diff options
| author | Emile <git@emile.space> | 2025-02-22 22:44:31 +0100 |
|---|---|---|
| committer | Emile <git@emile.space> | 2025-02-22 22:44:31 +0100 |
| commit | 4100097801550fe86399453b7922875015f34ff9 (patch) | |
| tree | 5c5103bf72b5b422278900a90c138e73a0bcfb65 | |
| parent | e220cd7ed1ff8b9a84e4660519ca0f74720f9e6e (diff) | |
goapp frontend now works on corrino
added an overlay (which took quite some time, as I forgot to include the self parameter in the argument list...) that allows using the goapp on corrino. So now you can... ... use the template ... see the package status after it has been built using hydra ... build the package from the packages exposed by the flake ... use the package on machines including it using an overlay I'm actually quite satisfied with this and hope people find this helpful
23 files changed, 407 insertions, 121 deletions
diff --git a/Makefile b/Makefile index a9d041e..6708a52 100644 --- a/Makefile +++ b/Makefile @@ -8,30 +8,31 @@ help: @echo "dry-activate - build and show different" corrino: - deploy .#corrino --skip-checks -- --show-trace -L + time deploy .#corrino --skip-checks -- --show-trace -L build: - nix run nixpkgs#nix-output-monitor build ".#nixosConfigurations.${HOSTNAME}.config.system.build.toplevel" + time nix run nixpkgs#nix-output-monitor build ".#nixosConfigurations.${HOSTNAME}.config.system.build.toplevel" update: - nix flake update --commit-lock-file + time nix flake update --commit-lock-file switch-caladan: - nix run https://github.com/LnL7/nix-darwin/archive/master.tar.gz -- switch --flake .#caladan + time nix run https://github.com/LnL7/nix-darwin/archive/master.tar.gz -- switch --flake .#caladan build-corrino: - nix run nixpkgs#nix-output-monitor build .#nixosConfigurations.${HOSTNAME}.config.system.build.toplevel + time nix run nixpkgs#nix-output-monitor build .#nixosConfigurations.${HOSTNAME}.config.system.build.toplevel -deploy: build - nix run -- nixpkgs#nixos-rebuild switch \ +deploy: # build + time nix run -- nixpkgs#nixos-rebuild switch \ + -vvv \ --fast \ --build-host root@${BUILDHOST} \ --target-host root@${HOSTNAME} \ --flake ".#${HOSTNAME}" check: - nix flake check + time nix flake check dry-activate: - nix run -- nixpkgs#nixos-rebuild dry-activate --target-host root@${HOSTNAME} --flake ".#corrino" + time nix run -- nixpkgs#nixos-rebuild dry-activate --target-host root@${HOSTNAME} --flake ".#corrino" diff --git a/flake.lock b/flake.lock index 7b65192..74f93e1 100644 --- a/flake.lock +++ b/flake.lock @@ -218,6 +218,23 @@ "url": "https://github.com/nixos/nixpkgs" } }, + "nixpkgs2": { + "locked": { + "lastModified": 1739923778, + "narHash": "sha256-BqUY8tz0AQ4to2Z4+uaKczh81zsGZSYxjgvtw+fvIfM=", + "ref": "nixos-24.11", + "rev": "36864ed72f234b9540da4cf7a0c49e351d30d3f1", + "shallow": true, + "type": "git", + "url": "ssh://git@github.com/nixos/nixpkgs.git" + }, + "original": { + "ref": "nixos-24.11", + "shallow": true, + "type": "git", + "url": "ssh://git@github.com/nixos/nixpkgs.git" + } + }, "root": { "inputs": { "agenix": "agenix", @@ -227,7 +244,8 @@ "home-manager": "home-manager_2", "naersk": "naersk", "nixpkgs": "nixpkgs", - "nixpkgs-unstable": "nixpkgs-unstable" + "nixpkgs-unstable": "nixpkgs-unstable", + "nixpkgs2": "nixpkgs2" } }, "systems": { diff --git a/flake.nix b/flake.nix index 51e0093..030fbe2 100644 --- a/flake.nix +++ b/flake.nix @@ -1,6 +1,7 @@ { inputs = { nixpkgs.url = "git+ssh://git@github.com/nixos/nixpkgs.git?shallow=1&ref=nixos-24.11"; + nixpkgs2.url = "git+ssh://git@github.com/nixos/nixpkgs.git?shallow=1&ref=nixos-24.11"; nixpkgs-unstable.url = "git+https://github.com/nixos/nixpkgs?ref=nixpkgs-unstable"; # nix darwin version must match