From 8b12efb8c92fdd05310604d4813aeee71ab8d52b Mon Sep 17 00:00:00 2001
From: teidesu
Date: Sun, 29 Dec 2024 22:32:46 +0300
Subject: [PATCH] feat(koi): sso for wakapi
---
 hosts/koi/containers/wakapi/default.nix | 35 ++++++++++++++----------
 secrets/wakapi-env.age | Bin 311 -> 458 bytes
 secrets/wakapi-proxy-env.age | Bin 0 -> 374 bytes
 3 files changed, 21 insertions(+), 14 deletions(-)
 create mode 100644 secrets/wakapi-proxy-env.age
diff --git a/hosts/koi/containers/wakapi/default.nix b/hosts/koi/containers/wakapi/default.nix
index 9bdfc6d..0038b4d 100644
--- a/hosts/koi/containers/wakapi/default.nix
+++ b/hosts/koi/containers/wakapi/default.nix
@@ -4,6 +4,7 @@ let
 UID = 1115;
 in {
 desu.secrets.wakapi-env.owner = "wakapi";
+ desu.secrets.wakapi-proxy-env.owner = "wakapi";
 users.users.wakapi = {
 isNormalUser = true;
@@ -33,13 +34,15 @@ in {
 WAKAPI_LISTEN_IPV4 = "0.0.0.0";
 WAKAPI_LISTEN_IPV6 = "-";
 WAKAPI_ALLOW_SIGNUP = "false";
- WAKAPI_DISABLE_FRONTPAGE = "false";
- WAKAPI_MAIL_SENDER = "waka.stupid.fish ";
- WAKAPI_MAIL_SMTP_HOST = "smtp.mail.me.com";
- WAKAPI_MAIL_SMTP_PORT = "587";
- WAKAPI_MAIL_SMTP_USERNAME = "teidesu@icloud.com";
- WAKAPI_MAIL_SMTP_TLS = "false";
+ WAKAPI_DISABLE_FRONTPAGE = "true";
+ WAKAPI_MAIL_ENABLED = "true";
+ WAKAPI_MAIL_SENDER = "waka.stupid.fish ";
 WAKAPI_AVATAR_URL_TEMPLATE = "https://t.me/i/userpic/320/{username}.jpg";
+ WAKAPI_SUPPORT_CONTACT = "alina@tei.su";
+
+ WAKAPI_TRUSTED_HEADER_AUTH = "true";
+ WAKAPI_TRUSTED_HEADER_AUTH_KEY = "X-Forwarded-Preferred-Username";
+ WAKAPI_TRUST_REVERSE_PROXY_IPS = "172.17.0.0/16";
 };
 environmentFiles = [
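Review bot: `WAKAPI_TRUST_REVERSE_PROXY_IPS = "172.17.0.0/16"` extends trusted-header login to the whole Docker bridge range rather than to the OIDC proxy alone, so with `WAKAPI_TRUSTED_HEADER_AUTH = "true"` any container on that network that can reach wakapi on port 3000 (it still listens on `0.0.0.0`) could present an `X-Forwarded-Preferred-Username` header and be accepted as that user. Narrowing the value to the proxy container's address, or placing wakapi and the proxy on a dedicated network, keeps the trust boundary at the proxy; whether wakapi checks this CIDR against the direct peer address or against a client-settable X-Forwarded-For is not visible in this file and is worth confirming, since only the former makes the range meaningful. The dropped `WAKAPI_MAIL_SMTP_*` settings are presumably moving into the wakapi-env secret that this commit also rewrites, which is the right place for credentials, but `WAKAPI_MAIL_ENABLED = "true"` is only consistent if they are indeed there. A comment above the three trusted-header lines, e.g. `# identity is asserted by the OIDC proxy; trust only that proxy's address here`, would record the invariant for the next reader.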
@@ -47,22 +50,26 @@ in { ]; user = "${builtins.toString UID}"; - - extraOptions = [ - "--mount=type=bind,source=/srv/wakapi,target=/data" - ]; }; - systemd.tmpfiles.rules = [ - "d /srv/wakapi 0700 ${builtins.toString UID} ${builtins.toString UID} -" - ]; + desu.openid-proxy.services.wakapi = { + clientId = "300318162728058886"; + domain = "waka.stupid.fish"; + upstream = "http://wakapi.docker:3000"; + envSecret = "wakapi-proxy-env"; + uid = UID; + extra = [ + "--skip-auth-route=POST=^/((v1/)?users/[^/]+/)?heartbeat(s|s\.bulk)?$" + "--skip-auth-route=GET=^/api/health$" + ]; + }; services.nginx.virtualHosts."waka.stupid.fish" = { forceSSL = true; useACMEHost = "stupid.fish"; locations."/" = { - proxyPass = "http://wakapi.docker:3000$request_uri"; + proxyPass = "http://wakapi-oidc.docker$request_uri"; proxyWebsockets = true; }; }; diff --git a/secrets/wakapi-env.age b/secrets/wakapi-env.age index 36de9f6fba4cd2520f03d7eac00481dd36bac252..384d0184f6524f554754c9cc8566bcdf087512e4 100644 GIT binary patch delta 424 zcmV;Z0ayOF0?GrBEPq2qMMXzMO=)p5PE<}eFf&9_Zbx`&F*8IrG&Ff)Wn(ipT5vQ= zZC5l_GzvmdcW!7yFkw+dXGk-8QBPGicSdz(X>LMOd1Xp;V?t9*Hd%T?XGURUa|$gj zEg&~@O>{?5Q)+WhH!?JOPeg4a* zq0PVwh{6CSh}BmCqdtZjds8P1V-$ zpW10K@)#{Sc7F({e-1_t;xX3Ut&Ghg_q^HoG6Xk4xvw+43;NkV_jz{_ zkvY3!nj>%uP(-PsRgBv4CinP^rio4i7*%oDWL>if>Zg7tvn~^*&|Yg& SZ?styiwZ*#N2?iV8K^9gKei|U delta 276 zcmV+v0qg$C1GfT@EPpU$b60d!Yff%CLvc()OgL^rS8ro^Nj6DWGIniQadAOwO+-O9 zFmN+fX9`7EH&b$NO=)K~MP+q2W>Q8*OL$i}I7C8GaWz#iaA9>+WO-IuadJyzZwf6f zEg)f6Rd`lMaCcdBI7T>BMnhC#QesGENpx9qRy0X^c5rhqIe%?)b7D4eGEoZEpUh)@ z0UzQQWR%mi@JU+@OKC>$)pT1{on8<{(PXj*pYVlD6;__Y5sggOPR|wWQDQJa;v>XNcSU_thNs>tDi3ZMV>f(tVLaQ)z|TH(rjOV) as4}!&TLQ1|{tdQ@yoV9F3nyxQ*4ZVUyKyQ2 
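Review bot: The `--skip-auth-route=POST=…heartbeat…` entry lets heartbeat requests bypass the proxy's login while wakapi, per the earlier hunk, now trusts `X-Forwarded-Preferred-Username` from the proxy's address range, so if the proxy forwards an inbound copy of that header on skipped routes a client-supplied value could stand in for proxy-verified identity; the `desu.openid-proxy` module that runs the proxy is outside this diff, so this cannot be confirmed here, but if it is oauth2-proxy (the `--skip-auth-route` syntax suggests so) its stripping of forwarded auth headers on skipped routes (`--skip-auth-strip-headers`, on by default) must stay enabled and the header must be overwritten rather than appended on authenticated routes. In a Nix double-quoted string `\.` is reduced to a plain `.`, so the regex reaches the proxy as `heartbeat(s|s.bulk)?`; `"…heartbeat(s|s\\.bulk)?$"` yields the literal dot that was intended. Removing the `/srv/wakapi` bind mount and the matching tmpfiles rule takes away the container's persistent data directory; unless the enlarged wakapi-env secret now points the database elsewhere, wakapi's state lives only in the container filesystem and is lost when the container is recreated, which the commit message should state either way.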
diff --git a/secrets/wakapi-proxy-env.age b/secrets/wakapi-proxy-env.age new file mode 100644 index 0000000000000000000000000000000000000000..fc0b8888a03616c06ee6f290bbffc333f7497585 GIT binary patch literal 374 zcmV-+0g3)$XJsvAZewzJaCB*JZZ2Mo@G#cxyyZM?_dcNLV;eaB*dHOlCttG;%gkI7xX-R9Ol+GdEE+Mpa^H zdPz1nQA>6=Y-DRVMnhI~YG-tHPeg1sZZbtrLUC?+GII(oEiE8pHA7@HQ)f*;`ogaR3$IkVcAnue$f3geWN5EzxpY!nOlj-rHrWIF+6_31HG1bqWKkd0>mIgrA)2mjH`ZRKVnG U3g5?D*z>6Hj