nixos/hosts/architect/openid.nix

{ lib }:

{
  openresty_oidc_block =
    { access_role ? "", whitelisted_ips ? [] }: ''
      access_by_lua_block {
        local opts = {
          discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
          client_id = "nginx",
          client_secret = "9C6BYxPhTbrRS4DIwd3Smk7e11ABmnt8",
          logout_path = "/logout",
          redirect_after_logout_uri = "/",
          redirect_uri = "/redirect_uri",
          keepalive = "yes",
          accept_none_alg = true,
          revoke_tokens_on_logout = true,
          -- access token valid for a day
          access_token_expires_in = 86400
        }

        ${lib.optionalString (whitelisted_ips != []) ''
          local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}}          
                      
          if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then
            return
          end
        ''}
       
        -- call introspect for OAuth 2.0 Bearer Access Token validation
        local res, err = require("resty.openidc").authenticate(opts)

        if err then
          ngx.status = 403
          ngx.say(err)
          ngx.exit(ngx.HTTP_FORBIDDEN)
        end

        ${lib.optionalString (access_role != "") ''
          if not check_role(res, "${access_role}") then
            ngx.status = 401
            ngx.header.content_type = 'text/html';
            ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
            ngx.exit(ngx.HTTP_UNAUTHORIZED)
          end
        ''}
      }
    '';
}
openid: Check for role when authenticating 2022-10-28 21:00:29 +01:00			`{ lib }:`

radarr: Use openid.nix template 2022-10-28 13:43:55 +01:00			`{`
openid: Check for role when authenticating 2022-10-28 21:00:29 +01:00			`openresty_oidc_block =`
nginx, openid: Allow IP whitelist to bypass OpenID auth 2022-11-29 13:53:17 +00:00			`{ access_role ? "", whitelisted_ips ? [] }: ''`
openid: Check for role when authenticating 2022-10-28 21:00:29 +01:00			`access_by_lua_block {`
			`local opts = {`
openid: Force nginx app, allow to change only access_role 2022-11-11 18:08:00 +00:00			`discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",`
			`client_id = "nginx",`
			`client_secret = "9C6BYxPhTbrRS4DIwd3Smk7e11ABmnt8",`
openid: Check for role when authenticating 2022-10-28 21:00:29 +01:00			`logout_path = "/logout",`
			`redirect_after_logout_uri = "/",`
			`redirect_uri = "/redirect_uri",`
			`keepalive = "yes",`
openid: Revoke tokens on logout 2022-11-29 11:56:40 +00:00			`accept_none_alg = true,`
openid: Extend access token validity to one day 2022-11-29 12:03:26 +00:00			`revoke_tokens_on_logout = true,`
			`-- access token valid for a day`
			`access_token_expires_in = 86400`
nginx, openid: Allow IP whitelist to bypass OpenID auth 2022-11-29 13:53:17 +00:00			`}`
radarr: Use openid.nix template 2022-10-28 13:43:55 +01:00
nginx, openid: Allow IP whitelist to bypass OpenID auth 2022-11-29 13:53:17 +00:00			`${lib.optionalString (whitelisted_ips != []) ''`
			`local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}}`

			`if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then`
			`return`
			`end`
			`''}`

			`-- call introspect for OAuth 2.0 Bearer Access Token validation`
			`local res, err = require("resty.openidc").authenticate(opts)`
openid: Check for role when authenticating 2022-10-28 21:00:29 +01:00
nginx, openid: Allow IP whitelist to bypass OpenID auth 2022-11-29 13:53:17 +00:00			`if err then`
			`ngx.status = 403`
			`ngx.say(err)`
			`ngx.exit(ngx.HTTP_FORBIDDEN)`
openid: Check for role when authenticating 2022-10-28 21:00:29 +01:00			`end`
nginx, openid: Allow IP whitelist to bypass OpenID auth 2022-11-29 13:53:17 +00:00
			`${lib.optionalString (access_role != "") ''`
			`if not check_role(res, "${access_role}") then`
			`ngx.status = 401`
			`ngx.header.content_type = 'text/html';`
			`ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")`
			`ngx.exit(ngx.HTTP_UNAUTHORIZED)`
			`end`
			`''}`
openid: Check for role when authenticating 2022-10-28 21:00:29 +01:00			`}`
			`'';`
radarr: Use openid.nix template 2022-10-28 13:43:55 +01:00			`}`