nixpkgs version: @@ -35,20 +36,56 @@ outputs = { self, - nixpkgs, # packages + nixpkgs, # packages + nixpkgs2, # packages2 nixpkgs-unstable, # unstable branch - darwin, # darwin related stuff - deploy-rs, # deploy the hosts - agenix, # store secrets crypted using age - home-manager, # manage my home envs - naersk, # build rust stuff - flake-utils, # common flake utils + darwin, # darwin related stuff + deploy-rs, # deploy the hosts + agenix, # store secrets crypted using age + home-manager, # manage my home envs + naersk, # build rust stuff + flake-utils, # common flake utils # hefe-internal, # internal tooling ... }@inputs: let lib = import ./nix/lib inputs; helper = lib.flake-helper; + + # TODO(emile): move all these functions into the helper, keeping the flake.nix clean + + # A function taking an attribute set of flake templates, importing their + # flake.nix/output/packages (if there are any) and returning an attribute set + # of their packages (if the template has one or more) + template-packages = + templ: + (builtins.mapAttrs ( + name: value: + (((import ./nix/templates/${name}/flake.nix).outputs) { + inherit flake-utils; + + # need to provide nixpkgs WITHOUT the overlay for the packages defined in the template applied + nixpkgs = nixpkgs; + }).packages or { } + ) templ); + + # apply the above function to the templates + templates = template-packages self.templates; + + # Merge template packages into root packages with template prefix + mergedTemplatePackages = + system: + let + lib = nixpkgs.lib; + in + lib.foldl ( + acc: tplName: + let + tplPkgs = templates.${tplName}.${system} or { }; + prefixed = lib.mapAttrs' (pkgName: pkg: lib.nameValuePair "${tplName}-${pkgName}" pkg) tplPkgs; + in + acc // prefixed + ) { } (builtins.attrNames templates); in { hosts = { @@ -63,15 +100,15 @@ }; # main vm host - # + # # in case of broken config, reboot into recovery, then: - # + # # cryptsetup luksOpen /dev/md1 luks0 # mount /dev/disk/by-label/root /mnt # mkdir /mnt/boot # mount /dev/disk/by-label/root /mnt # grub-reboot --boot-directory /mnt/boot "Ni" <- press tab and choose wisely - # + # # also see # //nix/hosts/corrino/hetzner-dedicated-wipe-and-install-nixos-luks-raid-lvm.sh corrino = { @@ -80,6 +117,18 @@ description = "Hetzner AX41 dual 512GB NVME"; modules = [ # hefe-internal.nixosModules.corrino + ( + { self, ... }: + { + nixpkgs.overlays = [ + (final: prev: { + inherit (self.packages.x86_64-linux) + goapp-frontend + ; + }) + ]; + } + ) ]; }; chusuk = { @@ -120,7 +169,7 @@ # lankiveil = { # system = "x86_64-linux"; # ???, ???, RTX A2000 - # description = ""; + # description = "Router"; # }; # poritrin = { # description = "lankiveil bmc"; @@ -155,13 +204,11 @@ }; overlays = { - emile = import ./nix/pkgs/overlay.nix; + default = self.overlays.x86_64-linux; x86_64-linux = import ./nix/pkgs/x86_64-linux.nix; aarch64-darwin = import ./nix/pkgs/aarch64-darwin.nix; - default = self.overlays.x86_64-linux; - unstable = final: prev: { unstable = import nixpkgs-unstable { system = "x86_64-linux"; @@ -169,9 +216,9 @@ }; }; - # no clue why, but when rebuilding corrino and this not being commented, something in the - # hardware.bluetooth module breaks - # + # no clue why, but when rebuilding corrino and this not being commented, + # something in the hardware.bluetooth module breaks + # # unstable-darwin = final: prev: { # unstable-darwin = import nixpkgs-unstable { # system = "aarch64-darwin"; @@ -195,7 +242,6 @@ pkgs = import nixpkgs { inherit system; overlays = [ - ( if system == "x86_64-linux" then self.overlays.x86_64-linux @@ -204,30 +250,20 @@ else null ) - # self.overlays.emile - # some arguments for packages (_: _: { inherit