From 9466a3ce94b1bb0112a323cefe4a7aaeadf515d9 Mon Sep 17 00:00:00 2001
From: Max Audron <audron@cocaine.farm>
Date: Sun, 8 Oct 2023 12:29:39 +0200
Subject: deploy powerdns admin and tlmp

---
 lib/nginx/default.nix | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 66 insertions(+)
 create mode 100644 lib/nginx/default.nix

(limited to 'lib/nginx/default.nix')

diff --git a/lib/nginx/default.nix b/lib/nginx/default.nix
new file mode 100644
index 0000000..3fdb697
--- /dev/null
+++ b/lib/nginx/default.nix
@@ -0,0 +1,66 @@
+{ lib }:
+
+{
+  proxyDomain = cert: proxyPass: {
+    addSSL = true;
+    useACMEHost = cert;
+    locations."/" = {
+      inherit proxyPass;
+      proxyWebsockets = true;
+      extraConfig = ''
+        proxy_pass_header Authorization;
+      '';
+    };
+  };
+
+  proxyDomainAuth = cert: proxyPass: {
+    addSSL = true;
+    useACMEHost = cert;
+    locations."/" = {
+      inherit proxyPass;
+      proxyWebsockets = true;
+      extraConfig = ''
+        auth_request     /outpost.goauthentik.io/auth/nginx;
+        error_page       401 = @goauthentik_proxy_signin;
+        auth_request_set $auth_cookie $upstream_http_set_cookie;
+        add_header       Set-Cookie $auth_cookie;
+
+        # translate headers from the outposts back to the actual upstream
+        auth_request_set $authentik_username $upstream_http_x_authentik_username;
+        auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
+        auth_request_set $authentik_email $upstream_http_x_authentik_email;
+        auth_request_set $authentik_name $upstream_http_x_authentik_name;
+        auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
+
+        proxy_set_header X-authentik-username $authentik_username;
+        proxy_set_header X-authentik-groups $authentik_groups;
+        proxy_set_header X-authentik-email $authentik_email;
+        proxy_set_header X-authentik-name $authentik_name;
+        proxy_set_header X-authentik-uid $authentik_uid;
+      '';
+    };
+
+    locations."/outpost.goauthentik.io" = {
+      proxyPass = "https://auth.vapor.systems/outpost.goauthentik.io";
+      proxyWebsockets = true;
+      extraConfig = ''
+        proxy_ssl_server_name on;
+
+        proxy_set_header        Host $host;
+        proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
+        add_header              Set-Cookie $auth_cookie;
+        auth_request_set        $auth_cookie $upstream_http_set_cookie;
+        proxy_pass_request_body off;
+        proxy_set_header        Content-Length "";
+      '';
+    };
+
+    locations."@goauthentik_proxy_signin" = {
+      extraConfig = ''
+        internal;
+        add_header Set-Cookie $auth_cookie;
+        return 302 /outpost.goauthentik.io/start?rd=$request_uri;
+      '';
+    };
+  };
+}
-- 
cgit v1.2.3