nixos/hosts/architect/openid.nix

{ lib }:

{
  openresty_oidc_block =
    { access_role ? "", whitelisted_ips ? [ ] }: ''
      
    '';
    #   access_by_lua_block {
    #     local opts = {
    #       discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
    #       client_id = "nginx",
    #       client_secret = "9C6BYxPhTbrRS4DIwd3Smk7e11ABmnt8",
    #       logout_path = "/logout",
    #       redirect_after_logout_uri = "/",
    #       redirect_uri = "/redirect_uri",
    #       keepalive = "yes",
    #       accept_none_alg = true,
    #       revoke_tokens_on_logout = true,
    #       -- access token valid for a day
    #       access_token_expires_in = 86400
    #     }

    #     ${lib.optionalString (whitelisted_ips != []) ''
    #       local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}}          
                      
    #       if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then
    #         return
    #       end
    #     ''}
       
    #     -- call introspect for OAuth 2.0 Bearer Access Token validation
    #     local res, err = require("resty.openidc").authenticate(opts)

    #     if err then
    #       ngx.status = 403
    #       ngx.say(err)
    #       ngx.exit(ngx.HTTP_FORBIDDEN)
    #     end

    #     ${lib.optionalString (access_role != "") ''
    #       if not check_role(res, "${access_role}") then
    #         ngx.status = 401
    #         ngx.header.content_type = 'text/html';
    #         ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
    #         ngx.exit(ngx.HTTP_UNAUTHORIZED)
    #       end
    #     ''}
    #   }
    # '';
}
openid: Check for role when authenticating 2022-10-28 21:00:29 +01:00			`{ lib }:`

radarr: Use openid.nix template 2022-10-28 13:43:55 +01:00			`{`
openid: Check for role when authenticating 2022-10-28 21:00:29 +01:00			`openresty_oidc_block =`
Formatting 2023-02-11 02:29:48 +00:00			`{ access_role ? "", whitelisted_ips ? [ ] }: ''`
Initial move to 23.05 2023-05-27 23:16:46 +01:00
			`'';`
			`# access_by_lua_block {`
			`# local opts = {`
			`# discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",`
			`# client_id = "nginx",`
			`# client_secret = "9C6BYxPhTbrRS4DIwd3Smk7e11ABmnt8",`
			`# logout_path = "/logout",`
			`# redirect_after_logout_uri = "/",`
			`# redirect_uri = "/redirect_uri",`
			`# keepalive = "yes",`
			`# accept_none_alg = true,`
			`# revoke_tokens_on_logout = true,`
			`# -- access token valid for a day`
			`# access_token_expires_in = 86400`
			`# }`
radarr: Use openid.nix template 2022-10-28 13:43:55 +01:00
Initial move to 23.05 2023-05-27 23:16:46 +01:00			`# ${lib.optionalString (whitelisted_ips != []) ''`
			`# local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}}`
nginx, openid: Allow IP whitelist to bypass OpenID auth 2022-11-29 13:53:17 +00:00
Initial move to 23.05 2023-05-27 23:16:46 +01:00			`# if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then`
			`# return`
			`# end`
			`# ''}`
nginx, openid: Allow IP whitelist to bypass OpenID auth 2022-11-29 13:53:17 +00:00
Initial move to 23.05 2023-05-27 23:16:46 +01:00			`# -- call introspect for OAuth 2.0 Bearer Access Token validation`
			`# local res, err = require("resty.openidc").authenticate(opts)`
openid: Check for role when authenticating 2022-10-28 21:00:29 +01:00
Initial move to 23.05 2023-05-27 23:16:46 +01:00			`# if err then`
			`# ngx.status = 403`
			`# ngx.say(err)`
			`# ngx.exit(ngx.HTTP_FORBIDDEN)`
			`# end`
nginx, openid: Allow IP whitelist to bypass OpenID auth 2022-11-29 13:53:17 +00:00
Initial move to 23.05 2023-05-27 23:16:46 +01:00			`# ${lib.optionalString (access_role != "") ''`
			`# if not check_role(res, "${access_role}") then`
			`# ngx.status = 401`
			`# ngx.header.content_type = 'text/html';`
			`# ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")`
			`# ngx.exit(ngx.HTTP_UNAUTHORIZED)`
			`# end`
			`# ''}`
			`# }`
			`# '';`
radarr: Use openid.nix template 2022-10-28 13:43:55 +01:00			`}`