naersk; }) ]; }; in - { + # take all the packages exposed from templates and add them to + # the packages exposed by this flake + mergedTemplatePackages system + // { inherit (pkgs) vokobe r2wars-web remarvin; } ); - hydraJobs = let - # A function taking an attribute set of flake templates, importing their flake.nix and returning an attribute ste of their packages (if the template has one or more) - template-packages = templ: - (builtins.mapAttrs - (name: value: - ( - ( - (import ./nix/templates/${name}/flake.nix).outputs) { - inherit nixpkgs flake-utils; - }).packages or {}) - templ); - in { + hydraJobs = { inherit (self) packages; nixosConfigurations = helper.buildHosts self.nixosConfigurations; templates = template-packages self.templates; @@ -260,7 +296,8 @@ ''; }; - # checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib; + # checks = builtins.mapAttrs (system: deployLib: + # deployLib.deployChecks self.deploy) deploy-rs.lib; + }; }; - }; } diff --git a/nix/hosts/corrino/configuration.nix b/nix/hosts/corrino/configuration.nix index d453b34..52e9ecf 100644 --- a/nix/hosts/corrino/configuration.nix +++ b/nix/hosts/corrino/configuration.nix @@ -27,6 +27,8 @@ in ./www/git ./www/nix-cache + ./www/goapp.emile.space.nix + # screego # web @@ -42,7 +44,7 @@ in ./www/photo - # ./www/tickets.emile.space.nix + ./www/tickets.emile.space.nix # ./www/talks.emile.space.nix # ./www/stream.emile.space.nix ./www/md.emile.space.nix diff --git a/nix/hosts/corrino/ports.nix b/nix/hosts/corrino/ports.nix index 10ae593..bb64934 100644 --- a/nix/hosts/corrino/ports.nix +++ b/nix/hosts/corrino/ports.nix @@ -24,6 +24,7 @@ restic = 8002; nocodb = 8003; goatcounter = 8004; + goapp = 8005; r2wars-web = 8089; ctf = 8338; magic-hash = 8339; diff --git a/nix/hosts/corrino/secrets/goapp_oidc_secret.age b/nix/hosts/corrino/secrets/goapp_oidc_secret.age new file mode 100644 index 0000000..a842003 --- /dev/null +++ b/nix/hosts/corrino/secrets/goapp_oidc_secret.age Binary files differdiff --git a/nix/hosts/corrino/vm.nix b/nix/hosts/corrino/vm.nix index 37d1356..78d818f 100644 --- a/nix/hosts/corrino/vm.nix +++ b/nix/hosts/corrino/vm.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ pkgs, ... }: { services.emile.libvirtnix = { @@ -15,6 +15,19 @@ uuid = "E34DE478-1402-45BB-B3FD-FC960549258E"; genid = "CA1E2462-1E9D-404C-8DDB-19EEF9D9651B"; + os = { + nvram = { + type = "network"; + source = { + mirror = { + abi = "copy"; + ready = "yes"; + type = "network"; + }; + }; + }; + }; + packages = { libvirt = pkgs.libvirt; qemu = pkgs.qemu; diff --git a/nix/hosts/corrino/www/goapp.emile.space.nix b/nix/hosts/corrino/www/goapp.emile.space.nix new file mode 100644 index 0000000..4a486aa --- /dev/null +++ b/nix/hosts/corrino/www/goapp.emile.space.nix @@ -0,0 +1,78 @@ +{ config, pkgs, ... }: + +{ + services.nginx.virtualHosts."goapp.emile.space" = { + forceSSL = true; + enableACME = true; + + locations = { + "/" = { + proxyPass = "http://${config.services.emile.goapp-frontend.host}:${toString config.services.emile.goapp-frontend.port}"; + }; + }; + }; + + services.authelia.instances.main.settings.identity_providers.oidc.clients = [ + { + id = "goapp"; + + # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 + secret = "$pbkdf2-sha512$310000$/Ht5DUFmIeu/7Ty2PWHXnw$.uJIN1vmZMyGjCAoA0PzUcVaTMIH36AK80KvOZAHVXgLr1Y9ZOrRjoiwK.srHAO29mrcw1BNpCjFTYdWOoympg"; + public = false; + authorization_policy = "two_factor"; + redirect_uris = [ + # "http://localhost:8080/oauth2/callback" + "https://goapp.emile.space/oauth2/callback" + ]; + scopes = [ + "openid" + "email" + "profile" + "groups" + ]; + grant_types = [ + "refresh_token" + "authorization_code" + ]; + response_types = [ "code" ]; + response_modes = [ + "form_post" + "query" + "fragment" + ]; + token_endpoint_auth_method = "client_secret_post"; + } + ]; + + environment.systemPackages = with pkgs; [ goapp-frontend ]; + + # deploy: + # - push code + # - build in order to get the new hash (nix build .