0.4";
+ port = "8080";
+ bind_address = "unix://${socket}";
 };
 engines = lib.mapAttrsToList (name: value: {inherit name;} // value) {
@@ -31,6 +33,39 @@
 };
 };
 };
- caddy.virtualHosts."${base_url}".extraConfig = "reverse_proxy ${bind_address}";
+
+ caddy = {
+ environmentFile = config.age.secrets."oidcJwtSecretEnv.age".path;
+ virtualHosts."${domain}".extraConfig = let
+ auth = "https://auth.federated.nexus";
+ in ''
+ handle_errors 401 {
+ redir https://federated.nexus/login?redirect_uri=${auth}/bridge?redirect_uri=https://${domain}{uri} 302
+ }
+
+ route {
+ jwtauth {
+ from_header Authorization
+ sign_key {$JWK_SECRET}
+ sign_alg HS256
+ issuer_whitelist ${auth}
+ audience_whitelist proxy
+ user_claims sub
+ }
+
+ reverse_proxy unix/${socket}
+ }
+ '';
+ };
+ };
+ systemd.services = let
+ commonConfig = builtins.mapAttrs (_: value: lib.mkForce value) {
+ Group = "caddy";
+ RuntimeDirectoryMode = "0770";
+ UMask = "007";
+ };
+ in {
+ searx.serviceConfig = commonConfig;
+ searx-init.serviceConfig = commonConfig;
 };
 }
diff --git a/flake.lock b/flake.lock
index 58e1982..caa872e 100644
--- a/flake.lock
+++ b/flake.lock
@@ -582,11 +582,11 @@
 ]
 },
 "locked": {
- "lastModified": 1750304462,
- "narHash": "sha256-Mj5t4yX05/rXnRqJkpoLZTWqgStB88Mr/fegTRqyiWc=",
+ "lastModified": 1750614446,
+ "narHash": "sha256-6WH0aRFay79r775RuTqUcnoZNm6A4uHxU1sbcNIk63s=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "863842639722dd12ae9e37ca83bcb61a63b36f6c",
+ "rev": "7c35504839f915abec86a96435b881ead7eb6a2b",
 "type": "github"
 },
 "original": {
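Review bot: `port = "8080";` replaces the integer `80` with a string, a type change nothing in the hunk explains, and with `bind_address = "unix://${socket}"` the port is presumably not consulted at all; either drop the line or keep it numeric (`port = 8080;`) so `server.port` keeps one type across the settings. This hunk sits inside the `services.searx.settings` attrset, which opens in an earlier hunk.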
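Review bot: `sign_key {$JWK_SECRET}` with `sign_alg HS256` makes the proxy verify tokens with the same symmetric secret the issuer signs with, so the new `oidcJwtSecretEnv.age` is a token-minting key on this host rather than a verification-only key; if `auth.federated.nexus` publishes a JWKS, `jwk_url` with an asymmetric algorithm would keep the signing key off the proxy. The `handle_errors 401` redirect nests `{uri}` unencoded inside a `redirect_uri` that is itself a query parameter, so a request like `/search?q=a&categories=general` will have `&categories=general` split off into the outer login URL; the inner value needs URL-encoding before it is nested. Tokens are read only `from_header Authorization`, yet the 401 path ends in a browser redirect that cannot set that header, and the new `secrets/cookieSecret.age` is referenced nowhere in this patch — if the bridge returns the token in a cookie, a `from_cookies` entry here (or a comment naming where the header is injected) is missing. The systemd override gives both searx units primary group `caddy` under `UMask = "007"`, which shares far more than the socket; keeping searx in its own group and adding `users.users.caddy.extraGroups = ["searx"];` lets caddy reach the 0770 runtime directory and socket without searx inheriting caddy's group. This hunk ends at the file's closing brace, but the `services` attrset it closes begins in an earlier hunk.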
@@ -624,11 +624,11 @@
 ]
 },
 "locked": {
- "lastModified": 1750446454,
- "narHash": "sha256-Xaa1xkseAkP0o7TCWge1l6RE6NpJEOy4s1Wtx+bzlkk=",
+ "lastModified": 1750616153,
+ "narHash": "sha256-EpOssz6cLEep63pBuOR8jAW9v6hxjytgWVjGIhac8VQ=",
 "ref": "refs/heads/main",
- "rev": "f875ef407195b12fc19e5ddd7d896278c1b98a3f",
- "revCount": 18,
+ "rev": "32ec721e23606a6ce0616441b0a22a8300e59a92",
+ "revCount": 25,
 "type": "git",
 "url": "https://git.federated.nexus/Henry-Hiles/matrixoidc"
 },
@@ -644,11 +644,11 @@
 ]
 },
 "locked": {
- "lastModified": 1750263362,
- "narHash": "sha256-n5XvEaSanFe9g1AF6l2o+6OE8THpErU44pu6tt0c9PE=",
+ "lastModified": 1750610317,
+ "narHash": "sha256-tArf9ek4DoR+5lcDlshGS/CjMjX8vMNfpZ1Ys98UrZM=",
 "owner": "nix-community",
 "repo": "nh",
- "rev": "4b39f8496d5bc4f86d0f256ca4b2d7dbcbd9fc00",
+ "rev": "e5dbcf9d48257f4a116bc4746e0c59c78e08e161",
 "type": "github"
 },
 "original": {
@@ -829,17 +829,17 @@
 ]
 },
 "locked": {
- "lastModified": 1750513223,
+ "lastModified": 1750514805,
 "narHash": "sha256-BcHbwm7cVfxb0ocicnn21PNE7ijyLlUZk1utzrR06Ys=",
 "ref": "refs/heads/master",
- "rev": "236f3406c2a79887cfc010e29ba83c63c330695c",
+ "rev": "1bf1950bdea07f72b699ac105800f5bb437a70fd",
 "revCount": 15,
 "type": "git",
- "url": "https://git.federated.nexus/Henry-Hiles/OOYE-module"
+ "url": "https://cgit.rory.gay/nix/OOYE-module.git"
 },
 "original": {
 "type": "git",
- "url": "https://git.federated.nexus/Henry-Hiles/OOYE-module"
+ "url": "https://cgit.rory.gay/nix/OOYE-module.git"
 }
 },
 "programsdb": {
@@ -850,11 +850,11 @@
 "utils": "utils"
 },
 "locked": {
- "lastModified": 1750512214,
- "narHash": "sha256-qb6BTAyIrzMa47Wa9T++AUbO6On4c3p9npHbLlrvJ9I=",
+ "lastModified": 1750602466,
+ "narHash": "sha256-7hrX64drp6NArt+vzGq9jSNBkGA6XEFvxmSrsFzRCDU=",
 "owner": "wamserma",
 "repo": "flake-programs-sqlite",
- "rev": "9fd1ee32264cea8782dd7127156a3d42ad77fde8",
+ "rev": "7fe4aa40ccbd1630e0447bbf49d9026cf9e6cb57",
 "type": "github"
 },
 "original": {
@@ -938,11 +938,11 @@
 "tinted-zed": "tinted-zed"
 },
 "locked": {
- "lastModified": 1750459519,
- "narHash": "sha256-5r+n+UspGQmATwiaA/HPoHgLWkmlIFEweHC3A4fqk80=",
+ "lastModified": 1750562714,
+ "narHash": "sha256-GEQdMsWrij7y1UjuONVZYWLBo1OPIt709KcyCxcDfxU=",
 "owner": "danth",
 "repo": "stylix",
- "rev": "faa5a34c3fd533b289ed082ff2b0e579634e3e4f",
+ "rev": "100b968012804d6526c5f48a32c30680916bc474",
 "type": "github"
 },
 "original": {
@@ -1131,11 +1131,11 @@
 },
 "wrapper-manager": {
 "locked": {
- "lastModified": 1750422615,
- "narHash": "sha256-+HCOFcrVM+cvvivuQxW9vMOon3T8b1sGtlPze5vLGCI=",
+ "lastModified": 1750605920,
+ "narHash": "sha256-H7aKzVWtX2Efp8DwCuMrZex+IiXII2/PF5rO+Mu5oYU=",
 "owner": "viperML",
 "repo": "wrapper-manager",
- "rev": "754ed625186e67f588d6dd664afbbfda8128a7e3",
+ "rev": "238d49c10383cd1db56d694bff9d573684c71526",
 "type": "github"
 },
 "original": {
diff --git a/modules/desktop/packages.nix b/modules/desktop/packages.nix
index ed124cd..bd9b666 100644
--- a/modules/desktop/packages.nix
+++ b/modules/desktop/packages.nix
@@ -4,12 +4,11 @@
 tuba
 gimp
 deno
- ptyxis
 heroic
 aspell
+ ptyxis
 muzika
 foliate
- fractal
 gapless
 inkscape
 r2modman
@@ -19,6 +18,7 @@
 wl-clipboard
 prismlauncher
 authenticator
+ cinny-desktop
 # nexusmods-app-unfree
 hunspellDicts.en_CA-large
 ];
diff --git a/secrets/cookieSecret.age b/secrets/cookieSecret.age
new file mode 100644
index 0000000..2caf0ce
--- /dev/null
+++ b/secrets/cookieSecret.age
@@ -0,0 +1,9 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFZLUVVkUSBXVC9Y
+ejZDRVFXa0dHeXpaVTFPaTlRUkNkR29WTkpuRGhSS2RCZmlMN0E0CkU4WFQwN0RL
+Z2VMM29waDRDMi95bVpHNnk0ZVB4RlZLOUxzUlJHSE9JdlUKLT4gPC1ncmVhc2Ug
+SzZzN3tJPyBmVVdJWApudwotLS0gTnZYRGdzQmpYM2VhZW1tWFo3V21LKzVSRXBV
+cXZSYkQwVEhLOGlWcnJKawomBD/OVJ+bpe4aczYDXDRMYNdLrVbOVBTjUajac4rZ
+kzd+VOjYYk319QbmrsPGX3D6I15YcCGdY+tfXjiO5UnTm+wUx5IqiSxCBMQVgDAC
+h3X5aRXBELvC8iwoR/gy
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/oidcJwtSecret.age b/secrets/oidcJwtSecret.age
index 343bf19..69482f8 100644
--- a/secrets/oidcJwtSecret.age
+++ b/secrets/oidcJwtSecret.age
@@ -1,12 +1,11 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFZLUVVkUSBOUTRE
-WFRYRXFXQ2h4U0xoVmt1MXF5WVhNcHJLTDZyOHdKUEVncWRwN0ZVCkhBUVp2TFlG
-OTBocE1xM0ZhblhCaUhFVTdpSUwrcmlmWmRiR3llbDE5SWMKLT4gPUgtZ3JlYXNl
-IEkvR3AgQHlCQDJgWSA3ZjtnKUhJCjdmalZjNWpvendTNWdqYTh6TU5QOS9IT3g5
-QWFuN0pGQWVqMUlLSTRhdlRaWjY5bEg0SnNqSDdpazc2U1BBMzUKK1g0bFJIZWhI
-aWI5QlRScGFHOEhZRHpaV291ajg3YWpzUFh3djFZVHc0RQotLS0gUWJYQW1VaEFV
-Y3grQ3kzSUY0SWk2UWo1WUM5M2tUV2lhQTY5T1hIQUxqRQqmwjz0Y6d7mAuEWPO3
-UGfQsIaGnQ2JAHuwtR3J8LtFmI9hyNdU4lpfs611QMX+7Calx707XEG5xrKWtT6F
-tQRWIvAGu2FVzxow8deDAlWVs8lNnr8url4N4Ii5XMkLFyW0BTgZ5t8cSy6tKvW6
-SN8o
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFZLUVVkUSBxL1BV
+NHlkckQvbnhKNVRodU0yQ0p6LzZKS1E3UHJoSDZvay9iVWZqaVMwCjJKMDZkN0No
+alJ4Z1pOTHpvQ2cyMHB2OGloWW14ZnFOWktoUnJvRWs1QncKLT4gQS1ncmVhc2Ug
+WHAKQ0ZYaHZoZjVWbm1qV00vR0pUcElLam55WlVibUk0ekpTZHZDaTJrbm5WVGFw
+QWlWWmI0Z3VXMGtJVTBIdEh4Twp5cVdiTXFZZkRWaVQvL000ZnE3cFByT2xlOUQx
+M3J3Ci0tLSBobVB5TVYvVGl5ZGM5VTkwckNDcFkwa20yMFJ4NFM5V1lrbHNub3dE
+OG13CvoG3JJMeKhyYscnS7TVzdP22vTVt3KA4+weyMLeM0bPIG8Zy4pMcNonsxCD
+MnAi7NFjYWx1mdWWC69JX/QbLmBab/gnzsgn1L+lw/7V6VSYg2gm9U5ekvTWCU8e
+riBaAGo=
 -----END AGE ENCRYPTED FILE-----
diff --git a/secrets/oidcJwtSecretEnv.age b/secrets/oidcJwtSecretEnv.age
new file mode 100644
index 0000000..044ab9e
--- /dev/null
+++ b/secrets/oidcJwtSecretEnv.age
@@ -0,0 +1,9 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFZLUVVkUSAvc0Js
+TkdoaHNQY2JKK3liaWZRTjUrVmJqbWRUZHdTRlJ5emE3bXJCTEFvCitBL0MwazVD
+TDV0eThLU2ttOXBVQkFqWFVjbjViMllJYngrODZPRjZuaFUKLT4gIy1ncmVhc2Ug
+azFQKSB2dyRBeXAuaSAvICdESU4zO1MKQmxFeWhXZ1oKLS0tIFFuNjRuN2g0TXIx
+eHlSbGI0c0MxLzdMWVY3S21jbzgreHQwd2dFUzJuYlEKWCr+LzEM1dxB3+E3TFfX
+uWJOgQOc6SKNutMSrSw7G/RJZev3EBp9NkJvdSbrSYEVzv3FEUytZFV7EfC9TmXR
+WoabHyMxaZ0I6IdV0FYaGVQPBf4PT5FPyLKAkWF9bjHBvtwxOCJ+/XT1bzBRLRk=
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/searxngSecret.age b/secrets/searxngSecret.age
index 8053e0d..2403d4b 100644
--- a/secrets/searxngSecret.age
+++ b/secrets/searxngSecret.age
@@ -1,9 +1,10 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFZLUVVkUSBxZjYy
-dkxESEMxdUswVDNXZFZ2b1RubTIraFJ6bU9oUXFPNmoxVG41SkRjCkR1cHZBcS9B
-OUdyZXNmS3hHcVBQb0tPMHM4K1lOZXY1SEgwdGNPZHA0ckkKLT4gfTxQVS0tZ3Jl
-YXNlIGotIHBJfGoydApIbERyaXdVZ0xYc3ZCaXE2d3VYWlFoSkF2TmZDR0VuOHpK
-dU5QaFUvclRvMU9BCi0tLSBNV2tTRm1Yb1BMUE1qd1o3ZXRoblpEMFVKd1dCeHJC
-bGVYZFMrblQ1TC9RCkgi4Jlqkr7NYUx5CBZSFbcWUxNqrx59p5zFpshzNFwJic3B
-syvn9t+u22kDcP8QcsfAHrY9WbwOCR4iDJ1z
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFZLUVVkUSB5a0NN
+bUFxRXJ6TnJlTTM5d1JJbG9DSjNNc1hLRWVTTDZNU21tMEVQNlhFCnpjeGtVRFo4
+WGNPaml5Ym00dXBlemVXaTdGSm9zVjNHZGVVMnE1WFpCQmMKLT4gT1QrLWdyZWFz
+ZSA3JTA5fTFTIC1KL3JuNwpRYndkeUhvMTF6VjdPTWpDbUNqaEZiYUd6aEdlZlNO
+dWtnVjYvMFRnWDBicWJDVTAzZXRPeVdnZVVxekFadlNFCmlsajgyeTgvU0hCMlh6
+ZU1yTXMKLS0tIC8yL3BMdUNXc3VIc0JCMDFlaTg1ZTRNR3FENEZ6ZjF4Ym5idHpu
+eitWaEkKgTzeyWefh3JvEbGyw4HTzj+IJplwk9uOuSnXyJhB3XbfChdQsNyQ92K0
+XQo4yefB1+QKXWYX2/gJNVcKAbhcs/EF+XI6qg==
 -----END AGE ENCRYPTED FILE-----