2024-07-12 13:01:26 +02:00
|
|
|
{
|
|
|
|
lib,
|
|
|
|
}:
|
2024-08-20 07:09:10 +02:00
|
|
|
let
|
|
|
|
baseImports = pkgs: [
|
|
|
|
(pkgs.path + "/nixos/modules/profiles/headless.nix")
|
|
|
|
(pkgs.path + "/nixos/modules/profiles/qemu-guest.nix")
|
|
|
|
];
|
|
|
|
in
|
2024-07-12 13:01:26 +02:00
|
|
|
{
|
|
|
|
accessScript = {
|
2024-07-16 10:38:26 +02:00
|
|
|
subdomain
|
|
|
|
, domain
|
2024-07-12 13:01:26 +02:00
|
|
|
, hasSSL
|
|
|
|
, waitForServices ? s: []
|
|
|
|
, waitForPorts ? p: []
|
|
|
|
, waitForUnixSocket ? u: []
|
|
|
|
, extraScript ? {...}: ""
|
2024-07-16 10:38:26 +02:00
|
|
|
, redirectSSO ? false
|
2024-07-12 13:01:26 +02:00
|
|
|
}: { nodes, ... }:
|
|
|
|
let
|
2024-07-16 10:38:26 +02:00
|
|
|
fqdn = "${subdomain}.${domain}";
|
2024-07-12 13:01:26 +02:00
|
|
|
proto_fqdn = if hasSSL args then "https://${fqdn}" else "http://${fqdn}";
|
|
|
|
|
|
|
|
args = {
|
|
|
|
node.name = "server";
|
|
|
|
node.config = nodes.server;
|
|
|
|
inherit proto_fqdn;
|
|
|
|
};
|
|
|
|
in
|
|
|
|
''
|
|
|
|
import json
|
|
|
|
import os
|
|
|
|
import pathlib
|
|
|
|
|
|
|
|
start_all()
|
|
|
|
''
|
2024-07-16 10:38:26 +02:00
|
|
|
+ lib.strings.concatMapStrings (s: ''server.wait_for_unit("${s}")'' + "\n") (
|
|
|
|
waitForServices args
|
|
|
|
++ (lib.optionals redirectSSO [ "authelia-auth.${domain}.service" ])
|
|
|
|
)
|
|
|
|
+ lib.strings.concatMapStrings (p: ''server.wait_for_open_port(${toString p})'' + "\n") (
|
|
|
|
waitForPorts args
|
2024-08-31 09:57:21 +02:00
|
|
|
# TODO: when the SSO block exists, replace this hardcoded port.
|
|
|
|
++ (lib.optionals redirectSSO [ 9091 /* nodes.server.services.authelia.instances."auth.${domain}".settings.server.port */ ] )
|
2024-07-16 10:38:26 +02:00
|
|
|
)
|
2024-07-12 13:01:26 +02:00
|
|
|
+ lib.strings.concatMapStrings (u: ''server.wait_for_open_unix_socket("${u}")'' + "\n") (waitForUnixSocket args)
|
|
|
|
+ ''
|
|
|
|
if ${if hasSSL args then "True" else "False"}:
|
|
|
|
server.copy_from_vm("/etc/ssl/certs/ca-certificates.crt")
|
|
|
|
client.succeed("rm -r /etc/ssl/certs")
|
|
|
|
client.copy_from_host(str(pathlib.Path(os.environ.get("out", os.getcwd())) / "ca-certificates.crt"), "/etc/ssl/certs/ca-certificates.crt")
|
|
|
|
|
2024-07-16 10:38:26 +02:00
|
|
|
def curl(target, format, endpoint, data="", extra=""):
|
2024-08-13 16:11:45 +02:00
|
|
|
cmd = ("curl --show-error --location"
|
|
|
|
+ " --cookie-jar cookie.txt"
|
|
|
|
+ " --cookie cookie.txt"
|
|
|
|
+ " --connect-to ${fqdn}:443:server:443"
|
|
|
|
+ " --connect-to ${fqdn}:80:server:80"
