tvl-depot/ops/modules/www/auth.tvl.fyi.nix

{ config, ... }:

{
  imports = [
    ./base.nix
  ];

  config = {
    services.nginx.virtualHosts."auth.tvl.fyi" = {
      serverName = "auth.tvl.fyi";
      enableACME = true;
      forceSSL = true;

      extraConfig = ''
        # increase buffer size for large headers
        proxy_buffers 8 16k;
        proxy_buffer_size 16k;

        location / {
          proxy_pass http://localhost:${toString config.services.keycloak.settings.http-port};
          proxy_set_header X-Forwarded-For $remote_addr;
          proxy_set_header X-Forwarded-Proto https;
          proxy_set_header Host $host;
        }
      '';
    };
  };
}
feat(whitby): Configure initial Keycloak setup Trialing this as an alternative to CAS that is a little easier to configure and can help us delegate authentication to other OIDC services. Change-Id: Iad63724d349334910af8fed0b148e4ba428f796b Reviewed-on: https://cl.tvl.fyi/c/depot/+/4608 Tested-by: BuildkiteCI Autosubmit: tazjin <mail@tazj.in> Reviewed-by: lukegb <lukegb@tvl.fyi> 2021-12-25 15:06:15 +01:00			`{ config, ... }:`

			`{`
			`imports = [`
			`./base.nix`
			`];`

			`config = {`
			`services.nginx.virtualHosts."auth.tvl.fyi" = {`
			`serverName = "auth.tvl.fyi";`
			`enableACME = true;`
			`forceSSL = true;`

			`extraConfig = ''`
fix(ops/www): increase buffer memory size for auth.tvl.fyi Keycloak seems to have decided today that it will now send headers that are larger than what the nginx default configuration can handle. The numbers are a mix of made up and taken from random nginx voodoo posts on the internet, so they're as good a guess as anyone's. Change-Id: If037bcba48eee371cc96304b150276c669930c75 Reviewed-on: https://cl.tvl.fyi/c/depot/+/7992 Tested-by: BuildkiteCI Reviewed-by: flokli <flokli@flokli.de> Autosubmit: tazjin <tazjin@tvl.su> 2023-02-01 10:25:57 +01:00			`# increase buffer size for large headers`
			`proxy_buffers 8 16k;`
			`proxy_buffer_size 16k;`

feat(whitby): Configure initial Keycloak setup Trialing this as an alternative to CAS that is a little easier to configure and can help us delegate authentication to other OIDC services. Change-Id: Iad63724d349334910af8fed0b148e4ba428f796b Reviewed-on: https://cl.tvl.fyi/c/depot/+/4608 Tested-by: BuildkiteCI Autosubmit: tazjin <mail@tazj.in> Reviewed-by: lukegb <lukegb@tvl.fyi> 2021-12-25 15:06:15 +01:00			`location / {`
fix(ops/www): fix port templating for keycloak Change-Id: I714b12f996d7dbe705f1f553d449f2dbc4910b1e Reviewed-on: https://cl.tvl.fyi/c/depot/+/6848 Reviewed-by: sterni <sternenseemann@systemli.org> Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI 2022-10-03 10:08:42 +02:00			`proxy_pass http://localhost:${toString config.services.keycloak.settings.http-port};`
feat(whitby): Configure initial Keycloak setup Trialing this as an alternative to CAS that is a little easier to configure and can help us delegate authentication to other OIDC services. Change-Id: Iad63724d349334910af8fed0b148e4ba428f796b Reviewed-on: https://cl.tvl.fyi/c/depot/+/4608 Tested-by: BuildkiteCI Autosubmit: tazjin <mail@tazj.in> Reviewed-by: lukegb <lukegb@tvl.fyi> 2021-12-25 15:06:15 +01:00			`proxy_set_header X-Forwarded-For $remote_addr;`
			`proxy_set_header X-Forwarded-Proto https;`
			`proxy_set_header Host $host;`
			`}`
			`'';`
			`};`
			`};`
			`}`