oauth2 proxy

2025-06-22 02:55:01 -04:00 · 2025-06-22 02:55:01 -04:00 · 768f6ed3b3
commit 768f6ed3b3
parent 51538c1d61
8 changed files with 107 additions and 49 deletions
--- a/clients/quadraticserver/caddy.nix
+++ b/clients/quadraticserver/caddy.nix
@ -1,7 +1,12 @@
-{
+{pkgs, ...}: {
  services.caddy = {
    enable = true;
    email = "henry@henryhiles.com";
+
+    package = pkgs.caddy.withPlugins {
+      plugins = ["github.com/ggicci/caddy-jwt@v1.1.0"];
+      hash = "sha256-sdhX/dAQ7lIxBo/ZW6XYX8SRuacLO9HobtIVKD/cw0o=";
+    };
  };
  networking.firewall.allowedTCPPorts = [2222 443 8448]; # Git SSH, HTTPS, and Matrix
 }
--- a/clients/quadraticserver/searxng.nix
+++ b/clients/quadraticserver/searxng.nix
@ -3,7 +3,10 @@
  lib,
  ...
 }: {
-  services = with config.services.searx.settings.server; {
+  services = let
+    socket = "/var/run/searx/socket";
+    domain = "search.federated.nexus";
+  in {
    searx = {
      enable = true;
      environmentFile = config.age.secrets."searxngSecret.age".path;
@ -12,7 +15,6 @@
        general = {
          instance_name = "Federated Nexus Search";
          contact_url = "mailto:henry@henryhiles.com";
-          debug = true;
        };
        search = {
          autocomplete = "duckduckgo";
@ -20,10 +22,10 @@
        };

        server = {
-          base_url = "search.federated.nexus";
+          base_url = "https://${domain}";

-          port = 80;
-          bind_address = "127.0.0.4";
+          port = "8080";
+          bind_address = "unix://${socket}";
        };

        engines = lib.mapAttrsToList (name: value: {inherit name;} // value) {
@ -31,6 +33,39 @@
        };
      };
    };
-    caddy.virtualHosts."${base_url}".extraConfig = "reverse_proxy ${bind_address}";
+
+    caddy = {
+      environmentFile = config.age.secrets."oidcJwtSecretEnv.age".path;
+      virtualHosts."${domain}".extraConfig = let
+        auth = "https://auth.federated.nexus";
+      in ''
+        handle_errors 401 {
+          redir https://federated.nexus/login?redirect_uri=${auth}/bridge?redirect_uri=https://${domain}{uri} 302
+        }
+
+        route {
+          jwtauth {
+            from_header Authorization
+            sign_key {$JWK_SECRET}
+            sign_alg HS256
+            issuer_whitelist ${auth}
+            audience_whitelist proxy
+            user_claims sub
+          }
+
+          reverse_proxy unix/${socket}
+        }
+      '';
+    };
+  };
+  systemd.services = let
+    commonConfig = builtins.mapAttrs (_: value: lib.mkForce value) {
+      Group = "caddy";
+      RuntimeDirectoryMode = "0770";
+      UMask = "007";
+    };
+  in {
+    searx.serviceConfig = commonConfig;
+    searx-init.serviceConfig = commonConfig;
  };
 }