From 27fbff7e9bddd236d76545feb88401522e27b004 Mon Sep 17 00:00:00 2001
From: xinyangli
Date: Mon, 30 Sep 2024 15:20:07 +0800
Subject: [PATCH] fix oidc for ocis

---
 machines/calcite/configuration.nix | 11 ++++++---
 machines/massicot/kanidm-provision.nix | 23 ++++-------------
 machines/massicot/secrets.yaml | 7 ++----
 machines/massicot/services.nix | 34 ++++++--------------------
 machines/weilite/services/ocis.nix | 11 ++++-----
 5 files changed, 28 insertions(+), 58 deletions(-)

diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix
index f397b7a..4601e8c 100644
--- a/machines/calcite/configuration.nix
+++ b/machines/calcite/configuration.nix
@@ -126,7 +126,11 @@
 # Enable CUPS to print documents.
 services.printing.enable = true;
- # services.printing.drivers = [ pkgs.hplip ];
+ services.printing.drivers = [
+ pkgs.hplip
+ pkgs.gutenprintBin
+ pkgs.canon-cups-ufr2
+ ];
 hardware.pulseaudio.enable = false;
 security.rtkit.enable = true;
@@ -180,6 +184,7 @@
 # List packages installed in system profile. To search, run:
 # $ nix search wget
 environment.systemPackages = with pkgs; [
+ imhex
 oidc-agent
 # Filesystem
 (owncloud-client.overrideAttrs (
@@ -187,8 +192,8 @@
 src = pkgs.fetchFromGitHub {
 owner = "xinyangli";
 repo = "client";
- rev = "e5ec2d68077361f1597b137a944884dda5574487";
- hash = "sha256-xs8g7DdL1VxArK3n1c/9k7nW2vwYRHRuz6zaeX7E3eM=";
+ rev = "780d1c4c8bf02be42e118c792ff833ab10c2fdcc";
+ hash = "sha256-pEwcGJI9sN9nooW/RQHmi52Du6yzofgZeB8PcjwPtZ8=";
 };
 }
 ))
diff --git a/machines/massicot/kanidm-provision.nix b/machines/massicot/kanidm-provision.nix
index 91f86d2..b7702de 100644
--- a/machines/massicot/kanidm-provision.nix
+++ b/machines/massicot/kanidm-provision.nix
@@ -118,31 +118,18 @@
 ];
 };
 };
- owncloud = {
- displayName = "ownCloud";
- originUrl = "https://drive.xinyang.life:8443/";
- originLanding = "https://drive.xinyang.life:8443/";
- public = true;
- preferShortUsername = true;
- scopeMaps = {
- ocis-users = [
- "openid"
- "email"
- "profile"
- ];
- };
- };
-
+ # It's used for all the clients. I'm too lazy to change the name.
 owncloud-android = {
 displayName = "ownCloud Apps";
 originLanding = "https://drive.xinyang.life:8443/";
 originUrl = [
- "http://localhost/"
- "http://127.0.0.1/"
+ "http://localhost:38622/"
+ "http://localhost:43580/"
+ "https://drive.xinyang.life:8443/"
 # TODO: Should allow mobile redirect url not ending with /
 # "oc://android.owncloud.com"
 ];
- basicSecretFile = config.sops.secrets."kanidm/ocis_android_secret".path;
+ public = true;
 preferShortUsername = true;
 scopeMaps = {
 ocis-users = [
diff --git a/machines/massicot/secrets.yaml b/machines/massicot/secrets.yaml
index 302df3b..0f4bbdc 100644
--- a/machines/massicot/secrets.yaml
+++ b/machines/massicot/secrets.yaml
@@ -9,9 +9,6 @@ forgejo:
 restic:
 repo: ENC[AES256_GCM,data:/vybkTU7LMWSlco9W2pJouU9wm4okXClSHXQMCA6SGIHWp4Ppl6C+jS4sNJALc6ntKzcEHyWO/R3JPjQKjZNH4YtrnNQp/ZY9g==,iv:gAvp6blg5JuBKzLw6YSgM1Uc24Aesov3ttCRXZXBvJw=,tag:pvH1y6BFOl7jIn/qQejUbQ==,type:str]
 password: ENC[AES256_GCM,data:5eIIBtGtBFwcAQ+ZwTYOtg==,iv:3GEM8Imu0i1aTwwSspvz2EzwJOXUC/b15hzkFFuZ+YY=,tag:wscba+nMtshldgUtcEKnOw==,type:str]
-kanidm:
- ocis_android_secret: ENC[AES256_GCM,data:vuEIvBEhIME+C/s3xoskddtf5nogC9nPq+HUyyAl3u9nvH3bTzUkfE/1wolaCLeeupnD3pDokdRyKzjEmoZACQ==,iv:cmx/0i23p1uEI0oAiWdcvGRq4+075+VuAMkFSfXzfso=,tag:yVnqz16L5kyW9vAVng53pA==,type:str]
- ocis_desktop_secret: ENC[AES256_GCM,data:WTfUQzTB9An9p9xof2nuIkD5mYzMaisS62Cv86zX05rkB/wXmTnZiY7ztUoN9OmhGoPgeZg0+d+Jo6bV1hoqlw==,iv:V4iqtYIOcyDXIijcD0IXqpaSs2rxyWiOSZGer/BFSe4=,tag:1nCU1KmWQcY5ZXjlzhxaQQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
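Review bot: Switching `owncloud-android` to `public = true` and dropping `basicSecretFile` removes client authentication for this client, so Kanidm can now only rely on the exact redirect-URI list and on PKCE; that is the right shape for the desktop and mobile apps, but the same client now also carries the oCIS web UI redirect `https://drive.xinyang.life:8443/`, which previously used the separate confidential `owncloud` client. Please confirm PKCE stays required for it (as far as I know Kanidm enforces PKCE by default and only relaxes it per client on explicit request) and that the loopback ports 38622 and 43580 are exactly what the patched desktop client binds — presumably that is why the `owncloud-client` rev is bumped in the same commit, but nothing on this page shows it. The added comment would be more useful if it recorded this design rather than the naming, e.g. `# Single public OIDC client shared by the oCIS web UI and the desktop/mobile apps: no client secret, so security rests on the exact redirect URIs plus PKCE.` The `owncloud-android` attribute set continues past the end of the hunk.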
@@ -36,8 +33,8 @@ sops:
 dnFBa0lDWWZtS1BHdzBoVzNTaGNkSEEKi/W1n7RT8NpTp00SBMwxsUJAPDhumJ/i
 V2VnaSNwouD3SswTcoBzqQpBP9XrqzjIYGke90ZODFQbMY9WDQ+O0g==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-09-14T05:48:04Z"
- mac: ENC[AES256_GCM,data:zdGdvk2pMaZYUsTI9XsSUpgtWrNmZNPg7KoV0zAt19h7Qccu3OGTSfXD+rhhhxhhWgBohGIhDVAVQcORnAw1Y/ykgqxERCANuzoBvvR1eKfPcRNiCEr2dmUAybDF7B2MWKlJ5Fsnpk/caK717Fe8XdAJDuplFwmMWi2c1c61/NQ=,iv:KPQTGzFQH+CQmLeXBzMSbU4lVH0/Wc6CeTp6w/pMMOY=,tag:UVA+sQwQa2bpy2/woBgAkQ==,type:str]
+ lastmodified: "2024-09-30T07:19:35Z"
+ mac: ENC[AES256_GCM,data:WSGvA1RkChrD07Sf4BFVMbdTXQYxAHeGGQ52e+pnPh0lZPOzMc9sLDrBPqDK2OfrHC+hK8RC7FxQTGs6G/oBB4nUzIZPn9WycTiU5elwWDfktizH0gr3EJDm7Gs+bTWQpwdoJZGZ8XErK+yegCaKL5cSOSTlBBbQOnZfnoNBg5c=,iv:xyJRFfxHC2xV0ro4CbdOPau1zORxA64OqpvKr4aFZvQ=,tag:c9NA90d5WTK2pfxwoyOX5A==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.0
diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix
index dfdac4d..4be75c5 100644
--- a/machines/massicot/services.nix
+++ b/machines/massicot/services.nix
@@ -268,33 +268,15 @@ in
 virtualHosts."http://auth.xinyang.life:80".extraConfig = ''
 reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP}
 '';
- virtualHosts."https://auth.xinyang.life".extraConfig =
- let
- reverseProxyKanidm = ''
- reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} {
- header_up Host {upstream_hostport}
- header_down Access-Control-Allow-Origin "*"
- transport http {
- tls_server_name ${config.services.kanidm.serverSettings.domain}
- }
+ virtualHosts."https://auth.xinyang.life".extraConfig = ''
+ reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} {
+ header_up Host {upstream_hostport}
+ header_down Access-Control-Allow-Origin "*"
+ transport http {
+ tls_server_name ${config.services.kanidm.serverSettings.domain}
 }
- '';
- in
- ''
- reverse_proxy /oauth2/openid/owncloud/userinfo https://127.0.0.1:${toString kanidm_listen_port} {
- header_up Host {upstream_hostport}
- header_down Access-Control-Allow-Origin "*"
- transport http {
- tls_server_name ${config.services.kanidm.serverSettings.domain}
- }
- @error status 400
- handle_response @error {
- rewrite /oauth2/openid/owncloud/userinfo /oauth2/openid/owncloud-android/userinfo
- ${reverseProxyKanidm}
- }
- }
- ${reverseProxyKanidm}
- '';
+ }
+ '';
 virtualHosts."https://rss.xinyang.life".extraConfig = ''
 reverse_proxy ${config.custom.miniflux.environment.LISTEN_ADDR}
diff --git a/machines/weilite/services/ocis.nix b/machines/weilite/services/ocis.nix
index 7438591..dfd4c50 100644
--- a/machines/weilite/services/ocis.nix
+++ b/machines/weilite/services/ocis.nix
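Review bot: The collapsed vhost loses any record of why the `/oauth2/openid/owncloud/userinfo` rewrite and the `handle_response @error` fallback existed, so a reader of the new block cannot tell that omitting them is now safe rather than an oversight; a one-line comment above the new `reverse_proxy` would carry that, e.g. `# Plain proxy: the owncloud -> owncloud-android userinfo fallback is gone because oCIS now uses the owncloud-android client directly (see machines/weilite/services/ocis.nix).` Unrelated to this change but retained in the new block, `header_down Access-Control-Allow-Origin "*"` is attached to every Kanidm response on this host, token and userinfo endpoints included; if only the browser-side discovery/userinfo calls from the oCIS web UI need it, a Caddy matcher that limits the header to those paths or to the `https://drive.xinyang.life:8443` origin would narrow it. The enclosing `virtualHosts` attribute set starts and ends outside the hunk.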
@@ -15,21 +15,20 @@
 OCIS_LOG_PRETTY = "true";
 PROXY_AUTOPROVISION_ACCOUNTS = "true";
 PROXY_USER_OIDC_CLAIM = "preferred_username";
- PROXY_OIDC_ISSUER = "https://auth.xinyang.life/oauth2/openid/owncloud";
- PROXY_OIDC_REWRITE_WELLKNOWN = "false";
+ PROXY_OIDC_ISSUER = "https://auth.xinyang.life/oauth2/openid/owncloud-android";
+ PROXY_OIDC_REWRITE_WELLKNOWN = "true";
 PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD = "none";
 OCIS_EXCLUDE_RUN_SERVICES = "idp";
 WEB_HTTP_ADDR = "127.0.0.1:12345";
- WEB_OIDC_METADATA_URL = "https://auth.xinyang.life/oauth2/openid/owncloud/.well-known/openid-configuration";
- WEB_OIDC_AUTHORITY = "https://auth.xinyang.life/oauth2/openid/owncloud";
- WEB_OIDC_CLIENT_ID = "owncloud";
+ WEB_OIDC_METADATA_URL = "https://auth.xinyang.life/oauth2/openid/owncloud-android/.well-known/openid-configuration";
+ WEB_OIDC_AUTHORITY = "https://auth.xinyang.life/oauth2/openid/owncloud-android";
+ WEB_OIDC_CLIENT_ID = "owncloud-android";
 };
 # environmentFile = config.sops.secrets."ocis/env".path;
 };
 networking.firewall.allowedTCPPorts = [ 8443 ];
 services.caddy.virtualHosts."${config.services.ocis.url}".extraConfig = ''
- redir /.well-known/openid-configuration https://auth.xinyang.life/oauth2/openid/owncloud-android/.well-known/openid-configuration permanent
 reverse_proxy ${config.services.ocis.address}:${toString config.services.ocis.port}
 '';
 }
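Review bot: The client name `owncloud-android` is now spelled out in four settings of this attribute set (`PROXY_OIDC_ISSUER`, `WEB_OIDC_METADATA_URL`, `WEB_OIDC_AUTHORITY`, `WEB_OIDC_CLIENT_ID`) and has to agree with the client provisioned on a different host in `machines/massicot/kanidm-provision.nix`; a single binding such as `let oidcIssuer = "https://auth.xinyang.life/oauth2/openid/owncloud-android"; in` with `WEB_OIDC_METADATA_URL = "${oidcIssuer}/.well-known/openid-configuration";` and `WEB_OIDC_AUTHORITY = oidcIssuer;` would keep them from drifting apart silently. Flipping `PROXY_OIDC_REWRITE_WELLKNOWN` to `"true"` appears to be what lets the Caddy `redir` for `/.well-known/openid-configuration` go, since oCIS then answers that path itself; a short comment next to that line saying so would stop the next reader from re-adding the redirect. The unchanged `PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD = "none"` still turns off local access-token verification in the proxy; that is outside this change, but worth confirming it is deliberate now that the issuer has been switched. The `environment` attribute set this hunk edits begins before the hunk.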