From 17c351c5b69575efe53439506cd7223fd1d1e87d Mon Sep 17 00:00:00 2001
From: Yorick van Pelt
Date: Sun, 24 Sep 2023 11:50:24 +0200
Subject: [PATCH] add priv.yori.cc behind oauth2-proxy
---
 nixos/machines/frumar/default.nix | 90 +++++++++++++++++-------
 nixos/machines/frumar/media.nix | 2 -
 secrets/oauth2-proxy.age | Bin 0 -> 612 bytes
 secrets/secrets.nix | 1 +
 4 files changed, 52 insertions(+), 41 deletions(-)
 create mode 100644 secrets/oauth2-proxy.age
diff --git a/nixos/machines/frumar/default.nix b/nixos/machines/frumar/default.nix
index 385c5f6..ecfb1ad 100644
--- a/nixos/machines/frumar/default.nix
+++ b/nixos/machines/frumar/default.nix
@@ -32,6 +32,35 @@
 '';
 };
 };
+ virtualHosts."priv.yori.cc" = let
+ oauth2Block = ''
+ auth_request /oauth2/auth;
+ error_page 401 = /oauth2/sign_in;
+
+ # pass information via X-User and X-Email headers to backend,
+ # requires running with --set-xauthrequest flag
+ auth_request_set $user $upstream_http_x_auth_request_user;
+ auth_request_set $email $upstream_http_x_auth_request_email;
+ proxy_set_header X-User $user;
+ proxy_set_header X-Email $email;
+
+ # if you enabled --cookie-refresh, this is needed for it to work with auth_request
+ auth_request_set $auth_cookie $upstream_http_set_cookie;
+ add_header Set-Cookie $auth_cookie;
+ '';
+ in {
+ onlySSL = true;
+ useACMEHost = "wildcard.yori.cc";
+ locations."/".proxyPass = "http://127.0.0.1:4000";
+ locations."/sonarr" = {
+ proxyPass = "http://127.0.0.1:8989";
+ extraConfig = oauth2Block;
+ };
+ locations."/radarr" = {
+ proxyPass = "http://127.0.0.1:7878";
+ extraConfig = oauth2Block;
+ };
+ };
 virtualHosts."frumar.yori.cc" = {
 enableACME = lib.mkForce false;
 inherit (config.security.y-selfsigned) sslCertificate sslCertificateKey;
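Review bot: The root location `locations."/".proxyPass = "http://127.0.0.1:4000";` carries no `extraConfig = oauth2Block;`, so of the three locations on priv.yori.cc only /sonarr and /radarr sit behind the `auth_request` guard, although the commit title puts the whole host behind oauth2-proxy. If the port-4000 backend is meant to stay public, a comment such as `# intentionally unauthenticated landing page` next to it would stop the next reader from treating it as an oversight; otherwise it needs the same block: `locations."/" = { proxyPass = "http://127.0.0.1:4000"; extraConfig = oauth2Block; };`. The `/oauth2/` endpoints that `error_page 401 = /oauth2/sign_in;` relies on are presumably supplied by the `nginx.virtualHosts = [ "priv.yori.cc" ]` setting in the last hunk of this file rather than by this block, and a one-line comment in `oauth2Block` saying so would make the vhost self-explanatory. Note also that `add_header Set-Cookie $auth_cookie;` inside a location suppresses any `add_header` directives inherited from the server level for that location, which matters if security headers are ever added there.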
@@ -57,37 +86,11 @@
 extraFlags = [ "--web.enable-admin-api" ];
 # victoriametrics
 remoteWrite = [{ url = "http://127.0.0.1:8428/api/v1/write"; }];
- scrapeConfigs = [
- # {
- # job_name = "smartmeter";
- # # prometheus doesn't support mdns :thinking_face:
- # static_configs = [{ targets = [ "192.168.178.30" ]; }];
- # scrape_interval = "10s";
- # }
- {
- job_name = "node";
- static_configs = [{ targets = [ "localhost:9100" ]; }];
- # } {
- # job_name = "unifi";
- # static_configs = [ { targets = [ "localhost:9130" ]; } ];
- }
- # {
- # job_name = "thermometer";
- # static_configs = [{ targets = [ "192.168.178.21:8000" ]; }];
- # }
- # {
- # job_name = "esphome";
- # static_configs = [{ targets = [ "192.168.178.77" ]; }];
- # }
- ];
+ scrapeConfigs = [{
+ job_name = "node";
+ static_configs = [{ targets = [ "localhost:9100" ]; }];
+ }];
 exporters.node.enable = true;
- # exporters.unifi = {
- # enable = true;
- # unifiAddress = "https://localhost:8443";
- # unifiInsecure = true;
- # unifiUsername = "ReadOnlyUser";
- # unifiPassword = "ReadOnlyPassword";
- # };
 };
 services.yorick.paperless = {
 enable = true;
@@ -96,11 +99,11 @@
 };
 boot.zfs.requestEncryptionCredentials = false;
 networking.firewall = {
- interfaces.wg-y.allowedTCPPorts = [ 3000 9090 8443 ];
- # mqtt, wsdd, ??, minecraft
- allowedTCPPorts = [ 1883 5357 443 25565 ];
- # mqtt, wsdd, minecraft
- allowedUDPPorts = [ 1883 3702 25565 ];
+ interfaces.wg-y.allowedTCPPorts = [ 3000 9090 ]; # grafana and prometheus via pennyworth
+ # mqtt
+ allowedTCPPorts = [ 1883 ];
+ # mqtt
+ allowedUDPPorts = [ 1883 ];
 };
 services.rabbitmq = {
 enable = true;
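Review bot: 443 disappears from `allowedTCPPorts` (the new value is `[ 1883 ]`) in the same commit that adds an `onlySSL = true` vhost for priv.yori.cc, and the wg-y list `[ 3000 9090 ]` does not admit it either, so nothing in this diff opens the port the new vhost listens on. If priv.yori.cc is meant to be reached through a tunnel or a trusted interface configured elsewhere, the comment on the wg-y line should say so for 443 as well, e.g. `# 443 for priv.yori.cc arrives via <PLACEHOLDER: tunnel or interface>`; if it is meant to be reached directly, 443 has to go back into `allowedTCPPorts`. The replaced `# mqtt` comments are accurate for the remaining port 1883 on both lists.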
@@ -121,13 +124,14 @@
 };
 };
 age.secrets = {
- grafana.file = ../../../secrets/grafana.env.age;
- frumar-mail-pass.file = ../../../secrets/frumar-mail-pass.age;
 acme-transip-key = {
 file = ../../../secrets/transip-key.age;
 mode = "770";
 group = "acme";
 };
+ frumar-mail-pass.file = ../../../secrets/frumar-mail-pass.age;
+ grafana.file = ../../../secrets/grafana.env.age;
+ oauth2-proxy.file = ../../../secrets/oauth2-proxy.age;
 };
 systemd.services.grafana.serviceConfig.EnvironmentFile = config.age.secrets.grafana.path;
 services.zfs.autoScrub = {
@@ -169,8 +173,6 @@
 python3
 ranger
 jq
- mcrcon
- jdk17_headless
 unzip
 ];
 security.acme.certs."wildcard.yori.cc" = {
@@ -210,4 +212,14 @@
 ZED_NOTIFY_VERBOSE = true;
 ZED_SCRUB_AFTER_RESILVER = true;
 };
+ services.oauth2_proxy = {
+ enable = true;
+ email.addresses = "yorickvanpelt@gmail.com";
+ redirectURL = "https://priv.yori.cc/oauth2/callback";
+ reverseProxy = true;
+ keyFile = config.age.secrets.oauth2-proxy.path;
+ setXauthrequest = true;
+ nginx.virtualHosts = [ "priv.yori.cc" ];
+ extraConfig.whitelist-domain = ["priv.yori.cc"];
+ };
 }
diff --git a/nixos/machines/frumar/media.nix b/nixos/machines/frumar/media.nix
index bd70fe2..6de3600 100644
--- a/nixos/machines/frumar/media.nix
+++ b/nixos/machines/frumar/media.nix
@@ -25,13 +25,11 @@
 enable = true;
 group = "plex";
 user = "plex";
- openFirewall = true;
 };
 services.radarr = {
 enable = true;
 group = "plex";
 user = "plex";
- openFirewall = true;
 };
 users.users.plex.packages = with pkgs; [
 ffmpeg
diff --git a/secrets/oauth2-proxy.age b/secrets/oauth2-proxy.age
new file mode 100644
index 0000000000000000000000000000000000000000..430f592c1709a492341d57564e68ae227c3c9cc5
GIT binary patch
literal 612
zcmV-q0-OC|XJsvAZewzJaCB*JZZ2HUWOzgdRS#?Sw(qiLwHLtF-S;wIY>-bYeGsv3N1b$bXhq#J25S1a%Ew2Wgv2CaeZ)m zDs6*~r|7tJaAHvJ4q~8H^V#BlGTa(Pp=5X~$Lz#67MA%Sj?Pl`Wtp%16cnu8lCP zDL9j8^oM(`p*JAPZBPN^|J)EVP5%31f8ut&fd9(b7W%3RK8h&He(%D>RuRhbasY=d zmFUXY1_bg1eP)7^N@8f6#1+gYvLrQ9p7~2+bxvA&rm`YU*FxF
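Review bot: `oauth2-proxy.file = ../../../secrets/oauth2-proxy.age;` keeps the agenix defaults (root-owned, readable only by root) while the neighbouring `acme-transip-key` sets `mode` and `group` explicitly; that is fine only if the NixOS oauth2_proxy module hands `keyFile` to systemd as an EnvironmentFile, which is read before the service drops privileges — if the service user had to open the file itself it would fail on those defaults. Worth confirming against the module and recording the reason next to the line, e.g. `# read by systemd as EnvironmentFile, so root-only is fine`. The reordering of `frumar-mail-pass` and `grafana` into alphabetical order is purely cosmetic.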
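Review bot: `reverseProxy = true;` makes oauth2-proxy trust `X-Forwarded-*` headers from whatever reaches its listener, and this block does not pin `httpAddress`, so it relies on the module default binding to loopback; setting it explicitly, or a comment stating the loopback assumption, would keep a future bind change from silently exposing a header-trusting listener. The block also sets no `provider`, `clientID` or `cookie.secret`, so those presumably all come from the file behind `keyFile`; a comment listing which `OAUTH2_PROXY_*` variables that file is expected to hold would document the contract between this block and the secret. `extraConfig.whitelist-domain = ["priv.yori.cc"];` is the right restriction on post-login redirects, and `setXauthrequest = true;` matches the `X-User`/`X-Email` handling in the nginx block at the top of this file. Since the media.nix hunk removes `openFirewall = true;` from both sonarr and radarr, those backends are only reachable through the nginx path that sets `X-User`/`X-Email`, which is what trusting those headers requires.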