fix oidc for ocis
This commit is contained in:
parent
59c4ee3e8d
commit
27fbff7e9b
5 changed files with 28 additions and 58 deletions
|
@ -126,7 +126,11 @@
|
||||||
|
|
||||||
# Enable CUPS to print documents.
|
# Enable CUPS to print documents.
|
||||||
services.printing.enable = true;
|
services.printing.enable = true;
|
||||||
# services.printing.drivers = [ pkgs.hplip ];
|
services.printing.drivers = [
|
||||||
|
pkgs.hplip
|
||||||
|
pkgs.gutenprintBin
|
||||||
|
pkgs.canon-cups-ufr2
|
||||||
|
];
|
||||||
|
|
||||||
hardware.pulseaudio.enable = false;
|
hardware.pulseaudio.enable = false;
|
||||||
security.rtkit.enable = true;
|
security.rtkit.enable = true;
|
||||||
|
@ -180,6 +184,7 @@
|
||||||
# List packages installed in system profile. To search, run:
|
# List packages installed in system profile. To search, run:
|
||||||
# $ nix search wget
|
# $ nix search wget
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
|
imhex
|
||||||
oidc-agent
|
oidc-agent
|
||||||
# Filesystem
|
# Filesystem
|
||||||
(owncloud-client.overrideAttrs (
|
(owncloud-client.overrideAttrs (
|
||||||
|
@ -187,8 +192,8 @@
|
||||||
src = pkgs.fetchFromGitHub {
|
src = pkgs.fetchFromGitHub {
|
||||||
owner = "xinyangli";
|
owner = "xinyangli";
|
||||||
repo = "client";
|
repo = "client";
|
||||||
rev = "e5ec2d68077361f1597b137a944884dda5574487";
|
rev = "780d1c4c8bf02be42e118c792ff833ab10c2fdcc";
|
||||||
hash = "sha256-xs8g7DdL1VxArK3n1c/9k7nW2vwYRHRuz6zaeX7E3eM=";
|
hash = "sha256-pEwcGJI9sN9nooW/RQHmi52Du6yzofgZeB8PcjwPtZ8=";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
))
|
))
|
||||||
|
|
|
@ -118,31 +118,18 @@
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
owncloud = {
|
# It's used for all the clients. I'm too lazy to change the name.
|
||||||
displayName = "ownCloud";
|
|
||||||
originUrl = "https://drive.xinyang.life:8443/";
|
|
||||||
originLanding = "https://drive.xinyang.life:8443/";
|
|
||||||
public = true;
|
|
||||||
preferShortUsername = true;
|
|
||||||
scopeMaps = {
|
|
||||||
ocis-users = [
|
|
||||||
"openid"
|
|
||||||
"email"
|
|
||||||
"profile"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
owncloud-android = {
|
owncloud-android = {
|
||||||
displayName = "ownCloud Apps";
|
displayName = "ownCloud Apps";
|
||||||
originLanding = "https://drive.xinyang.life:8443/";
|
originLanding = "https://drive.xinyang.life:8443/";
|
||||||
originUrl = [
|
originUrl = [
|
||||||
"http://localhost/"
|
"http://localhost:38622/"
|
||||||
"http://127.0.0.1/"
|
"http://localhost:43580/"
|
||||||
|
"https://drive.xinyang.life:8443/"
|
||||||
# TODO: Should allow mobile redirect url not ending with /
|
# TODO: Should allow mobile redirect url not ending with /
|
||||||
# "oc://android.owncloud.com"
|
# "oc://android.owncloud.com"
|
||||||
];
|
];
|
||||||
basicSecretFile = config.sops.secrets."kanidm/ocis_android_secret".path;
|
public = true;
|
||||||
preferShortUsername = true;
|
preferShortUsername = true;
|
||||||
scopeMaps = {
|
scopeMaps = {
|
||||||
ocis-users = [
|
ocis-users = [
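Review bot: The `owncloud-android` client drops `basicSecretFile = config.sops.secrets."kanidm/ocis_android_secret".path;` in favour of `public = true;` while also gaining the browser origin `https://drive.xinyang.life:8443/`, so one public client now fronts the web app, the desktop client and the Android app and nothing but PKCE binds an authorization code to the party that started the flow. That is the normal posture for native apps, which cannot hold a secret, but it should be made explicit: leave `allowInsecureClientDisablePkce` unset for this client and confirm that every consumer listed under `originUrl` sends a code challenge, because a public client without PKCE lets whoever intercepts a code redeem it. The fixed loopback entries `http://localhost:38622/` and `http://localhost:43580/` replace the bare `http://localhost/` and `http://127.0.0.1/`; presumably these are the ports a desktop client opens for its redirect, so a comment naming the owner would save the next maintainer a search, e.g. `# 38622/43580: loopback redirect ports of the desktop client — keep in sync with its settings`. The new comment `# It's used for all the clients. I'm too lazy to change the name.` would read better as `# Shared OIDC client for the ownCloud web, desktop and Android apps; the name is historical.`. The `scopeMaps` block continues past the end of the hunk.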
|
||||||
|
|
|
@ -9,9 +9,6 @@ forgejo:
|
||||||
restic:
|
restic:
|
||||||
repo: ENC[AES256_GCM,data:/vybkTU7LMWSlco9W2pJouU9wm4okXClSHXQMCA6SGIHWp4Ppl6C+jS4sNJALc6ntKzcEHyWO/R3JPjQKjZNH4YtrnNQp/ZY9g==,iv:gAvp6blg5JuBKzLw6YSgM1Uc24Aesov3ttCRXZXBvJw=,tag:pvH1y6BFOl7jIn/qQejUbQ==,type:str]
|
repo: ENC[AES256_GCM,data:/vybkTU7LMWSlco9W2pJouU9wm4okXClSHXQMCA6SGIHWp4Ppl6C+jS4sNJALc6ntKzcEHyWO/R3JPjQKjZNH4YtrnNQp/ZY9g==,iv:gAvp6blg5JuBKzLw6YSgM1Uc24Aesov3ttCRXZXBvJw=,tag:pvH1y6BFOl7jIn/qQejUbQ==,type:str]
|
||||||
password: ENC[AES256_GCM,data:5eIIBtGtBFwcAQ+ZwTYOtg==,iv:3GEM8Imu0i1aTwwSspvz2EzwJOXUC/b15hzkFFuZ+YY=,tag:wscba+nMtshldgUtcEKnOw==,type:str]
|
password: ENC[AES256_GCM,data:5eIIBtGtBFwcAQ+ZwTYOtg==,iv:3GEM8Imu0i1aTwwSspvz2EzwJOXUC/b15hzkFFuZ+YY=,tag:wscba+nMtshldgUtcEKnOw==,type:str]
|
||||||
kanidm:
|
|
||||||
ocis_android_secret: ENC[AES256_GCM,data:vuEIvBEhIME+C/s3xoskddtf5nogC9nPq+HUyyAl3u9nvH3bTzUkfE/1wolaCLeeupnD3pDokdRyKzjEmoZACQ==,iv:cmx/0i23p1uEI0oAiWdcvGRq4+075+VuAMkFSfXzfso=,tag:yVnqz16L5kyW9vAVng53pA==,type:str]
|
|
||||||
ocis_desktop_secret: ENC[AES256_GCM,data:WTfUQzTB9An9p9xof2nuIkD5mYzMaisS62Cv86zX05rkB/wXmTnZiY7ztUoN9OmhGoPgeZg0+d+Jo6bV1hoqlw==,iv:V4iqtYIOcyDXIijcD0IXqpaSs2rxyWiOSZGer/BFSe4=,tag:1nCU1KmWQcY5ZXjlzhxaQQ==,type:str]
|
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -36,8 +33,8 @@ sops:
|
||||||
dnFBa0lDWWZtS1BHdzBoVzNTaGNkSEEKi/W1n7RT8NpTp00SBMwxsUJAPDhumJ/i
|
dnFBa0lDWWZtS1BHdzBoVzNTaGNkSEEKi/W1n7RT8NpTp00SBMwxsUJAPDhumJ/i
|
||||||
V2VnaSNwouD3SswTcoBzqQpBP9XrqzjIYGke90ZODFQbMY9WDQ+O0g==
|
V2VnaSNwouD3SswTcoBzqQpBP9XrqzjIYGke90ZODFQbMY9WDQ+O0g==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-09-14T05:48:04Z"
|
lastmodified: "2024-09-30T07:19:35Z"
|
||||||
mac: ENC[AES256_GCM,data:zdGdvk2pMaZYUsTI9XsSUpgtWrNmZNPg7KoV0zAt19h7Qccu3OGTSfXD+rhhhxhhWgBohGIhDVAVQcORnAw1Y/ykgqxERCANuzoBvvR1eKfPcRNiCEr2dmUAybDF7B2MWKlJ5Fsnpk/caK717Fe8XdAJDuplFwmMWi2c1c61/NQ=,iv:KPQTGzFQH+CQmLeXBzMSbU4lVH0/Wc6CeTp6w/pMMOY=,tag:UVA+sQwQa2bpy2/woBgAkQ==,type:str]
|
mac: ENC[AES256_GCM,data:WSGvA1RkChrD07Sf4BFVMbdTXQYxAHeGGQ52e+pnPh0lZPOzMc9sLDrBPqDK2OfrHC+hK8RC7FxQTGs6G/oBB4nUzIZPn9WycTiU5elwWDfktizH0gr3EJDm7Gs+bTWQpwdoJZGZ8XErK+yegCaKL5cSOSTlBBbQOnZfnoNBg5c=,iv:xyJRFfxHC2xV0ro4CbdOPau1zORxA64OqpvKr4aFZvQ=,tag:c9NA90d5WTK2pfxwoyOX5A==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.9.0
|
version: 3.9.0
|
||||||
|
|
|
@ -268,33 +268,15 @@ in
|
||||||
virtualHosts."http://auth.xinyang.life:80".extraConfig = ''
|
virtualHosts."http://auth.xinyang.life:80".extraConfig = ''
|
||||||
reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP}
|
reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP}
|
||||||
'';
|
'';
|
||||||
virtualHosts."https://auth.xinyang.life".extraConfig =
|
virtualHosts."https://auth.xinyang.life".extraConfig = ''
|
||||||
let
|
reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} {
|
||||||
reverseProxyKanidm = ''
|
header_up Host {upstream_hostport}
|
||||||
reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} {
|
header_down Access-Control-Allow-Origin "*"
|
||||||
header_up Host {upstream_hostport}
|
transport http {
|
||||||
header_down Access-Control-Allow-Origin "*"
|
tls_server_name ${config.services.kanidm.serverSettings.domain}
|
||||||
transport http {
|
|
||||||
tls_server_name ${config.services.kanidm.serverSettings.domain}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
'';
|
}
|
||||||
in
|
'';
|
||||||
''
|
|
||||||
reverse_proxy /oauth2/openid/owncloud/userinfo https://127.0.0.1:${toString kanidm_listen_port} {
|
|
||||||
header_up Host {upstream_hostport}
|
|
||||||
header_down Access-Control-Allow-Origin "*"
|
|
||||||
transport http {
|
|
||||||
tls_server_name ${config.services.kanidm.serverSettings.domain}
|
|
||||||
}
|
|
||||||
@error status 400
|
|
||||||
handle_response @error {
|
|
||||||
rewrite /oauth2/openid/owncloud/userinfo /oauth2/openid/owncloud-android/userinfo
|
|
||||||
${reverseProxyKanidm}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
${reverseProxyKanidm}
|
|
||||||
'';
|
|
||||||
|
|
||||||
virtualHosts."https://rss.xinyang.life".extraConfig = ''
|
virtualHosts."https://rss.xinyang.life".extraConfig = ''
|
||||||
reverse_proxy ${config.custom.miniflux.environment.LISTEN_ADDR}
|
reverse_proxy ${config.custom.miniflux.environment.LISTEN_ADDR}
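Review bot: The rewritten `virtualHosts."https://auth.xinyang.life"` body still applies `header_down Access-Control-Allow-Origin "*"` to every response kanidm returns, now without the userinfo special-casing that originally motivated it, so the wildcard reaches the login UI and admin API as well as the OIDC endpoints. The browser-side ownCloud Web client only needs it on the OIDC paths (discovery, userinfo and the token endpoint — which exact paths it calls cross-origin is not visible here and should be confirmed), so the least-privilege shape is a path-matched `reverse_proxy /oauth2/* …` carrying the `header_down`, followed by the general `reverse_proxy` without it, as sketched below; it may also turn out that the CORS headers kanidm emits itself are sufficient, in which case the line can go entirely. Removing the `@error status 400` retry that rewrote a failed `/oauth2/openid/owncloud/userinfo` call onto a different client's endpoint is a clear improvement, since a proxy that silently re-targets an identity request is hard to reason about. The `rss.xinyang.life` vhost at the end of the hunk continues outside it.
```nix
virtualHosts."https://auth.xinyang.life".extraConfig = ''
  # OIDC endpoints called cross-origin by the ownCloud web app: CORS wildcard only here
  reverse_proxy /oauth2/* https://127.0.0.1:${toString kanidm_listen_port} {
    header_up Host {upstream_hostport}
    header_down Access-Control-Allow-Origin "*"
    transport http {
      tls_server_name ${config.services.kanidm.serverSettings.domain}
    }
  }
  # everything else (login UI, admin API): no CORS relaxation
  reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} {
    header_up Host {upstream_hostport}
    transport http {
      tls_server_name ${config.services.kanidm.serverSettings.domain}
    }
  }
'';
```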
|
||||||
|
|
|
@ -15,21 +15,20 @@
|
||||||
OCIS_LOG_PRETTY = "true";
|
OCIS_LOG_PRETTY = "true";
|
||||||
PROXY_AUTOPROVISION_ACCOUNTS = "true";
|
PROXY_AUTOPROVISION_ACCOUNTS = "true";
|
||||||
PROXY_USER_OIDC_CLAIM = "preferred_username";
|
PROXY_USER_OIDC_CLAIM = "preferred_username";
|
||||||
PROXY_OIDC_ISSUER = "https://auth.xinyang.life/oauth2/openid/owncloud";
|
PROXY_OIDC_ISSUER = "https://auth.xinyang.life/oauth2/openid/owncloud-android";
|
||||||
PROXY_OIDC_REWRITE_WELLKNOWN = "false";
|
PROXY_OIDC_REWRITE_WELLKNOWN = "true";
|
||||||
PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD = "none";
|
PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD = "none";
|
||||||
OCIS_EXCLUDE_RUN_SERVICES = "idp";
|
OCIS_EXCLUDE_RUN_SERVICES = "idp";
|
||||||
WEB_HTTP_ADDR = "127.0.0.1:12345";
|
WEB_HTTP_ADDR = "127.0.0.1:12345";
|
||||||
WEB_OIDC_METADATA_URL = "https://auth.xinyang.life/oauth2/openid/owncloud/.well-known/openid-configuration";
|
WEB_OIDC_METADATA_URL = "https://auth.xinyang.life/oauth2/openid/owncloud-android/.well-known/openid-configuration";
|
||||||
WEB_OIDC_AUTHORITY = "https://auth.xinyang.life/oauth2/openid/owncloud";
|
WEB_OIDC_AUTHORITY = "https://auth.xinyang.life/oauth2/openid/owncloud-android";
|
||||||
WEB_OIDC_CLIENT_ID = "owncloud";
|
WEB_OIDC_CLIENT_ID = "owncloud-android";
|
||||||
};
|
};
|
||||||
# environmentFile = config.sops.secrets."ocis/env".path;
|
# environmentFile = config.sops.secrets."ocis/env".path;
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 8443 ];
|
networking.firewall.allowedTCPPorts = [ 8443 ];
|
||||||
services.caddy.virtualHosts."${config.services.ocis.url}".extraConfig = ''
|
services.caddy.virtualHosts."${config.services.ocis.url}".extraConfig = ''
|
||||||
redir /.well-known/openid-configuration https://auth.xinyang.life/oauth2/openid/owncloud-android/.well-known/openid-configuration permanent
|
|
||||||
reverse_proxy ${config.services.ocis.address}:${toString config.services.ocis.port}
|
reverse_proxy ${config.services.ocis.address}:${toString config.services.ocis.port}
|
||||||
'';
|
'';
|
||||||
}
|
}
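Review bot: The new `redir /.well-known/openid-configuration https://auth.xinyang.life/oauth2/openid/owncloud-android/.well-known/openid-configuration permanent` in the ocis vhost and the switch to `PROXY_OIDC_REWRITE_WELLKNOWN = "true";` are two mechanisms for the same thing; as far as this vhost shows, Caddy answers the redirect before the request reaches ocis, so the proxy's own well-known rewrite is never exercised and the next issuer change has to be remembered in both places. Keep one of them, and if the redirect stays, consider `temporary` instead of `permanent` until the client id stops moving: a 301 is cached by browsers and HTTP libraries, so a later rename of the issuer path would not be picked up by clients that already cached the old target. `PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD = "none";` is unchanged but remains in the new configuration; it turns off local JWT verification of access tokens, so the proxy's acceptance of a token rests entirely on the userinfo round-trip to kanidm, which deserves a comment stating that this is deliberate, e.g. `# "none": tokens are validated only by calling the issuer's userinfo endpoint, not by local JWT checks`. The `environment` attribute set these variables belong to starts above the hunk.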
|
||||||
|
|