|
|
|
|
# Client must be able to resolve talking to auth server
|
|
|
|
+ " --connect-to auth.${domain}:443:server:443"
|
|
|
|
+ (f" --data '{data}'" if data != "" else "")
|
|
|
|
+ (f" --silent --output /dev/null --write-out '{format}'" if format != "" else "")
|
|
|
|
+ (f" {extra}" if extra != "" else "")
|
|
|
|
+ f" {endpoint}")
|
|
|
|
print(cmd)
|
|
|
|
_, r = target.execute(cmd)
|
|
|
|
# print(r)
|
|
|
|
return json.loads(r)
|
2024-07-12 13:01:26 +02:00
|
|
|
|
2024-08-15 02:38:12 +02:00
|
|
|
def unline_with(j, s):
|
|
|
|
return j.join((x.strip() for x in s.split("\n")))
|
|
|
|
|
2024-07-16 10:38:26 +02:00
|
|
|
''
|
|
|
|
+ (if (! redirectSSO) then ''
|
2024-07-12 13:01:26 +02:00
|
|
|
with subtest("access"):
|
|
|
|
response = curl(client, """{"code":%{response_code}}""", "${proto_fqdn}")
|
|
|
|
|
|
|
|
if response['code'] != 200:
|
|
|
|
raise Exception(f"Code is {response['code']}")
|
2024-07-16 10:38:26 +02:00
|
|
|
'' else ''
|
|
|
|
with subtest("unauthenticated access is not granted"):
|
|
|
|
response = curl(client, """{"code":%{response_code},"auth_host":"%{urle.host}","auth_query":"%{urle.query}","all":%{json}}""", "${proto_fqdn}")
|
|
|
|
|
|
|
|
if response['code'] != 200:
|
|
|
|
raise Exception(f"Code is {response['code']}")
|
|
|
|
if response['auth_host'] != "auth.${domain}":
|
|
|
|
raise Exception(f"auth host should be auth.${domain} but is {response['auth_host']}")
|
|
|
|
if response['auth_query'] != "rd=${proto_fqdn}/":
|
|
|
|
raise Exception(f"auth query should be rd=${proto_fqdn}/ but is {response['auth_query']}")
|
2024-07-12 13:01:26 +02:00
|
|
|
''
|
2024-07-16 10:38:26 +02:00
|
|
|
)
|
2024-08-13 16:11:03 +02:00
|
|
|
+ (let
|
|
|
|
script = extraScript args;
|
2024-08-15 02:38:12 +02:00
|
|
|
indent = i: str: lib.concatMapStringsSep "\n" (x: (lib.strings.replicate i " ") + x) (lib.splitString "\n" script);
|
2024-08-13 16:11:03 +02:00
|
|
|
in
|
|
|
|
lib.optionalString (script != "") ''
|
|
|
|
with subtest("extraScript"):
|
|
|
|
${indent 4 script}
|
|
|
|
'');
|
2024-07-16 10:38:26 +02:00
|
|
|
|
2024-08-20 07:09:10 +02:00
|
|
|
inherit baseImports;
|
|
|
|
|
2024-07-16 10:38:26 +02:00
|
|
|
base = pkgs: additionalModules: {
|
2024-08-20 07:09:10 +02:00
|
|
|
imports =
|
|
|
|
( baseImports pkgs )
|
|
|
|
++ [
|
|
|
|
# TODO: replace postgresql.nix and authelia.nix by the sso contract
|
|
|
|
../modules/blocks/postgresql.nix
|
|
|
|
../modules/blocks/authelia.nix
|
|
|
|
../modules/blocks/nginx.nix
|
|
|
|
]
|
|
|
|
++ additionalModules;
