Merge pull request #11 from entropia/leona/host-abrechnung-add-berech…

…enbarkei feat(host/abrechung): add berechenbarkeit service
entropia · May 12, 2024 · b9725ea · b9725ea
2 parents 417299c + 602cd6b
commit b9725ea
Show file tree

Hide file tree

Showing 6 changed files with 222 additions and 4 deletions.
diff --git a/hosts/abrechnung/berechenbarkeit.nix b/hosts/abrechnung/berechenbarkeit.nix
@@ -0,0 +1,54 @@
+{ config, pkgs, ... }: {
+  x.sops.secrets."hosts/abrechnung/berechenbarkeit_vouch_proxy_env" = {};
+
+  systemd.services.berechenbarkeit = {
+    description = "berechenbarkeit";
+    after = [ "network.target" "postgresql.service" ];
+    wantedBy = [ "multi-user.target" ];
+
+    environment = {
+      BERECHENBARKEIT_STORAGE_BASE_PATH = "/var/lib/berechenbarkeit/storage";
+    };
+    preStart = ''
+      mkdir -p /var/lib/berechenbarkeit/storage
+    '';
+
+    serviceConfig = {
+      Type = "simple";
+      DynamicUser = true;
+      User = "berechenbarkeit";
+      StateDirectory = "berechenbarkeit";
+      ExecStart = "${pkgs.berechenbarkeit}/bin/berechenbarkeit --database-url 'postgres:///berechenbarkeit?host=/run/postgresql'";
+      Restart = "always";
+    };
+  };
+
+  services.postgresql = {
+    enable = true;
+    ensureDatabases = [ "berechenbarkeit" ];
+    ensureUsers = [
+      { name = "berechenbarkeit";
+        ensureDBOwnership = true;
+      }
+    ];
+  };
+
+  services.nginx.enable = true;
+  services.nginx.virtualHosts."abrechnung.entropia.de" = {
+    enableACME = true;
+    forceSSL = true;
+    kTLS = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:3000";
+    };
+  };
+
+  services.vouch-proxy = {
+    enable = true;
+    servers."abrechnung.entropia.de" = {
+      clientId = "abrechnung.entropia.de";
+      port = 12300;
+      environmentFiles = [ config.sops.secrets."hosts/abrechnung/berechenbarkeit_vouch_proxy_env".path ];
+    };
+  };
+}
diff --git a/hosts/abrechnung/default.nix b/hosts/abrechnung/default.nix
@@ -4,6 +4,7 @@
     ./disko.nix
     inputs.disko.nixosModules.disko
     ../../profiles/entropia-cluster-vm
+    ./berechenbarkeit.nix
   ];
 
   entropia.users = [ "leona" ];
@@ -28,7 +29,7 @@
     ];
     routes = [
       { routeConfig = { Destination = "0.0.0.0/0"; Gateway = "45.140.180.33"; }; }
-      { routeConfig = { Destination = "::/0"; Gateway = "2a0e:c5c0:0:201::"; }; }
+      { routeConfig = { Destination = "::/0"; Gateway = "2a0e:c5c0:0:201::1"; }; }
     ];
   };
   services.resolved.enable = true;

