{ config, pkgs, ... }:

let
  # Public hostname of this deployment; reused for the vhost, the OIDC
  # redirect URI and the frontend's public URL so the three cannot drift apart.
  domain = "goapp.emile.space";

  frontendCfg = config.services.emile.goapp-frontend;

  # One age-managed secret that is currently used for two purposes
  # (OIDC client secret and session key); see the note at session-key-path.
  oidcSecretPath = config.age.secrets.goapp_oidc_secret.path;
in
{
  # TLS-terminating reverse proxy in front of the frontend service.
  # forceSSL + ACME keeps the OIDC callback (and the session cookie it sets)
  # off plain HTTP.
  services.nginx.virtualHosts.${domain} = {
    forceSSL = true;
    enableACME = true;
    locations."/".proxyPass =
      "http://${frontendCfg.host}:${toString frontendCfg.port}";
  };

  # Registration of the frontend as a confidential OIDC client in Authelia.
  services.authelia.instances.main.settings.identity_providers.oidc.clients = [
    {
      id = "goapp";

      # PBKDF2-SHA512 hash of the client secret (generated with the command
      # below); the plaintext is presumably what the age secret referenced by
      # oidc.secret-path holds -- verify the two still match when rotating.
      # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
      secret = "$pbkdf2-sha512$310000$LPXJRoGR9RyTcaT6cADljg$FK8RV5CnKj5ano4fXmRzzvXcX/00F7k/G6nd67t.8iewpwyq8FntV4JgYZSV8AynYMxz1qnL4j3BzITLCM0KgQ";
      public = false;
      # Every login through this client requires a second factor.
      authorization_policy = "two_factor";
      redirect_uris = [ "https://${domain}/oauth2/callback" ];
      scopes = [ "openid" "email" "profile" "groups" ];
      grant_types = [ "refresh_token" "authorization_code" ];
      response_types = [ "code" ];
      # NOTE(review): "fragment" is only needed for implicit-style flows; with
      # response_types = [ "code" ] it could likely be dropped -- confirm the
      # frontend never requests it before removing.
      response_modes = [ "form_post" "query" "fragment" ];
      # NOTE(review): the invalid_client error recorded below is consistent
      # with a mismatch between this method and how the frontend authenticates
      # at the token endpoint -- unconfirmed, worth checking first.
      token_endpoint_auth_method = "client_secret_post";
    }
  ];

  environment.systemPackages = [ pkgs.goapp-frontend ];

  # deploy:
  # - push code
  # - build in order to get the new hash (nix build .#goapp-frontend-pkg)
  # - update hash in the package (//nix/templates/goapp/frontent/default.nix)
  # - deploy
  #
  # Debug trace from a failing code exchange. The one-time authorization code
  # has been redacted from this file; it does not belong in version control
  # even after it has expired.
  # https://goapp.emile.space/oauth2/callback?code=<redacted-authorization-code>&iss=https%3A%2F%2Fsso.emile.space&scope=openid+profile+email+groups&state=random-string-here
  #
  # NOTE(review): if the frontend really sends a constant `state` value, the
  # CSRF protection that parameter is meant to provide is lost -- confirm it
  # is generated per request.
  #
  # Unable to exchange authorization code for tokens
  #
  # unable to exchange authorization code for tokens: oauth2: "invalid_client" "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)."

  services.emile.goapp-frontend = {
    enable = true;
    package = pkgs.goapp-frontend;

    # Bound to loopback; external traffic reaches it only through the nginx
    # vhost above.
    host = "127.0.0.1";
    port = config.emile.ports.goapp;
    public-url = "https://${domain}/";

    oidc = {
      id = "goapp";
      issuer = "https://sso.emile.space";
      cookie-name = "oidc-client";
      # Same scope set as the Authelia client above, listed in a different order.
      scopes = [ "openid" "profile" "email" "groups" ];
      # secret-path = "/run/goapp-frontend_oidc_secret";
      secret-path = oidcSecretPath;
    };

    # TODO(emile): change these when going live
    # NOTE(review): the session-signing key is the OIDC client secret; a
    # dedicated secret keeps a leak of one from exposing the other and lets the
    # two be rotated independently.
    session-key-path = oidcSecretPath;

    logfile-path = "/var/log/goapp-frontend.log";
    database-path = "/var/lib/goapp-frontend/main.db";
    sessiondb-path = "/var/lib/goapp-frontend/session.db";
  };
}