{ config, pkgs, lib, ... }:
let
cfg = config.shb.nginx;
fqdn = c: "${c.subdomain}.${c.domain}";
autheliaConfig = lib.types.submodule {
options = {
subdomain = lib.mkOption {
type = lib.types.str;
description = "Subdomain which must be protected.";
example = "subdomain";
};
domain = lib.mkOption {
type = lib.types.str;
description = "Domain of the subdomain.";
example = "mydomain.com";
};
authEndpoint = lib.mkOption {
type = lib.types.str;
description = "Auth endpoint for SSO.";
default = null;
example = "https://authelia.example.com";
};
upstream = lib.mkOption {
type = lib.types.str;
description = "Upstream url to be protected.";
example = "http://127.0.0.1:1234";
};
autheliaRules = lib.mkOption {
type = lib.types.listOf (lib.types.attrsOf lib.types.anything);
description = "Authelia rule configuration";
example = lib.literalExpression ''[{
policy = "two_factor";
subject = ["group:service_user"];
}]'';
};
};
};
in
{
options.shb.nginx = {
accessLog = lib.mkOption {
type = lib.types.bool;
description = "Log all requests";
default = false;
example = true;
};
debugLog = lib.mkOption {
type = lib.types.bool;
description = "Verbose debug of internal. This will print what servers were matched and why.";
default = false;
example = true;
};
autheliaProtect = lib.mkOption {
description = "Endpoints to be protected by authelia.";
type = lib.types.listOf autheliaConfig;
default = [];
};
};
config = {
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx.enable = true;
services.nginx.logError = lib.mkIf cfg.debugLog "stderr warn";
services.nginx.appendHttpConfig = lib.mkIf cfg.accessLog ''
log_format apm
'{'
'"remote_addr":"$remote_addr",'
'"remote_user":"$remote_user",'
'"time_local":"$time_local",'
'"request":"$request",'
'"request_length":"$request_length",'
'"server_name":"$server_name",'
'"status":"$status",'
'"bytes_sent":"$bytes_sent",'
'"body_bytes_sent":"$body_bytes_sent",'
'"referrer":"$http_referrer",'
'"user_agent":"$http_user_agent",'
'"gzip_ration":"$gzip_ratio",'
'"post":"$request_body",'
'"upstream_addr":"$upstream_addr",'
'"upstream_status":"$upstream_status",'
'"request_time":"$request_time",'
'"upstream_response_time":"$upstream_response_time",'
'"upstream_connect_time":"$upstream_connect_time",'
'"upstream_header_time":"$upstream_header_time"'
'}';
access_log syslog:server=unix:/dev/log apm;
'';
services.nginx.virtualHosts =
let
vhostCfg = c: {
${fqdn c} = {
forceSSL = lib.mkIf config.shb.ssl.enable true;
sslCertificate = lib.mkIf config.shb.ssl.enable "/var/lib/acme/${c.domain}/cert.pem";
sslCertificateKey = lib.mkIf config.shb.ssl.enable "/var/lib/acme/${c.domain}/key.pem";
# Taken from https://github.com/authelia/authelia/issues/178
locations."/".extraConfig = ''
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_cache_bypass $http_upgrade;
auth_request /authelia;
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
proxy_set_header X-Forwarded-User $user;
proxy_set_header X-Forwarded-Groups $groups;
# TODO: Are those needed?
# auth_request_set $name $upstream_http_remote_name;
# auth_request_set $email $upstream_http_remote_email;
# proxy_set_header Remote-Name $name;
# proxy_set_header Remote-Email $email;
# TODO: Would be nice to have this working, I think.
# set $new_cookie $http_cookie;
# if ($http_cookie ~ "(.*)(?:^|;)\s*example\.com\.session\.id=[^;]+(.*)") {
# set $new_cookie $1$2;
# }
# proxy_set_header Cookie $new_cookie;
auth_request_set $redirect $scheme://$http_host$request_uri;
error_page 401 =302 ${c.authEndpoint}?rd=$redirect;
error_page 403 = ${c.authEndpoint}/error/403;
proxy_pass ${c.upstream};
'';
# Virtual endpoint created by nginx to forward auth requests.
locations."/authelia".extraConfig = ''
internal;
proxy_pass ${c.authEndpoint}/api/verify;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Original-URL $scheme://$host$request_uri;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Content-Length "";
proxy_pass_request_body off;
# TODO: Would be nice to be able to enable this.
# proxy_ssl_verify on;
# proxy_ssl_trusted_certificate "/etc/ssl/certs/DST_Root_CA_X3.pem";
proxy_ssl_protocols TLSv1.2;
proxy_ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
proxy_ssl_verify_depth 2;
proxy_ssl_server_name on;
'';
};
};
in
lib.mkMerge (map vhostCfg cfg.autheliaProtect);
shb.authelia.rules =
let
authConfig = c: map (r: r // { domain = fqdn c; }) c.autheliaRules;
in
lib.flatten (map authConfig cfg.autheliaProtect);
security.acme.defaults.reloadServices = [
"nginx.service"
];
};
}