|
2024-07-16 10:38:26 +02:00
|
|
|
|
|
|
|
# Nginx port.
|
|
|
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
|
|
|
};
|
|
|
|
|
|
|
|
certs = domain: { config, ... }: {
|
|
|
|
imports = [
|
|
|
|
../modules/blocks/ssl.nix
|
|
|
|
];
|
|
|
|
|
|
|
|
shb.certs = {
|
|
|
|
cas.selfsigned.myca = {
|
|
|
|
name = "My CA";
|
|
|
|
};
|
|
|
|
certs.selfsigned = {
|
|
|
|
n = {
|
|
|
|
ca = config.shb.certs.cas.selfsigned.myca;
|
|
|
|
domain = "*.${domain}";
|
|
|
|
group = "nginx";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
systemd.services.nginx.after = [ config.shb.certs.certs.selfsigned.n.systemdService ];
|
|
|
|
systemd.services.nginx.requires = [ config.shb.certs.certs.selfsigned.n.systemdService ];
|
|
|
|
};
|
|
|
|
|
|
|
|
ldap = domain: pkgs: {
|
|
|
|
imports = [
|
|
|
|
../modules/blocks/ldap.nix
|
|
|
|
];
|
|
|
|
|
|
|
|
networking.hosts = {
|
|
|
|
"127.0.0.1" = [ "ldap.${domain}" ];
|
|
|
|
};
|
|
|
|
|
|
|
|
shb.ldap = {
|
|
|
|
enable = true;
|
|
|
|
inherit domain;
|
|
|
|
subdomain = "ldap";
|
|
|
|
ldapPort = 3890;
|
|
|
|
webUIListenPort = 17170;
|
|
|
|
dcdomain = "dc=example,dc=com";
|
|
|
|
ldapUserPasswordFile = pkgs.writeText "ldapUserPassword" "ldapUserPassword";
|
|
|
|
jwtSecretFile = pkgs.writeText "jwtSecret" "jwtSecret";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
sso = domain: pkgs: ssl: { config, ... }: {
|
|
|
|
imports = [
|
|
|
|
../modules/blocks/authelia.nix
|
|
|
|
];
|
|
|
|
|
|
|
|
networking.hosts = {
|
|
|
|
"127.0.0.1" = [ "auth.${domain}" ];
|
|
|
|
};
|
|
|
|
|
|
|
|
shb.authelia = {
|
|
|
|
enable = true;
|
|
|
|
inherit domain;
|
|
|
|
subdomain = "auth";
|
|
|
|
ssl = config.shb.certs.certs.selfsigned.n;
|
|
|
|
|
2024-09-01 08:36:53 +02:00
|
|
|
ldapHostname = "127.0.0.1";
|
|
|
|
ldapPort = config.shb.ldap.ldapPort;
|
2024-07-16 10:38:26 +02:00
|
|
|
dcdomain = config.shb.ldap.dcdomain;
|
|
|
|
|
|
|
|
secrets = {
|
|
|
|
jwtSecretFile = pkgs.writeText "jwtSecret" "jwtSecret";
|
|
|
|
ldapAdminPasswordFile = pkgs.writeText "ldapUserPassword" "ldapUserPassword";
|
|
|
|
sessionSecretFile = pkgs.writeText "sessionSecret" "sessionSecret";
|
|
|
|
storageEncryptionKeyFile = pkgs.writeText "storageEncryptionKey" "storageEncryptionKey";
|
|
|
|
identityProvidersOIDCHMACSecretFile = pkgs.writeText "identityProvidersOIDCHMACSecret" "identityProvidersOIDCHMACSecret";
|
|
|
|
identityProvidersOIDCIssuerPrivateKeyFile = (pkgs.runCommand "gen-private-key" {} ''
|
|
|
|
mkdir $out
|
|
|
|
${pkgs.openssl}/bin/openssl genrsa -out $out/private.pem 4096
|
|
|
|
'') + "/private.pem";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2024-07-12 13:01:26 +02:00
|
|
|
}
|