diff --git a/modules/vouch-proxy/default.nix b/modules/vouch-proxy/default.nix
@@ -0,0 +1,129 @@
+{ pkgs, lib, config, ... }:
+
+with lib;
+
+let
+  cfg = config.services.vouch-proxy;
+  format = pkgs.formats.yaml {};
+  serverOptions =
+    { ... }: {
+
+      options = {
+        clientId = mkOption {
+          type = types.str;
+          description = "OIDC Client ID for server.";
+        };
+        port = mkOption {
+          type = types.int;
+          description = "Port of the vouch-proxy server.";
+        };
+        environmentFiles = mkOption {
+          type = with types; nullOr (listOf path);
+          default = [ ];
+          description = ''
+            List of environment files set in the vouch-proxy-<literal>name</literal> systemd service.
+            For example the jwt secret and oidc secrets should be set in one of these files.
+          '';
+        };
+        addAuthRequestToMainLocation = mkOption {
+          type = types.bool;
+          default = false;
+          description = "Add auth_request to / location.";
+        };
+      };
+    };
+  mkService = domain: serviceConfig:
+    let
+      settings = recursiveUpdate cfg.globalSettings {
+        vouch.port = serviceConfig.port;
+        vouch.cookie.domain = domain;
+        oauth.client_id = serviceConfig.clientId;
+        oauth.callback_url = "https://${domain}/_vouch/auth";
+      };
+      configFile = format.generate "vouch-proxy-config.yaml" settings;
+    in nameValuePair "vouch-proxy-${domain}" {
+    description = "vouch-proxy";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+    path = [ cfg.package ];
+
+    serviceConfig = {
+      Type = "simple";
+      DynamicUser = true;
+      ExecStart = "${cfg.package}/bin/vouch-proxy -config ${configFile}";
+      Restart = "always";
+      EnvironmentFile = serviceConfig.environmentFiles;
+    };
+  };
+  mkVirtualHosts = domain: serviceConfig: nameValuePair domain {
+    extraConfig = ''
+      error_page 401 = @error401;
+    '';
+    locations."/".extraConfig = ''
+      auth_request /_vouch/validate;
+    '';
+    locations."/_vouch" = {
+      proxyPass = "http://127.0.0.1:${toString serviceConfig.port}";
+      extraConfig = ''
+        proxy_pass_request_body off;
+        proxy_set_header Content-Length "";
+        # these return values are used by the @error401 call
+        auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
+        auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
+        auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
+      '';
+    };
+
+    locations."@error401".return = "302 https://${domain}/_vouch/login?url=https://$host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err";
+  };
+in {
+  options.services.vouch-proxy = with lib; {
+    enable = mkEnableOption "vouch-proxy service";
+    package = mkOption {
+      default = pkgs.vouch-proxy;
+      type = types.package;
+      defaultText = "pkgs.vouch-proxy";
+      description = "vouch-proxy derivation to use.";
+    };
+    servers = mkOption {
+      type = types.attrsOf (types.submodule serverOptions);
+    };
+    globalSettings = mkOption {
+      type = format.type;
+      default = {
+        vouch = {
+          listen = "127.0.0.1";
+          jwt.issuer = "entropia vouch";
+          allowAllUsers = true;
+          headers = {
+            claims = [
+              "preferred_username"
+            ];
+          };
+          document_root = "/_vouch";
+        };
+        oauth = {
+          provider = "oidc";
+          auth_url = "https://sso.entropia.de/realms/entropia/protocol/openid-connect/auth";
+          token_url = "https://sso.entropia.de/realms/entropia/protocol/openid-connect/token";
+          user_info_url = "https://sso.entropia.de/realms/entropia/protocol/openid-connect/userinfo";
+          scopes = [
+            "openid"
+            "email"
+            "profile"
+          ];
+        };
+      };
+      description = ''
+        Vouch-proxy configuration. Refer to
+        <link xlink:href="https://github.com/vouch/vouch-proxy/blob/master/config/config.yml_example"/>
+        for details on supported values.
+        '';
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    systemd.services = mapAttrs' mkService cfg.servers;
+    services.nginx.virtualHosts = mapAttrs' mkVirtualHosts cfg.servers;
+  };
+}
+
diff --git a/pkgs/berechenbarkeit/default.nix b/pkgs/berechenbarkeit/default.nix
@@ -0,0 +1,32 @@
+{ lib, rustPlatform, fetchFromGitHub, pkg-config, openssl, postgresql }:
+
+rustPlatform.buildRustPackage {
+  pname = "berechenbarkeit";
+  version = "0-unstable-2024-05-12";
+
+  src = fetchFromGitHub {
+    owner = "entropia";
+    repo = "berechenbarkeit";
+    rev = "703ecb85d66a1798c33feebd1d906a18bf1727e4";
+    hash = "sha256-DtXlaNvWIhDrBMVWOmV1eTskJmqYf8wYLdEfxdbD3oc=";
+  };
+
+  cargoHash = "sha256-Zisj2fpebz4CRwpsg/H+8H/s1Q395lOiVKg9fcZVTtw=";
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [
+    openssl.dev
+    postgresql.lib
+  ];
+
+  preBuild = ''
+    export BERECHENBARKEIT_STATIC_BASE_PATH=$assets
+  '';
+
+  postInstall = ''
+    mkdir $assets
+    cp -R $src/src/assets/* $assets
+  '';
+
+  outputs = [ "out" "assets" ];
+}
diff --git a/pkgs/default.nix b/pkgs/default.nix
@@ -1,11 +1,12 @@
 { self, ... }: {
 
