Nixos module

2023-11-09 23:58:26 +00:00
parent 6fb839824e
commit 53d01e4ced
5 changed files with 103 additions and 13 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -23,5 +23,90 @@
        inherit self;
      };
    });
+
+    nixosModules = {
+      default = { lib, pkgs, config, ... }: let
+        sso-bsn = self.packages.${pkgs.system}.default;
+        gen-secret = pkgs.writeShellScript "gen-secret" ''
+          mkdir -p $1
+          (umask 077; [ -f $1/$2 ] || ${pkgs.coreutils}/bin/head -c 128 /dev/urandom | ${pkgs.coreutils}/bin/base64 -w0 > $1/$2)
+        '';
+        secret = var: dir: file: ''
+          ${gen-secret} "${dir}" "${file}"
+          ${var}=$(${pkgs.coreutils}/bin/cat "${dir}/${file}")
+        '';
+        script = pkgs.writeShellScript "sso-bsn" ''
+          ${secret "RELEASE_COOKIE" "/run/sso-bsn" "cookie"} ${lib.getExe sso-bsn} "$@"
+        '';
+        cfg = config.services.bluepython508.sso-bsn;
+      in {
+        options.services.bluepython508.sso-bsn = {
+          enable = lib.mkEnableOption "sso-bsn";
+          host = lib.mkOption { type = lib.types.string; };
+          session-domain = lib.mkOption { type = with lib.types; nullOr string; };
+        };
+        options.services.nginx.virtualHosts = lib.mkOption {
+          type = lib.types.attrsOf (lib.types.submodule ({ config }: {
+            options.sso.enable = lib.mkEnableOption "SSO BSN";
+            config.extraConfig = lib.mkIf config.sso.enable ''
+              auth_request /__auth_sso_validate;
+              proxy_set_header X-Auth-Username $auth_resp_username;
+
+              location = /__auth_sso_validate {
+                internal;
+                proxy_pass https://${cfg.host}/whoami;
+                proxy_pass_request_body off; # no need to send the POST body
+
+                proxy_set_header Content-Length "";
+                proxy_set_header X-Real-IP $remote_addr;
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header X-Forwarded-Proto $scheme;
+
+                auth_request_set $auth_resp_username $upstream_http_x_auth_username;
+              }
+
+              error_page 401 = @error401;
+
+              location @error401 {
+                return 302 url=https://${cfg.host}/user/log_in?next=$http_host$request_uri;
+              }
+            '';
+          }));
+        };
+        config.environment.systemPackages = lib.mkIf cfg.enable [ script ];
+        config.systemd.services.sso-bsn = lib.mkIf cfg.enable {
+          description = "sso-bsn";
+          environment = {
+            SERVER = "true";
+            DATABASE_PATH = "/var/lib/sso-bsn/db.sqlite";
+            BIND_UNIX = "/run/sso-bsn/sock";
+            SSO_BSN_HOST = cfg.host;
+            SESSION_DOMAIN = cfg.session-domain;
+          };
+          script = ''
+            ${secret "SECRET_KEY_BASE" "/var/lib/sso-bsn" "secret-key-base"}
+            SECRET_KEY_BASE="$SECRET_KEY_BASE" ${script} start
+          '';
+          wantedBy = [ "multi-user.target" ];
+          serviceConfig = {
+            DynamicUser = true;
+            ProtectHome = true;
+            PrivateUsers = true;
+            StateDirectory = "sso-bsn";
+          };
+        };
+        config.services.nginx.virtualHosts = lib.mkIf cfg.enable {
+          ${cfg.host} = {
+            forceSSL = true;
+            enableACME = true;
+            locations."/" = {
+              proxyPass = "http://unix:/run/sso-bsn/sock:/";
+              recommendedProxySettings = true;
+              proxyWebsockets = true;
+            };
+          };
+        };
+      };
+    };
  };
 }