From 06653220bb2741300fc0a5096dd68326bdf68c3a Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Sat, 12 Oct 2024 22:11:34 +0200 Subject: [PATCH] fix(kanidm): Revert switch to simpleProxies As we proxy to an https endpoint, this was not supported --- machines/compute01/kanidm/default.nix | 72 +++++++++++++++------------ 1 file changed, 41 insertions(+), 31 deletions(-) diff --git a/machines/compute01/kanidm/default.nix b/machines/compute01/kanidm/default.nix index f88d070..ad2ab6b 100644 --- a/machines/compute01/kanidm/default.nix +++ b/machines/compute01/kanidm/default.nix @@ -8,9 +8,8 @@ let inherit (lib) escapeRegex concatStringsSep; - host = "sso.dgnum.eu"; + domain = "sso.dgnum.eu"; port = 8443; - domain = host; cert = config.security.acme.certs.${domain}; @@ -41,7 +40,7 @@ in origin = "https://${domain}"; - bindaddress = "127.0.0.1:8443"; + bindaddress = "127.0.0.1:${builtins.toString port}"; ldapbindaddress = "0.0.0.0:636"; trust_x_forward_for = true; @@ -53,40 +52,51 @@ in users.users.kanidm.extraGroups = [ cert.group ]; - dgn-web.simpleProxies.kanidm = { - inherit host port; - vhostConfig.locations."/".extraConfig = '' - if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) { - return 444; - } + dgn-web.internalPorts.kanidm = port; - set $origin $http_origin; + services.nginx = { + enable = true; - if ($origin !~ '^https?://(${concatStringsSep "|" allowedDomains})$') { - set $origin 'https://${domain}'; - } + virtualHosts.${domain} = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "https://127.0.0.1:${builtins.toString port}"; - proxy_hide_header Access-Control-Allow-Origin; + extraConfig = '' + if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) { + return 444; + } - if ($request_method = 'OPTIONS') { - add_header 'Access-Control-Allow-Origin' "$origin" always; - add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always; - add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always; - add_header 'Access-Control-Allow-Credentials' 'true' always; + set $origin $http_origin; - add_header Access-Control-Max-Age 1728000; - add_header Content-Type 'text/plain charset=UTF-8'; - add_header Content-Length 0; - return 204; - } + if ($origin !~ '^https?://(${concatStringsSep "|" allowedDomains})$') { + set $origin 'https://${domain}'; + } - if ($request_method ~ '(GET|POST|PATCH|PUT|DELETE)') { - add_header Access-Control-Allow-Origin "$origin" always; - add_header Access-Control-Allow-Methods 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always; - add_header Access-Control-Allow-Headers 'Content-Type, Accept, Authorization' always; - add_header Access-Control-Allow-Credentials true always; - } - ''; + proxy_hide_header Access-Control-Allow-Origin; + + if ($request_method = 'OPTIONS') { + add_header 'Access-Control-Allow-Origin' "$origin" always; + add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always; + add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always; + add_header 'Access-Control-Allow-Credentials' 'true' always; + + add_header Access-Control-Max-Age 1728000; + add_header Content-Type 'text/plain charset=UTF-8'; + add_header Content-Length 0; + return 204; + } + + if ($request_method ~ '(GET|POST|PATCH|PUT|DELETE)') { + add_header Access-Control-Allow-Origin "$origin" always; + add_header Access-Control-Allow-Methods 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always; + add_header Access-Control-Allow-Headers 'Content-Type, Accept, Authorization' always; + add_header Access-Control-Allow-Credentials true always; + } + ''; + }; + }; }; networking.firewall.allowedTCPPorts = [ 636 ];