#goapp-frontend-pkg) + # - update hash in the package (//nix/templates/goapp/frontent/default.nix) + # - deploy + + # services.emile.goapp-frontend = { + # enable = true; + # package = pkgs.goapp-frontend; + + # host = "127.0.0.1"; + # port = config.emile.ports.goapp-frontend; + # public-url = "https://goapp-frontend.emile.space/"; + + # oidc = { + # id = "goapp-frontend"; + # issuer = "https://sso.emile.space"; + # cookie-name = "oidc-client"; + # scopes = [ "openid" "profile" "email" "groups" ]; + # secret-path = "/run/goapp-frontend_oidc_secret"; + # }; + + # # TODO(emile): change these when going live + # session-key-path = config.age.secrets.goapp-frontend_oidc_secret.path; + + # logfile-path = "/var/log/goapp-frontend.log"; + # database-path = "/var/lib/goapp-frontend/main.db"; + # sessiondb-path = "/var/lib/goapp-frontend/session.db"; + # }; +} diff --git a/nix/hosts/corrino/www/templates/goapp/default.nix b/nix/hosts/corrino/www/templates/goapp/default.nix deleted file mode 100644 index 716d6ab..0000000 --- a/nix/hosts/corrino/www/templates/goapp/default.nix +++ /dev/null @@ -1,30 +0,0 @@ - -{ - services.authelia.instances.main.settings.identity_providers.oidc.clients = [ - { - id = "goapp"; - - # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 - secret = "$pbkdf2-sha512$310000$WUai4pp1ZVJDrJ8j6ICLiQ$NOMMaCZ3gt.x.a09MWatMkJWQIaH0QeWgRXSbuD2iWRwR.N6MWmJA6QO.LIKcxn6l.zHZN4bO1Ztsrbo9010Tw"; - public = false; - authorization_policy = "two_factor"; - redirect_uris = [ "https://127.0.0.1:8080/auth/oauth2/callback" ]; - scopes = [ - "openid" - "email" - "profile" - ]; - grant_types = [ - "refresh_token" - "authorization_code" - ]; - response_types = [ "code" ]; - response_modes = [ - "form_post" - "query" - "fragment" - ]; - token_endpoint_auth_method = "client_secret_post"; - } - ]; -} diff --git a/nix/modules/goapp-frontend/default.nix b/nix/modules/goapp-frontend/default.nix new file mode 100644 index 0000000..31573f7 --- /dev/null +++ b/nix/modules/goapp-frontend/default.nix @@ -0,0 +1,134 @@ +{ + config, + lib, + pkgs, + ... +}: + +let + cfg = config.services.emile.goapp-frontend; +in +with lib; +{ + options.services.emile.goapp-frontend = { + enable = mkEnableOption "Enable goapp-frontend"; + package = mkPackageOption pkgs "goapp-frontend" { }; + + # ip, port and external host to listen on + host = mkOption { + type = types.str; + default = "127.0.0.1"; + example = "0.0.0.0"; + description = "The host the service listens on"; + }; + port = mkOption { + type = types.int; + default = 8080; + example = 8080; + description = "The port the service listens on"; + }; + public-url = mkOption { + type = types.str; + default = "http://localhost:8080/"; + example = "https://goapp.emile.space/"; + description = '' + The domain that the service can be reached from externally. This is used by oidc for redirects and thus should be set, as you'll probably be running this behind some kind of reverse proxy. + ''; + }; + + # the oidc config + oidc = mkOption { + type = types.submodule { + options = { + id = mkOption { + type = types.str; + default = ""; + example = "AiliavahweiweeG5"; + description = "The oidc id"; + }; + issuer = mkOption { + type = types.str; + default = ""; + example = "https://sso.emile.space"; + description = "The oidc identity provider"; + }; + cookie-name = mkOption { + type = types.str; + default = "oidc-client"; + example = "CookieMcCookieface"; + description = "The oidc cookie name"; + }; + scopes = mkOption { + type = types.listOf types.str; + default = [ "openid" "profile" "email" "groups" ]; + example = [ "openid" "profile" "email" ]; + description = "The openid scopes to request"; + }; + secret-path = mkOption { + type = types.str; + default = ""; + example = "/run/goapp_oidc_secret"; + description = "The path to the oidc secret"; + }; + }; + }; + }; + + # paths to files + session-key-path = mkOption { + type = types.str; + default = ""; + example = "/run/sesionkey"; + description = "The path to a file containing the sessionKey"; + }; + logfile-path = mkOption { + type = types.str; + default = "/var/log/goapp-frontend.log"; + example = "/var/log/goapp-frontend.log"; + description = "The path to where the logfile should be written"; + }; + + database-path = mkOption { + type = types.str; + default = "/var/lib/goapp-frontend/main.db"; + example = "/var/lib/goapp-frontend/main.db"; + description = "The path to the main database"; + }; + sessiondb-path = mkOption { + type = types.str; + default = "/var/lib/goapp-frontend/sessions.db"; + example = "/var/lib/goapp-frontend/sessions.db"; + description = "The path to the sessions database"; + }; + }; + + config = mkIf cfg.enable { + systemd.services.goapp-frontend = { + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + RestartSec = 5; + Restart = "on-failure"; + }; + environment = { + VERSION = pkgs.goapp-frontend.version; + }; + path = [ pkgs.goapp-frontend ]; + serviceConfig.ExecStart = '' + ${pkgs.goapp-frontend}/bin/goapp-frontend \ + --host ${cfg.host} \ + --port ${toString cfg.port} \ + --public-url ${cfg.public-url} \ + --id ${cfg.oidc.id} \ + --issuer ${cfg.oidc.issuer} \ + --cookie-name ${cfg.oidc.cookie-name} \ + --scopes ${concatStringsSep "," cfg.oidc.scopes} \ + --oidc-secret-path ${cfg.oidc.secret-path} \ + --logfilepath ${cfg.logfile-path} \ + --databasepath ${cfg.database-path} \ + --sessiondbpath ${cfg.sessiondb-path} \ + --sessionkeypath ${cfg.session-key-path} \ + --templatespath ${pkgs.goapp-frontend}/templates + ''; + }; + }; +} diff --git a/nix/modules/x86_64-linux.nix b/nix/modules/x86_64-linux.nix index e5dbc64..62945b3 100644 --- a/nix/modules/x86_64-linux.nix +++ b/nix/modules/x86_64-linux.nix @@ -4,6 +4,7 @@ ./r2wars-web ./remarvin ./filebrowser - ./libvirtnix + # ./libvirtnix + ./goapp-frontend ]; } diff --git a/nix/pkgs/overlay.nix b/nix/pkgs/overlay.nix deleted file mode 100644 index e213533..0000000 --- a/nix/pkgs/overlay.nix +++ /dev/null @@ -1,9 +0,0 @@ -final: prev: { - vokobe = final.callPackage ./vokobe { inherit (final) naersk; }; - r2wars-web = final.callPackage ./r2wars-web { }; - remarvin = final.callPackage ./remarvin { }; - - pretalx_old = prev.pretalx.overrideAttrs ( old: { - version = "2024.1.0"; - }); -} diff --git a/nix/pkgs/x86_64-linux.nix b/nix/pkgs/x86_64-linux.nix index f5e8b60..c186cc4 100644 --- a/nix/pkgs/x86_64-linux.nix +++ b/nix/pkgs/x86_64-linux.nix @@ -2,5 +2,5 @@ final: prev: { vokobe = final.callPackage ./vokobe { inherit (final) naersk; }; r2wars-web = final.callPackage ./r2wars-web { }; remarvin = final.callPackage ./remarvin { }; - libc-database = final.callPackage ./libc-database {}; + # libc-database = final.callPackage ./libc-database {}; } diff --git a/nix/templates/goapp/flake.nix b/nix/templates/goapp/flake.nix index 1ca876f..385f1bf 100644 --- a/nix/templates/goapp/flake.nix +++ b/nix/templates/goapp/flake.nix @@ -12,20 +12,26 @@ overlays = [ ]; }; + # take a name and return an attrset with a corresponding package and docker container package-and-docker = name: (let - pkgname = name + "-pkg"; + # define the name for the package and docker container + pkgname = name; dockername = name + "-docker"; + # import the package itself package = import ./${name} { inherit pkgs name; }; + + # define the container + container = pkgs.dockerTools.buildImage { + name = "${name}"; # TODO(emile): this could simply be `inherit name;` iinw + config.Cmd = [ "${package}/bin/${name}" ]; + }; in { # the raw package ${pkgname} = package; # the docker image - ${dockername} = pkgs.dockerTools.buildImage { - name = "${name}"; - config.Cmd = [ "${package}/bin/${name}" ]; - }; + ${dockername} = container; }); in { diff --git a/nix/templates/goapp/frontend/default.nix b/nix/templates/goapp/frontend/default.nix index 42ccb79..7b5caa8 100644 --- a/nix/templates/goapp/frontend/default.nix +++ b/nix/templates/goapp/frontend/default.nix @@ -4,13 +4,20 @@ let version = "0.0.1"; in pkgs.buildGoModule { - name = "${name}-${version}"; pname = "${name}"; version = "${version}"; src = ./.; - subPackages = [ "src" ]; - vendorHash = "sha256-VXuhsXejduIcthawj4qu7hruBEDegj27YY0ym5srMQY="; - doCheck = true; + # use the dependencies directly from the vendor/ folder + # vendorHash = null; + + vendorHash = "sha256-dXWwAP0XM24cAcDV87XHQX9dLg6TDQ7ZVfEFgW/Q+J4="; + + doCheck = false; + + postInstall = '' + cp -r templates $out + mv $out/bin/{src,${name}} + ''; } diff --git a/nix/templates/goapp/frontend/go.mod b/nix/templates/goapp/frontend/go.mod index fecf4ac..a71f5a0 100644 --- a/nix/templates/goapp/frontend/go.mod +++ b/nix/templates/goapp/frontend/go.mod @@ -1,20 +1,20 @@ -module github.com/hanemile/goapp/backend +module github.com/hanemile/goapp/frontend go 1.23.5 require ( + github.com/coreos/go-oidc/v3 v3.12.0 github.com/gorilla/handlers v1.5.2 github.com/gorilla/mux v1.8.1 github.com/gorilla/securecookie v1.1.2 github.com/gorilla/sessions v1.4.0 github.com/mattn/go-sqlite3 v1.14.24 - golang.org/x/crypto v0.33.0 + github.com/spf13/cobra v1.9.1 golang.org/x/oauth2 v0.21.0 modernc.org/sqlite v1.34.5 ) require ( - github.com/coreos/go-oidc/v3 v3.12.0 // indirect github.com/dustin/go-humanize v1.0.1 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect github.com/go-jose/go-jose/v4 v4.0.2 // indirect @@ -23,8 +23,8 @@ require ( github.com/mattn/go-isatty v0.0.20 // indirect github.com/ncruces/go-strftime v0.1.9 // indirect github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect - github.com/spf13/cobra v1.9.1 // indirect github.com/spf13/pflag v1.0.6 // indirect + golang.org/x/crypto v0.33.0 // indirect golang.org/x/sys v0.30.0 // indirect modernc.org/libc v1.55.3 // indirect modernc.org/mathutil v1.6.0 // indirect diff --git a/nix/templates/goapp/frontend/go.sum b/nix/templates/goapp/frontend/go.sum index 365e2c5..15bbb6f 100644 --- a/nix/templates/goapp/frontend/go.sum +++ b/nix/templates/goapp/frontend/go.sum @@ -1,6 +1,8 @@ github.com/coreos/go-oidc/v3 v3.12.0 h1:sJk+8G2qq94rDI6ehZ71Bol3oUHy63qNYmkiSjrc/Jo= github.com/coreos/go-oidc/v3 v3.12.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0= github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= @@ -31,6 +33,8 @@ github.com/mattn/go-sqlite3 v1.14.24 h1:tpSp2G2KyMnnQu99ngJ47EIkWVmliIizyZBfPrBW github.com/mattn/go-sqlite3 v1.14.24/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y= github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdhx/f4= github.com/ncruces/go-strftime v0.1.9/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE= github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= @@ -38,6 +42,8 @@ github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo= github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0= github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o= github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8= +github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus= golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M= golang.org/x/mod