Build with filtered source

Further nixos module fixes Add tailwind and esbuild to assets build Handle domain on session cookies correctly
2023-11-10 20:53:21 +00:00
parent cf9cb3eff5
commit 92edb025fb
7 changed files with 57 additions and 19 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -47,11 +47,13 @@
        };
        options.services.nginx.virtualHosts = lib.mkOption {
          type = lib.types.attrsOf (lib.types.submodule ({ config, ...}: {
-            options.locations = lib.types.attrsOf (lib.types.submodule {
-              extraConfig = lib.mkIf config.sso.enable ''
-                proxy_set_header X-Auth-Username $auth_resp_username
-              '';
-            })
+            options.locations = lib.mkOption {
+              type = lib.types.attrsOf (lib.types.submodule {
+                extraConfig = lib.mkIf config.sso.enable ''
+                  proxy_set_header X-Auth-Username $auth_resp_username
+                '';
+              });
+            };
            options.sso.enable = lib.mkEnableOption "SSO BSN";
            config.extraConfig = lib.mkIf config.sso.enable ''
              auth_request /__auth_sso_validate;
@@ -72,14 +74,20 @@
              error_page 401 = @error401;

              location @error401 {
-                return 302 url=https://${cfg.host}/user/log_in?next=$http_host$request_uri;
+                return 302 https://${cfg.host}/users/log_in?next=$scheme://$http_host$request_uri;
              }
            '';
          }));
        };
        config.environment.systemPackages = lib.mkIf cfg.enable [ script ];
-        users.users.nginx.extraGroups = ["sso-bsn"];
-        users.groups.sso-bsn = {};
+        config.users = lib.mkIf cfg.enable {
+          groups.sso-bsn = {};
+          users.nginx.extraGroups = ["sso-bsn"];
+          users.sso-bsn = {
+            group = "sso-bsn";
+            isSystemUser = true;
+          };
+        };
        config.systemd.services.sso-bsn = lib.mkIf cfg.enable {
          description = "sso-bsn";
          environment = {
@@ -95,12 +103,17 @@
          '';
          wantedBy = [ "multi-user.target" ];
          serviceConfig = {
-            DynamicUser = true;
            ProtectHome = true;
            PrivateUsers = true;
            StateDirectory = "sso-bsn";
            RuntimeDirectory = "sso-bsn";
            UMask = "007";
+            User = "sso-bsn";
+            Group = "sso-bsn";
+            PrivateTmp = true;
+            RemoveIPC = true;
+            NoNewPrivileges = true;
+            RestrictSUIDSGID = true;
          };
        };
        config.services.nginx.virtualHosts = lib.mkIf cfg.enable {