diff options
Diffstat (limited to 'nix/hosts/corrino/www')
| -rw-r--r-- | nix/hosts/corrino/www/goapp.emile.space.nix | 89 | ||||
| -rw-r--r-- | nix/hosts/corrino/www/templates/goapp/default.nix | 30 |
2 files changed, 89 insertions, 30 deletions
diff --git a/nix/hosts/corrino/www/goapp.emile.space.nix b/nix/hosts/corrino/www/goapp.emile.space.nix new file mode 100644 index 0000000..361e95a --- /dev/null +++ b/nix/hosts/corrino/www/goapp.emile.space.nix @@ -0,0 +1,89 @@ +{ config, pkgs, ... }: + +{ + services.nginx.virtualHosts."goapp.emile.space" = { + forceSSL = true; + enableACME = true; + + locations = { + "/" = { + proxyPass = "http://${config.services.emile.goapp-frontend.host}:${toString config.services.emile.goapp-frontend.port}"; + }; + }; + }; + + services.authelia.instances.main.settings.identity_providers.oidc.clients = [ + { + id = "goapp"; + + # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 + secret = "$pbkdf2-sha512$310000$LPXJRoGR9RyTcaT6cADljg$FK8RV5CnKj5ano4fXmRzzvXcX/00F7k/G6nd67t.8iewpwyq8FntV4JgYZSV8AynYMxz1qnL4j3BzITLCM0KgQ"; + public = false; + authorization_policy = "two_factor"; + redirect_uris = [ + "https://goapp.emile.space/oauth2/callback" + ]; + scopes = [ + "openid" + "email" + "profile" + "groups" + ]; + grant_types = [ + "refresh_token" + "authorization_code" + ]; + response_types = [ "code" ]; + response_modes = [ + "form_post" + "query" + "fragment" + ]; + token_endpoint_auth_method = "client_secret_post"; + } + ]; + + environment.systemPackages = with pkgs; [ goapp-frontend ]; + + # deploy: + # - push code + # - build in order to get the new hash (nix build .#goapp-frontend-pkg) + # - update hash in the package (//nix/templates/goapp/frontent/default.nix) + # - deploy + # + # https://goapp.emile.space/oauth2/callback?code=authelia_ac_iZKCXtRMnj2yjUAmiSkg_LBWjiME2-ghE6KMkxdb6Zw.nDLgCVpu9ctH1llEKUml5rr8szd3bkZYaGa_MAOtNLI&iss=https%3A%2F%2Fsso.emile.space&scope=openid+profile+email+groups&state=random-string-here + # + # Unable to exchange authorization code for tokens + # + # unable to exchange authorization code for tokens: oauth2: "invalid_client" "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)." + + services.emile.goapp-frontend = { + enable = true; + package = pkgs.goapp-frontend; + + host = "127.0.0.1"; + port = config.emile.ports.goapp; + public-url = "https://goapp.emile.space/"; + + oidc = { + id = "goapp"; + issuer = "https://sso.emile.space"; + cookie-name = "oidc-client"; + scopes = [ + "openid" + "profile" + "email" + "groups" + ]; + # secret-path = "/run/goapp-frontend_oidc_secret"; + secret-path = config.age.secrets.goapp_oidc_secret.path; + }; + + # TODO(emile): change these when going live + session-key-path = config.age.secrets.goapp_oidc_secret.path; + + logfile-path = "/var/log/goapp-frontend.log"; + database-path = "/var/lib/goapp-frontend/main.db"; + sessiondb-path = "/var/lib/goapp-frontend/session.db"; + }; +} diff --git a/nix/hosts/corrino/www/templates/goapp/default.nix b/nix/hosts/corrino/www/templates/goapp/default.nix deleted file mode 100644 index 716d6ab..0000000 --- a/nix/hosts/corrino/www/templates/goapp/default.nix +++ /dev/null @@ -1,30 +0,0 @@ - -{ - services.authelia.instances.main.settings.identity_providers.oidc.clients = [ - { - id = "goapp"; - - # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 - secret = "$pbkdf2-sha512$310000$WUai4pp1ZVJDrJ8j6ICLiQ$NOMMaCZ3gt.x.a09MWatMkJWQIaH0QeWgRXSbuD2iWRwR.N6MWmJA6QO.LIKcxn6l.zHZN4bO1Ztsrbo9010Tw"; - public = false; - authorization_policy = "two_factor"; - redirect_uris = [ "https://127.0.0.1:8080/auth/oauth2/callback" ]; - scopes = [ - "openid" - "email" - "profile" - ]; - grant_types = [ - "refresh_token" - "authorization_code" - ]; - response_types = [ "code" ]; - response_modes = [ - "form_post" - "query" - "fragment" - ]; - token_endpoint_auth_method = "client_secret_post"; - } - ]; -} |