   flake.overlays.default = final: prev: {
-    inherit (self.packages.${final.system}) wg-access-server;
+    inherit (self.packages.${final.system}) berechenbarkeit wg-access-server;
   };
 
   perSystem = { pkgs, ... }: {
     packages = {
+      berechenbarkeit = pkgs.callPackage ./berechenbarkeit { };
       wg-access-server = pkgs.callPackage ./wg-access-server { };
     };
   };

diff --git a/secrets/hosts/abrechnung.yaml b/secrets/hosts/abrechnung.yaml
@@ -1,6 +1,7 @@
 hosts:
     abrechnung:
         backup_zweitwohnsitz_password: ENC[AES256_GCM,data:PYkzTEGtg6esZXfaOMk5VyDFAsQ0+xbkXS5pEKrvtmKzL/eNprk/FDiJGhAYICoVP5I0zgvMfGU2WK090Qy9uD9vbG6yxsrq6lhjGwBAgMaN9Yt879obsFIvBHf+TLDIU2PCygHoIUkopTTlF/SEF+w06P66JYl9eqgINRC3nHo=,iv:41JHqA2ua6S6XS9P/ItLpShfl6AZnXmqjbTc+XC2G3s=,tag:6smZNN7MKA/heDPE40Bj+g==,type:str]
+        berechenbarkeit_vouch_proxy_env: ENC[AES256_GCM,data:zGZnTLk93rrMII9pW5n/ol8OGJpnosLfkDmxlM9gmdgmyBTSm7iYndElKMXgWm3w0wkd8HFaD9MmRIy4qzzlB1ml9Q6shYhCPygLkjiJC96zP4JXUay3ffX9ZEEHEz/D+slYuT+p8lVKopoSdALnw8NqJh4Q+BEo1qqeT5cUPmZ+h/wiuTAY,iv:Q+BHeqfaPf9SF0l2Zl8hnng92RllMgfCe/cBGQ29+hU=,tag:6WGzyaqdh2BuKr9HwqqUQQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -25,8 +26,8 @@ sops:
             RkMySzVYU0d3NmJwNEVPT1NNcmxpS1kK+ahIQugzPcovyndhA8f873yGCXi9VH5L
             ybkC/4ZL082ANAqd+fCqqCa8TDLar5nSSTnWNsC/tMs7cFNSyNjLVA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-04-21T13:40:19Z"
-    mac: ENC[AES256_GCM,data:PakJCP8kB73USVidD9p4+p4y+RygZYfqdvTIi8jIgfgSvLmErHlOBY0JvYy6gYMlfgH+Ik9xiX795htfwSwVR+gt7+2a4ocA2bDfVatRygQm7D3AJX43vjV7ROw8iQkyInDFJvIfkLm+eaaqQ+QrPyjeYLap07h1nRNiDi68fcY=,iv:cDK670o8Fzkowb+SzfY4apqXThI1oOoXSNifxY3oQFA=,tag:OzlWtFulloz9o2MccN7+Mg==,type:str]
+    lastmodified: "2024-05-06T20:08:20Z"
+    mac: ENC[AES256_GCM,data:nNUo/+lJ9nApiaTpYDfkowCH+l/TqnRQY/U8W8uftPC40fZ/oqwS8/HDLyVVS4XBZQJfN0EggCQ8S4Ouqkvc8XMjvWq/BJRQ65hCZ+Hq3xQ5ZHM6egtd3PByQwOR24JpVxts7fnxbCkZGLCoxc6qEFCi7lRWU598VrqaiE9tFPg=,iv:ORNJiQwNhGQaF7noLpaC3iS/q6rVVEGlVNEiaUYBv3o=,tag:ZfLZU0lkqJVspFi/EX6MSw==,type:str]
     pgp:
         - created_at: "2024-04-21T13:39:09Z"
           enc: |-