oauth2 proxy
This commit is contained in:
parent
51538c1d61
commit
768f6ed3b3
8 changed files with 107 additions and 49 deletions
|
@ -1,7 +1,12 @@
|
||||||
{
|
{pkgs, ...}: {
|
||||||
services.caddy = {
|
services.caddy = {
|
||||||
enable = true;
|
enable = true;
|
||||||
email = "henry@henryhiles.com";
|
email = "henry@henryhiles.com";
|
||||||
|
|
||||||
|
package = pkgs.caddy.withPlugins {
|
||||||
|
plugins = ["github.com/ggicci/caddy-jwt@v1.1.0"];
|
||||||
|
hash = "sha256-sdhX/dAQ7lIxBo/ZW6XYX8SRuacLO9HobtIVKD/cw0o=";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
networking.firewall.allowedTCPPorts = [2222 443 8448]; # Git SSH, HTTPS, and Matrix
|
networking.firewall.allowedTCPPorts = [2222 443 8448]; # Git SSH, HTTPS, and Matrix
|
||||||
}
|
}
|
||||||
|
|
|
@ -3,7 +3,10 @@
|
||||||
lib,
|
lib,
|
||||||
...
|
...
|
||||||
}: {
|
}: {
|
||||||
services = with config.services.searx.settings.server; {
|
services = let
|
||||||
|
socket = "/var/run/searx/socket";
|
||||||
|
domain = "search.federated.nexus";
|
||||||
|
in {
|
||||||
searx = {
|
searx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
environmentFile = config.age.secrets."searxngSecret.age".path;
|
environmentFile = config.age.secrets."searxngSecret.age".path;
|
||||||
|
@ -12,7 +15,6 @@
|
||||||
general = {
|
general = {
|
||||||
instance_name = "Federated Nexus Search";
|
instance_name = "Federated Nexus Search";
|
||||||
contact_url = "mailto:henry@henryhiles.com";
|
contact_url = "mailto:henry@henryhiles.com";
|
||||||
debug = true;
|
|
||||||
};
|
};
|
||||||
search = {
|
search = {
|
||||||
autocomplete = "duckduckgo";
|
autocomplete = "duckduckgo";
|
||||||
|
@ -20,10 +22,10 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
server = {
|
server = {
|
||||||
base_url = "search.federated.nexus";
|
base_url = "https://${domain}";
|
||||||
|
|
||||||
port = 80;
|
port = "8080";
|
||||||
bind_address = "127.0.0.4";
|
bind_address = "unix://${socket}";
|
||||||
};
|
};
|
||||||
|
|
||||||
engines = lib.mapAttrsToList (name: value: {inherit name;} // value) {
|
engines = lib.mapAttrsToList (name: value: {inherit name;} // value) {
|
||||||
|
@ -31,6 +33,39 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
caddy.virtualHosts."${base_url}".extraConfig = "reverse_proxy ${bind_address}";
|
|
||||||
|
caddy = {
|
||||||
|
environmentFile = config.age.secrets."oidcJwtSecretEnv.age".path;
|
||||||
|
virtualHosts."${domain}".extraConfig = let
|
||||||
|
auth = "https://auth.federated.nexus";
|
||||||
|
in ''
|
||||||
|
handle_errors 401 {
|
||||||
|
redir https://federated.nexus/login?redirect_uri=${auth}/bridge?redirect_uri=https://${domain}{uri} 302
|
||||||
|
}
|
||||||
|
|
||||||
|
route {
|
||||||
|
jwtauth {
|
||||||
|
from_header Authorization
|
||||||
|
sign_key {$JWK_SECRET}
|
||||||
|
sign_alg HS256
|
||||||
|
issuer_whitelist ${auth}
|
||||||
|
audience_whitelist proxy
|
||||||
|
user_claims sub
|
||||||
|
}
|
||||||
|
|
||||||
|
reverse_proxy unix/${socket}
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
systemd.services = let
|
||||||
|
commonConfig = builtins.mapAttrs (_: value: lib.mkForce value) {
|
||||||
|
Group = "caddy";
|
||||||
|
RuntimeDirectoryMode = "0770";
|
||||||
|
UMask = "007";
|
||||||
|
};
|
||||||
|
in {
|
||||||
|
searx.serviceConfig = commonConfig;
|
||||||
|
searx-init.serviceConfig = commonConfig;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
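Review bot: The `redir` inside `handle_errors 401` splices the raw `{uri}` placeholder into a `redirect_uri` query parameter that is itself nested in another `redirect_uri`, so any `?`, `&` or `#` in the original request is parsed at the wrong level and the inner return target is truncated; the URI needs to be percent-encoded before it is embedded, and because the chain ends on the fixed `https://${domain}` prefix the bridge and login endpoints should still validate that target on their side. `jwtauth` reads the token only via `from_header Authorization`, while the 401 path sends a browser through a login redirect that cannot attach a bearer header on its own, so unless the bridge hands back a cookie and the block also lists `from_cookies` (which caddy-jwt supports), interactive users would presumably loop on 401 — confirm against what `${auth}/bridge` actually returns. The `systemd.services` override forces `searx` and `searx-init` into group `caddy` with `UMask = "007"` and `RuntimeDirectoryMode = "0770"`, giving searx group-write access to everything the caddy group owns; adding the caddy user to searx's own group via `users.users.caddy.extraGroups` would expose only the socket, and since `lib.mkForce` discards whatever the searx module set for those keys, a comment such as `# searx runs as group caddy so Caddy can open the unix socket` would make the override deliberate. `port = "8080"` is now a string where the old value was the integer `80`; with the unix `bind_address` it is presumably ignored, but the type change reads as accidental. The `services = let … in {` set that these blocks live in opens in the first hunk, and `cookieSecret.age` added by this commit is not referenced by any .nix change shown here, so either a glob declares it elsewhere or it is unused.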
46
flake.lock
generated
46
flake.lock
generated
|
@ -582,11 +582,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1750304462,
|
"lastModified": 1750614446,
|
||||||
"narHash": "sha256-Mj5t4yX05/rXnRqJkpoLZTWqgStB88Mr/fegTRqyiWc=",
|
"narHash": "sha256-6WH0aRFay79r775RuTqUcnoZNm6A4uHxU1sbcNIk63s=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "home-manager",
|
"repo": "home-manager",
|
||||||
"rev": "863842639722dd12ae9e37ca83bcb61a63b36f6c",
|
"rev": "7c35504839f915abec86a96435b881ead7eb6a2b",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -624,11 +624,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1750446454,
|
"lastModified": 1750616153,
|
||||||
"narHash": "sha256-Xaa1xkseAkP0o7TCWge1l6RE6NpJEOy4s1Wtx+bzlkk=",
|
"narHash": "sha256-EpOssz6cLEep63pBuOR8jAW9v6hxjytgWVjGIhac8VQ=",
|
||||||
"ref": "refs/heads/main",
|
"ref": "refs/heads/main",
|
||||||
"rev": "f875ef407195b12fc19e5ddd7d896278c1b98a3f",
|
"rev": "32ec721e23606a6ce0616441b0a22a8300e59a92",
|
||||||
"revCount": 18,
|
"revCount": 25,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "https://git.federated.nexus/Henry-Hiles/matrixoidc"
|
"url": "https://git.federated.nexus/Henry-Hiles/matrixoidc"
|
||||||
},
|
},
|
||||||
|
@ -644,11 +644,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1750263362,
|
"lastModified": 1750610317,
|
||||||
"narHash": "sha256-n5XvEaSanFe9g1AF6l2o+6OE8THpErU44pu6tt0c9PE=",
|
"narHash": "sha256-tArf9ek4DoR+5lcDlshGS/CjMjX8vMNfpZ1Ys98UrZM=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "nh",
|
"repo": "nh",
|
||||||
"rev": "4b39f8496d5bc4f86d0f256ca4b2d7dbcbd9fc00",
|
"rev": "e5dbcf9d48257f4a116bc4746e0c59c78e08e161",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -829,17 +829,17 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1750513223,
|
"lastModified": 1750514805,
|
||||||
"narHash": "sha256-BcHbwm7cVfxb0ocicnn21PNE7ijyLlUZk1utzrR06Ys=",
|
"narHash": "sha256-BcHbwm7cVfxb0ocicnn21PNE7ijyLlUZk1utzrR06Ys=",
|
||||||
"ref": "refs/heads/master",
|
"ref": "refs/heads/master",
|
||||||
"rev": "236f3406c2a79887cfc010e29ba83c63c330695c",
|
"rev": "1bf1950bdea07f72b699ac105800f5bb437a70fd",
|
||||||
"revCount": 15,
|
"revCount": 15,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "https://git.federated.nexus/Henry-Hiles/OOYE-module"
|
"url": "https://cgit.rory.gay/nix/OOYE-module.git"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "https://git.federated.nexus/Henry-Hiles/OOYE-module"
|
"url": "https://cgit.rory.gay/nix/OOYE-module.git"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"programsdb": {
|
"programsdb": {
|
||||||
|
@ -850,11 +850,11 @@
|
||||||
"utils": "utils"
|
"utils": "utils"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1750512214,
|
"lastModified": 1750602466,
|
||||||
"narHash": "sha256-qb6BTAyIrzMa47Wa9T++AUbO6On4c3p9npHbLlrvJ9I=",
|
"narHash": "sha256-7hrX64drp6NArt+vzGq9jSNBkGA6XEFvxmSrsFzRCDU=",
|
||||||
"owner": "wamserma",
|
"owner": "wamserma",
|
||||||
"repo": "flake-programs-sqlite",
|
"repo": "flake-programs-sqlite",
|
||||||
"rev": "9fd1ee32264cea8782dd7127156a3d42ad77fde8",
|
"rev": "7fe4aa40ccbd1630e0447bbf49d9026cf9e6cb57",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -938,11 +938,11 @@
|
||||||
"tinted-zed": "tinted-zed"
|
"tinted-zed": "tinted-zed"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1750459519,
|
"lastModified": 1750562714,
|
||||||
"narHash": "sha256-5r+n+UspGQmATwiaA/HPoHgLWkmlIFEweHC3A4fqk80=",
|
"narHash": "sha256-GEQdMsWrij7y1UjuONVZYWLBo1OPIt709KcyCxcDfxU=",
|
||||||
"owner": "danth",
|
"owner": "danth",
|
||||||
"repo": "stylix",
|
"repo": "stylix",
|
||||||
"rev": "faa5a34c3fd533b289ed082ff2b0e579634e3e4f",
|
"rev": "100b968012804d6526c5f48a32c30680916bc474",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -1131,11 +1131,11 @@
|
||||||
},
|
},
|
||||||
"wrapper-manager": {
|
"wrapper-manager": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1750422615,
|
"lastModified": 1750605920,
|
||||||
"narHash": "sha256-+HCOFcrVM+cvvivuQxW9vMOon3T8b1sGtlPze5vLGCI=",
|
"narHash": "sha256-H7aKzVWtX2Efp8DwCuMrZex+IiXII2/PF5rO+Mu5oYU=",
|
||||||
"owner": "viperML",
|
"owner": "viperML",
|
||||||
"repo": "wrapper-manager",
|
"repo": "wrapper-manager",
|
||||||
"rev": "754ed625186e67f588d6dd664afbbfda8128a7e3",
|
"rev": "238d49c10383cd1db56d694bff9d573684c71526",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
|
@ -4,12 +4,11 @@
|
||||||
tuba
|
tuba
|
||||||
gimp
|
gimp
|
||||||
deno
|
deno
|
||||||
ptyxis
|
|
||||||
heroic
|
heroic
|
||||||
aspell
|
aspell
|
||||||
|
ptyxis
|
||||||
muzika
|
muzika
|
||||||
foliate
|
foliate
|
||||||
fractal
|
|
||||||
gapless
|
gapless
|
||||||
inkscape
|
inkscape
|
||||||
r2modman
|
r2modman
|
||||||
|
@ -19,6 +18,7 @@
|
||||||
wl-clipboard
|
wl-clipboard
|
||||||
prismlauncher
|
prismlauncher
|
||||||
authenticator
|
authenticator
|
||||||
|
cinny-desktop
|
||||||
# nexusmods-app-unfree
|
# nexusmods-app-unfree
|
||||||
hunspellDicts.en_CA-large
|
hunspellDicts.en_CA-large
|
||||||
];
|
];
|
||||||
|
|
9
secrets/cookieSecret.age
Normal file
9
secrets/cookieSecret.age
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFZLUVVkUSBXVC9Y
|
||||||
|
ejZDRVFXa0dHeXpaVTFPaTlRUkNkR29WTkpuRGhSS2RCZmlMN0E0CkU4WFQwN0RL
|
||||||
|
Z2VMM29waDRDMi95bVpHNnk0ZVB4RlZLOUxzUlJHSE9JdlUKLT4gPC1ncmVhc2Ug
|
||||||
|
SzZzN3tJPyBmVVdJWApudwotLS0gTnZYRGdzQmpYM2VhZW1tWFo3V21LKzVSRXBV
|
||||||
|
cXZSYkQwVEhLOGlWcnJKawomBD/OVJ+bpe4aczYDXDRMYNdLrVbOVBTjUajac4rZ
|
||||||
|
kzd+VOjYYk319QbmrsPGX3D6I15YcCGdY+tfXjiO5UnTm+wUx5IqiSxCBMQVgDAC
|
||||||
|
h3X5aRXBELvC8iwoR/gy
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
|
@ -1,12 +1,11 @@
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFZLUVVkUSBOUTRE
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFZLUVVkUSBxL1BV
|
||||||
WFRYRXFXQ2h4U0xoVmt1MXF5WVhNcHJLTDZyOHdKUEVncWRwN0ZVCkhBUVp2TFlG
|
NHlkckQvbnhKNVRodU0yQ0p6LzZKS1E3UHJoSDZvay9iVWZqaVMwCjJKMDZkN0No
|
||||||
OTBocE1xM0ZhblhCaUhFVTdpSUwrcmlmWmRiR3llbDE5SWMKLT4gPUgtZ3JlYXNl
|
alJ4Z1pOTHpvQ2cyMHB2OGloWW14ZnFOWktoUnJvRWs1QncKLT4gQS1ncmVhc2Ug
|
||||||
IEkvR3AgQHlCQDJgWSA3ZjtnKUhJCjdmalZjNWpvendTNWdqYTh6TU5QOS9IT3g5
|
WHAKQ0ZYaHZoZjVWbm1qV00vR0pUcElLam55WlVibUk0ekpTZHZDaTJrbm5WVGFw
|
||||||
QWFuN0pGQWVqMUlLSTRhdlRaWjY5bEg0SnNqSDdpazc2U1BBMzUKK1g0bFJIZWhI
|
QWlWWmI0Z3VXMGtJVTBIdEh4Twp5cVdiTXFZZkRWaVQvL000ZnE3cFByT2xlOUQx
|
||||||
aWI5QlRScGFHOEhZRHpaV291ajg3YWpzUFh3djFZVHc0RQotLS0gUWJYQW1VaEFV
|
M3J3Ci0tLSBobVB5TVYvVGl5ZGM5VTkwckNDcFkwa20yMFJ4NFM5V1lrbHNub3dE
|
||||||
Y3grQ3kzSUY0SWk2UWo1WUM5M2tUV2lhQTY5T1hIQUxqRQqmwjz0Y6d7mAuEWPO3
|
OG13CvoG3JJMeKhyYscnS7TVzdP22vTVt3KA4+weyMLeM0bPIG8Zy4pMcNonsxCD
|
||||||
UGfQsIaGnQ2JAHuwtR3J8LtFmI9hyNdU4lpfs611QMX+7Calx707XEG5xrKWtT6F
|
MnAi7NFjYWx1mdWWC69JX/QbLmBab/gnzsgn1L+lw/7V6VSYg2gm9U5ekvTWCU8e
|
||||||
tQRWIvAGu2FVzxow8deDAlWVs8lNnr8url4N4Ii5XMkLFyW0BTgZ5t8cSy6tKvW6
|
riBaAGo=
|
||||||
SN8o
|
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
|
9
secrets/oidcJwtSecretEnv.age
Normal file
9
secrets/oidcJwtSecretEnv.age
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFZLUVVkUSAvc0Js
|
||||||
|
TkdoaHNQY2JKK3liaWZRTjUrVmJqbWRUZHdTRlJ5emE3bXJCTEFvCitBL0MwazVD
|
||||||
|
TDV0eThLU2ttOXBVQkFqWFVjbjViMllJYngrODZPRjZuaFUKLT4gIy1ncmVhc2Ug
|
||||||
|
azFQKSB2dyRBeXAuaSAvICdESU4zO1MKQmxFeWhXZ1oKLS0tIFFuNjRuN2g0TXIx
|
||||||
|
eHlSbGI0c0MxLzdMWVY3S21jbzgreHQwd2dFUzJuYlEKWCr+LzEM1dxB3+E3TFfX
|
||||||
|
uWJOgQOc6SKNutMSrSw7G/RJZev3EBp9NkJvdSbrSYEVzv3FEUytZFV7EfC9TmXR
|
||||||
|
WoabHyMxaZ0I6IdV0FYaGVQPBf4PT5FPyLKAkWF9bjHBvtwxOCJ+/XT1bzBRLRk=
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
|
@ -1,9 +1,10 @@
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFZLUVVkUSBxZjYy
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFZLUVVkUSB5a0NN
|
||||||
dkxESEMxdUswVDNXZFZ2b1RubTIraFJ6bU9oUXFPNmoxVG41SkRjCkR1cHZBcS9B
|
bUFxRXJ6TnJlTTM5d1JJbG9DSjNNc1hLRWVTTDZNU21tMEVQNlhFCnpjeGtVRFo4
|
||||||
OUdyZXNmS3hHcVBQb0tPMHM4K1lOZXY1SEgwdGNPZHA0ckkKLT4gfTxQVS0tZ3Jl
|
WGNPaml5Ym00dXBlemVXaTdGSm9zVjNHZGVVMnE1WFpCQmMKLT4gT1QrLWdyZWFz
|
||||||
YXNlIGotIHBJfGoydApIbERyaXdVZ0xYc3ZCaXE2d3VYWlFoSkF2TmZDR0VuOHpK
|
ZSA3JTA5fTFTIC1KL3JuNwpRYndkeUhvMTF6VjdPTWpDbUNqaEZiYUd6aEdlZlNO
|
||||||
dU5QaFUvclRvMU9BCi0tLSBNV2tTRm1Yb1BMUE1qd1o3ZXRoblpEMFVKd1dCeHJC
|
dWtnVjYvMFRnWDBicWJDVTAzZXRPeVdnZVVxekFadlNFCmlsajgyeTgvU0hCMlh6
|
||||||
bGVYZFMrblQ1TC9RCkgi4Jlqkr7NYUx5CBZSFbcWUxNqrx59p5zFpshzNFwJic3B
|
ZU1yTXMKLS0tIC8yL3BMdUNXc3VIc0JCMDFlaTg1ZTRNR3FENEZ6ZjF4Ym5idHpu
|
||||||
syvn9t+u22kDcP8QcsfAHrY9WbwOCR4iDJ1z
|
eitWaEkKgTzeyWefh3JvEbGyw4HTzj+IJplwk9uOuSnXyJhB3XbfChdQsNyQ92K0
|
||||||
|
XQo4yefB1+QKXWYX2/gJNVcKAbhcs/EF+XI6qg==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
|