v0.16.0 h1:QX4fJ0Rr5cPQCF7O9lh9Se4pmwfwskqZfq5moyldzic= @@ -50,6 +56,7 @@ golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/tools v0.19.0 h1:tfGCXNR1OsFG+sVdLAitlpjAvD/I6dHDKnYrpEZUHkw= golang.org/x/tools v0.19.0/go.mod h1:qoJWxmGSIBmAeriMx19ogtrEPrGtDbPK634QFIcLAhc= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= modernc.org/cc/v4 v4.21.4 h1:3Be/Rdo1fpr8GrQ7IVw9OHtplU4gWbb+wNgeoBMmGLQ= modernc.org/cc/v4 v4.21.4/go.mod h1:HM7VJTZbUCR3rV8EYBi9wxnJ0ZBRiGE5OeGXNA0IsLQ= diff --git a/nix/templates/goapp/frontend/run.sh b/nix/templates/goapp/frontend/run.sh index d68b840..b2624f3 100755 --- a/nix/templates/goapp/frontend/run.sh +++ b/nix/templates/goapp/frontend/run.sh @@ -7,4 +7,5 @@ export SESSION_KEY=aes1Itheich4aeQu9Ouz7ahcaiVoogh9 go run ./... \ --id goapp \ --issuer "https://sso.emile.space" \ - --secret "KGFO5LQnUxu1Zs.35gOem3MaG8odthg1U0v0.kScVPS6TPTWVRnAdT_nj4PYYSfuU6jdzTM6" + --secret "KGFO5LQnUxu1Zs.35gOem3MaG8odthg1U0v0.kScVPS6TPTWVRnAdT_nj4PYYSfuU6jdzTM6" \ + $@ diff --git a/nix/templates/goapp/frontend/server.log b/nix/templates/goapp/frontend/server.log index 4b6cff5..6c4d6dc 100644 --- a/nix/templates/goapp/frontend/server.log +++ b/nix/templates/goapp/frontend/server.log @@ -177,3 +177,5 @@ ::1 - - [19/Feb/2025:19:43:29 +0100] "GET /oauth2/callback?code=authelia_ac_8UdV__GJCN9gxJrYa629TC3FToyDDhsbacPbJzhvcJ4.uPw2-_N4jQr7xf7JNZ_IZBNHEq-eeOFoZup7Vwjx1Y0&iss=https%3A%2F%2Fsso.emile.space&scope=openid+profile+email+groups&state=random-string-here HTTP/1.1" 500 142 ::1 - - [19/Feb/2025:19:49:22 +0100] "GET / HTTP/1.1" 200 6587 ::1 - - [19/Feb/2025:19:49:23 +0100] "GET /login HTTP/1.1" 302 242 +::1 - - [19/Feb/2025:19:56:09 +0100] "GET / HTTP/1.1" 200 6587 +::1 - - [19/Feb/2025:19:56:12 +0100] "GET /login HTTP/1.1" 302 242 diff --git a/nix/templates/goapp/frontend/src/handlers.go b/nix/templates/goapp/frontend/src/handlers.go index 8fdd325..b0bbf91 100644 --- a/nix/templates/goapp/frontend/src/handlers.go +++ b/nix/templates/goapp/frontend/src/handlers.go @@ -134,7 +134,6 @@ func oauthCallbackHandler(res http.ResponseWriter, req *http.Request) { if req.FormValue("error") != "" { log.Printf("got an error from the idp: %s", req.FormValue("error")) http.Redirect(res, req, fmt.Sprintf("/error?%s", req.Form.Encode()), http.StatusFound) - return } diff --git a/nix/templates/goapp/frontend/src/init.go b/nix/templates/goapp/frontend/src/init.go index 97e58f0..dc0e252 100644 --- a/nix/templates/goapp/frontend/src/init.go +++ b/nix/templates/goapp/frontend/src/init.go @@ -32,12 +32,17 @@ func dbInit() { func sessionInit() { log.Println("[i] Setting up Session Storage...") + session_key, err := os.ReadFile(options.SessionKeyPath) + if err != nil { + log.Println("Could not read Session key") + panic(err) + } store, err := NewSqliteStore( sessiondbPath, "sessions", "/", 3600, - []byte(os.Getenv("SESSION_KEY"))) + session_key) if err != nil { panic(err) } @@ -60,14 +65,21 @@ func oauth2Init() (err error) { } verifier = provider.Verifier(&oidc.Config{ClientID: options.ClientID}) + + clientSecretBytes, err := os.ReadFile(options.ClientSecretPath) + if err != nil { + panic(err) + } + clientSecret := string(clientSecretBytes) + log.Printf("[ ] ClientID: %s", options.ClientID) - log.Printf("[ ] ClientSecret: %s", options.ClientSecret) + log.Printf("[ ] ClientSecret: %s", clientSecret) log.Printf("[ ] redirectURL: %s", redirectURL.String()) log.Printf("[ ] providerEndpoint: %+v", provider.Endpoint()) log.Printf("[ ] Scopes: %s", options.Scopes) oauth2Config = oauth2.Config{ ClientID: options.ClientID, - ClientSecret: options.ClientSecret, + ClientSecret: clientSecret, RedirectURL: redirectURL.String(), Endpoint: provider.Endpoint(), Scopes: strings.Split(options.Scopes, ","), diff --git a/nix/templates/goapp/frontend/src/main.go b/nix/templates/goapp/frontend/src/main.go index fcf4224..72ec7ee 100644 --- a/nix/templates/goapp/frontend/src/main.go +++ b/nix/templates/goapp/frontend/src/main.go @@ -38,18 +38,21 @@ func main() { rootCmd := &cobra.Command{Use: "goapp", RunE: root} - rootCmd.Flags().StringVar(&options.Host, "host", "0.0.0.0", "Specifies the tcp host to listen on") + rootCmd.Flags().StringVar(&options.Host, "host", "127.0.0.1", "Specifies the tcp host to listen on") rootCmd.Flags().IntVar(&options.Port, "port", 8080, "Specifies the port to listen on") rootCmd.Flags().StringVar(&options.PublicURL, "public-url", "http://localhost:8080/", "Specifies the root URL to generate the redirect URI") rootCmd.Flags().StringVar(&options.ClientID, "id", "", "Specifies the OpenID Connect Client ID") - rootCmd.Flags().StringVarP(&options.ClientSecret, "secret", "s", "", "Specifies the OpenID Connect Client Secret") + rootCmd.Flags().StringVarP(&options.ClientSecretPath, "oidc-secret-path", "s", "", "Specifies the OpenID Connect Client Secret path") rootCmd.Flags().StringVarP(&options.Issuer, "issuer", "i", "", "Specifies the URL for the OpenID Connect OP") rootCmd.Flags().StringVar(&options.Scopes, "scopes", "openid,profile,email,groups", "Specifies the OpenID Connect scopes to request") rootCmd.Flags().StringVar(&options.CookieName, "cookie-name", "oidc-client", "Specifies the storage cookie name to use") rootCmd.Flags().StringSliceVar(&options.Filters, "filters", []string{}, "If specified filters the specified text from html output (not json) out of the email addresses, display names, audience, etc") rootCmd.Flags().StringSliceVar(&options.GroupsFilter, "groups-filter", []string{}, "If specified only shows the groups in this list") - rootCmd.Flags().StringVar(&options.LogFilePath, "logpath", "./server.log", "Specifies the path to store the server logs at") + rootCmd.Flags().StringVar(&options.LogFilePath, "logfilepath", "./server.log", "Specifies the path to store the server logs at") rootCmd.Flags().StringVar(&options.TemplatesPath, "templatespath", "./templates", "Specifies the path to where the templates are stored") + rootCmd.Flags().StringVar(&options.DatabasePath, "databasepath", "./main.db", "Specifies the path to where the database is stored") + rootCmd.Flags().StringVar(&options.SessionDBPath, "sessiondbpath", "./sessions.db", "Specifies the path to where the session database is stored") + rootCmd.Flags().StringVar(&options.SessionKeyPath, "sessionkeypath", "", "Specifies the path to where the session key is stored") _ = rootCmd.MarkFlagRequired("id") _ = rootCmd.MarkFlagRequired("secret") diff --git a/nix/templates/goapp/frontend/src/types.go b/nix/templates/goapp/frontend/src/types.go index 7efcc70..97e0db5 100644 --- a/nix/templates/goapp/frontend/src/types.go +++ b/nix/templates/goapp/frontend/src/types.go @@ -50,16 +50,19 @@ type ClamsAddress struct { } type Options struct { - Host string - Port int - LogFilePath string - TemplatesPath string - ClientID string - ClientSecret string - Issuer string - PublicURL string - Scopes string - CookieName string - Filters []string - GroupsFilter []string + ClientID string + ClientSecretPath string + CookieName string + DatabasePath string + Filters []string + GroupsFilter []string + Host string + Issuer string + LogFilePath string + Port int + PublicURL string + Scopes string + SessionDBPath string + SessionKeyPath string + TemplatesPath string } |
