| author | Franck Cuny <franck@fcuny.net> | 2025-10-23 07:04:12 -0700 |
|---|---|---|
| committer | Franck Cuny <franck@fcuny.net> | 2025-10-23 07:04:12 -0700 |
| commit | f4dbbf9f2957c7338574425dd818f7d2fb2022ec (patch) | |
| tree | e46ba37bbe32d4fcee261af79a2d16ad5683b16f /machines/nixos/x86_64-linux/do-rproxy | |
| parent | simplify darwin configuration (diff) | |
| download | infra-f4dbbf9f2957c7338574425dd818f7d2fb2022ec.tar.gz | |
webfinger setup to support tailscale
Based on https://tailscale.com/kb/1240/sso-custom-oidc and
https://github.com/randomnetcat/nix-configs/blob/f1963827395d6c82a7e64267fde9b0c82da02380/hosts/bear/auth/default.nix#L134
Diffstat (limited to 'machines/nixos/x86_64-linux/do-rproxy')
| -rw-r--r-- | machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix | 137 |
1 files changed, 94 insertions, 43 deletions
diff --git a/machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix b/machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix
index 9267d20..5c30175 100644
--- a/machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix
+++ b/machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix
@@ -1,6 +1,8 @@
 {
 inputs,
 config,
+ pkgs,
+ lib,
 ...
 }: {
@@ -40,59 +42,108 @@
 };
 };
- services.nginx = {
- enable = true;
- recommendedProxySettings = true;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedTlsSettings = true;
- virtualHosts = {
- "code.fcuny.net" = {
- enableACME = true;
- acmeRoot = null;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://10.100.0.60:3000";
+ services.nginx =
+ let
+ accounts = [
+ {
+ user = "franck@fcuny.net";
+ realm = "fcuny.net";
+ }
+ ];
+ webfingerConfig = {
+ "= /.well-known/webfinger" = {
+ extraConfig = ''
+ return 307 /__webfinger/$arg_resource;
+ '';
 };
- locations."/metrics" = {
- proxyPass = "http://10.100.0.60:3000/metrics";
+
+ "~ ^/__webfinger/(acct:[^/]+@[^/]+)" = {
+ root = pkgs.linkFarm "webfinger-entries" (
+ lib.listToAttrs (
+ map (acct: {
+ name = "acct:${acct.user}";
+ value = pkgs.writeText "webfinger-${acct.user}" ''
+ {
+ "subject": "acct:${acct.user}",
+ "links": [
+ {
+ "rel": "http://openid.net/specs/connect/1.0/issuer",
+ "href": "https://id.fcuny.net/realms/${acct.realm}"
+ }
+ ]
+ }
+ '';
+ }) accounts
+ )
+ );
+
+ tryFiles = "/$1 =404";
+
 extraConfig = ''
- deny all;
- access_log off;
+ add_header Content-Type application/json;
 '';
 };
 };
- "go.fcuny.net" = {
- enableACME = true;
- acmeRoot = null;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://10.100.0.40:8070";
+ in
+ {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ virtualHosts = {
+ "code.fcuny.net" = {
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://10.100.0.60:3000";
+ };
+ locations."/metrics" = {
+ proxyPass = "http://10.100.0.60:3000/metrics";
+ extraConfig = ''
+ deny all;
+ access_log off;
+ '';
+ };
 };
- };
- "id.fcuny.net" = {
- enableACME = true;
- acmeRoot = null;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://10.100.0.60:8080";
+ "go.fcuny.net" = {
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://10.100.0.40:8070";
+ };
 };
- };
- "fcuny.net" = {
- enableACME = true;
- acmeRoot = null;
- forceSSL = true;
+ "id.fcuny.net" = {
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations = (
+ {
+ "/" = {
+ proxyPass = "http://10.100.0.60:8080";
+ };
+ }
+ // webfingerConfig
+ );
+ };
+ "fcuny.net" = {
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
- root = "${inputs.my-site.packages.x86_64-linux.default}/";
+ root = "${inputs.my-site.packages.x86_64-linux.default}/";
- locations = {
- "/".tryFiles = "$uri $uri/ $uri/index.html =404";
- };
+ locations = {
+ "/".tryFiles = "$uri $uri/ $uri/index.html =404";
+ }
+ // webfingerConfig;
- extraConfig = ''
- error_page 404 /404;
- '';
+ extraConfig = ''
+ error_page 404 /404;
+ '';
+ };
 };
 };
- };
 }
|
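Review bot: `add_header Content-Type application/json;` in the new `~ ^/__webfinger/(acct:[^/]+@[^/]+)` location does not replace the Content-Type nginx assigns to the static file it serves from the linkFarm; add_header only appends, so the response ends up with two Content-Type headers, nginx's own one for an extension-less file (its `default_type`, presumably application/octet-stream here) plus application/json. The idiomatic fix is to drop the add_header line and set `default_type application/jrd+json;` in that extraConfig, application/jrd+json being the media type RFC 7033 defines for a JRD document (if Tailscale's fetcher is known to want plain application/json, use that instead). Note also that declaring add_header inside a location stops that location from inheriting any add_header directives from the server or http level, so any header set there (HSTS, for example) would silently disappear for webfinger responses; the default_type form avoids that side effect too. The whole services.nginx definition lies inside this hunk; only the enclosing module attrset starts before it.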
