DGNum/infrastructure
12
6
Fork 2
Code Issues 18 Pull requests 6 Projects 1 Releases Packages Wiki Activity Actions
infrastructure/machines/compute01/kanidm/default.nix

104 lines
2.6 KiB
Nix
Raw Normal View History

feat(kanidm): Update allowed domains for the CORS
2024-04-12 16:38:15 +02:00
{
config,
lib,
nixpkgs,
...
}:
feat(compute01): Deploy kanidm on sso.dgnum.eu
2023-09-14 08:04:48 +02:00
let
feat(kanidm): Update allowed domains for the CORS
2024-04-12 16:38:15 +02:00
inherit (lib) escapeRegex concatStringsSep;
feat(compute01): Deploy kanidm on sso.dgnum.eu
2023-09-14 08:04:48 +02:00
domain = "sso.dgnum.eu";
cert = config.security.acme.certs.${domain};
feat(kanidm): Update allowed domains for the CORS
2024-04-12 16:38:15 +02:00
allowedDomains = builtins.map escapeRegex (
(builtins.map (s: "${s}.dgnum.eu") [
# DGNum subdomains
"cloud"
"git"
"videos"
"social"
"demarches"
"netbird"
])
++ [
# Extra domains
"netbird-beta.hubrecht.ovh"
]
);
feat(shell): Add pre-commit hooks and reformat the repo
2024-02-02 10:51:31 +01:00
in
{
feat(compute01): Deploy kanidm on sso.dgnum.eu
2023-09-14 08:04:48 +02:00
services.kanidm = {
enableServer = true;
feat(infra): Rework nixpkgs version management
2024-04-03 21:21:04 +02:00
package = nixpkgs.unstable.kanidm;
feat(kanidm): Upgrade to rc.16 and fix an issue with CORS..........
2024-02-22 12:47:18 +01:00
feat(compute01): Deploy kanidm on sso.dgnum.eu
2023-09-14 08:04:48 +02:00
serverSettings = {
inherit domain;
origin = "https://${domain}";
bindaddress = "127.0.0.1:8443";
ldapbindaddress = "0.0.0.0:636";
trust_x_forward_for = true;
tls_chain = "${cert.directory}/fullchain.pem";
tls_key = "${cert.directory}/key.pem";
};
};
users.users.kanidm.extraGroups = [ cert.group ];
services.nginx = {
enable = true;
virtualHosts.${domain} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "https://127.0.0.1:8443";
extraConfig = ''
if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {
return 444;
}
set $origin $http_origin;
feat(kanidm): Update allowed domains for the CORS
2024-04-12 16:38:15 +02:00
if ($origin !~ '^https?://(${concatStringsSep "|" allowedDomains})$') {
feat(compute01): Deploy kanidm on sso.dgnum.eu
2023-09-14 08:04:48 +02:00
set $origin 'https://${domain}';
}
feat(kanidm): Upgrade to rc.16 and fix an issue with CORS..........
2024-02-22 12:47:18 +01:00
proxy_hide_header Access-Control-Allow-Origin;
feat(compute01): Deploy kanidm on sso.dgnum.eu
2023-09-14 08:04:48 +02:00
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' "$origin" always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always;
add_header 'Access-Control-Allow-Credentials' 'true' always;
add_header Access-Control-Max-Age 1728000;
add_header Content-Type 'text/plain charset=UTF-8';
add_header Content-Length 0;
return 204;
}
if ($request_method ~ '(GET|POST|PATCH|PUT|DELETE)') {
add_header Access-Control-Allow-Origin "$origin" always;
add_header Access-Control-Allow-Methods 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
add_header Access-Control-Allow-Headers 'Content-Type, Accept, Authorization' always;
add_header Access-Control-Allow-Credentials true always;
}
'';
};
};
};
networking.firewall.allowedTCPPorts = [ 636 ];
networking.firewall.allowedUDPPorts = [ 636 ];
feat(compute01): Create some backups
2024-02-21 22:49:20 +01:00
dgn-backups.jobs.kanidm.settings.paths = [ "/var/lib/kanidm" ];
feat(compute01): Deploy kanidm on sso.dgnum.eu
2023-09-14 08:04:48 +02:00
}
Reference in a new issue Copy permalink