From 3bab9bb8db06c8c599454d2f353bd29bb480591e Mon Sep 17 00:00:00 2001 From: Emile Date: Sun, 23 Feb 2025 02:16:02 +0100 Subject: corrino: goapp finally working with oidc --- nix/hosts/corrino/secrets/goapp_oidc_secret.age | Bin 395 -> 395 bytes .../corrino/secrets/goapp_oidc_session_key.age | 8 ++++ nix/hosts/corrino/www/goapp.emile.space.nix | 53 +++++++++++++-------- 3 files changed, 40 insertions(+), 21 deletions(-) create mode 100644 nix/hosts/corrino/secrets/goapp_oidc_session_key.age (limited to 'nix/hosts') diff --git a/nix/hosts/corrino/secrets/goapp_oidc_secret.age b/nix/hosts/corrino/secrets/goapp_oidc_secret.age index a842003..ca96981 100644 Binary files a/nix/hosts/corrino/secrets/goapp_oidc_secret.age and b/nix/hosts/corrino/secrets/goapp_oidc_secret.age differ diff --git a/nix/hosts/corrino/secrets/goapp_oidc_session_key.age b/nix/hosts/corrino/secrets/goapp_oidc_session_key.age new file mode 100644 index 0000000..938f97f --- /dev/null +++ b/nix/hosts/corrino/secrets/goapp_oidc_session_key.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 gvwQ2Q BAvDdIEUEgmo963+9Wd5VLJgrp3MBISvWR3+27bfJW8 +NOEj2ObYe/cM2CaqzmbgexSEUNZIEo1ZmvlamJaSOjo +-> ssh-ed25519 m8VklA d/hwd3rGkPD3GDdlOP2XUsi687VH+tfKrAsKnImk+kI +gFAyyMZT5DK7da7YXOf/5gUd4Bi9cEe3ddMKUMuctMU +--- 9tVE+AAvptrlMZe5+UGJGzH9usnxa+ZICbikcRT0PYI +g!X+/šØ0P ;™*{ª«V p!¶êÙ4£sÌöãa ÎI+À/\Iœ‚Ô–,Äéo½p‡Î웘DP7"ŠíØÀ¦ä;p·„PÀpÍ +%ÈcÒUÚœ8 \ No newline at end of file diff --git a/nix/hosts/corrino/www/goapp.emile.space.nix b/nix/hosts/corrino/www/goapp.emile.space.nix index 4a486aa..361e95a 100644 --- a/nix/hosts/corrino/www/goapp.emile.space.nix +++ b/nix/hosts/corrino/www/goapp.emile.space.nix 
@@ -17,11 +17,10 @@ id = "goapp"; # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 - secret = "$pbkdf2-sha512$310000$/Ht5DUFmIeu/7Ty2PWHXnw$.uJIN1vmZMyGjCAoA0PzUcVaTMIH36AK80KvOZAHVXgLr1Y9ZOrRjoiwK.srHAO29mrcw1BNpCjFTYdWOoympg"; + secret = "$pbkdf2-sha512$310000$LPXJRoGR9RyTcaT6cADljg$FK8RV5CnKj5ano4fXmRzzvXcX/00F7k/G6nd67t.8iewpwyq8FntV4JgYZSV8AynYMxz1qnL4j3BzITLCM0KgQ"; public = false; authorization_policy = "two_factor"; redirect_uris = [ - # "http://localhost:8080/oauth2/callback" "https://goapp.emile.space/oauth2/callback" ]; scopes = [ 
@@ -51,28 +50,40 @@ # - build in order to get the new hash (nix build .#goapp-frontend-pkg) # - update hash in the package (//nix/templates/goapp/frontent/default.nix) # - deploy + # + # https://goapp.emile.space/oauth2/callback?code=authelia_ac_iZKCXtRMnj2yjUAmiSkg_LBWjiME2-ghE6KMkxdb6Zw.nDLgCVpu9ctH1llEKUml5rr8szd3bkZYaGa_MAOtNLI&iss=https%3A%2F%2Fsso.emile.space&scope=openid+profile+email+groups&state=random-string-here + # + # Unable to exchange authorization code for tokens + # + # unable to exchange authorization code for tokens: oauth2: "invalid_client" "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)." - # services.emile.goapp-frontend = { - # enable = true; - # package = pkgs.goapp-frontend; + services.emile.goapp-frontend = { + enable = true; + package = pkgs.goapp-frontend; - # host = "127.0.0.1"; - # port = config.emile.ports.goapp-frontend; - # public-url = "https://goapp-frontend.emile.space/"; + host = "127.0.0.1"; + port = config.emile.ports.goapp; + public-url = "https://goapp.emile.space/"; - # oidc = { - # id = "goapp-frontend"; - # issuer = "https://sso.emile.space"; - # cookie-name = "oidc-client"; - # scopes = [ "openid" "profile" "email" "groups" ]; - # secret-path = "/run/goapp-frontend_oidc_secret"; - # }; + oidc = { + id = "goapp"; + issuer = "https://sso.emile.space"; + cookie-name = "oidc-client"; + scopes = [ + "openid" + "profile" + "email" + "groups" + ]; + # secret-path = "/run/goapp-frontend_oidc_secret"; + secret-path = config.age.secrets.goapp_oidc_secret.path; + }; - # # TODO(emile): change these when going live - # session-key-path = config.age.secrets.goapp-frontend_oidc_secret.path; + # TODO(emile): change these when going live + session-key-path = config.age.secrets.goapp_oidc_secret.path; - # logfile-path = "/var/log/goapp-frontend.log"; - # database-path = "/var/lib/goapp-frontend/main.db"; - # sessiondb-path = "/var/lib/goapp-frontend/session.db"; 
- # }; + logfile-path = "/var/log/goapp-frontend.log"; + database-path = "/var/lib/goapp-frontend/main.db"; + sessiondb-path = "/var/lib/goapp-frontend/session.db"; + }; } -- cgit 1.4.1
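Review bot: `session-key-path = config.age.secrets.goapp_oidc_secret.path;` points the session key at the same file as `oidc.secret-path`, so the OIDC client secret shared with the Authelia provider also becomes the cookie/session signing key, while the `nix/hosts/corrino/secrets/goapp_oidc_session_key.age` file this commit adds is never referenced. Assuming that file is declared under `age.secrets` (not visible in this hunk), the line should read `session-key-path = config.age.secrets.goapp_oidc_session_key.path;`, which would also close the `TODO(emile)` above it. The six `#` lines pasted after `# - deploy` are debugging output for a failure the commit message says is now resolved, and they commit a captured authorization-code callback URL to the repository; the code is single-use, but the block should be dropped rather than kept in the module. That captured URL also shows `state=random-string-here`, which suggests the client was sending a constant state value at the time, so it is worth confirming that the deployed goapp-frontend generates a fresh random state per login to protect the callback against login CSRF. The `/var/log/goapp-frontend.log` and `/var/lib/goapp-frontend/*` paths and the commented-out `# secret-path = "/run/goapp-frontend_oidc_secret";` still carry the old goapp-frontend name while `port`, `public-url` and `oidc.id` were moved to `goapp`; the enclosing attribute set starts outside the hunk.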