From f8e67e81ebdda41bb8cec39c625819ce1bdebf10 Mon Sep 17 00:00:00 2001
From: Serge Bazanski <q3k@q3k.org>
Date: Sun, 9 Feb 2025 13:35:02 +0100
Subject: [PATCH] szalotka: put listmonk admin behind auth proxy

---
 authentik.nix | 10 ++++++++
 listmonk.nix  | 67 ++++++++++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 73 insertions(+), 4 deletions(-)

diff --git a/authentik.nix b/authentik.nix
index c147b29..d6f208c 100644
--- a/authentik.nix
+++ b/authentik.nix
@@ -66,6 +66,16 @@ in {
         "/var/secrets/authentik-ldap"
       ];
     };
+    authentik-proxy = {
+      image = "ghcr.io/goauthentik/proxy:2024.12.2";
+      ports = [ "10.88.0.1:9002:9000" ];
+      environment = {
+        AUTHENTIK_HOST = "https://auth.orga.cebula.camp";
+      };
+      environmentFiles = [
+        "/var/secrets/authentik-proxy"
+      ];
+    };
   };
   services.nginx.virtualHosts."auth.orga.cebula.camp" = {
     forceSSL = true;
diff --git a/listmonk.nix b/listmonk.nix
index 8affcc7..24196fa 100644
--- a/listmonk.nix
+++ b/listmonk.nix
@@ -1,16 +1,75 @@
-{ pkgs, config, ... }: {
+{ pkgs, config, ... }:
+
+let 
+  public = {
+    proxyPass = "http://localhost:9003";
+  };
+  admin = public // {
+    # ref: https://docs.goauthentik.io/docs/add-secure-apps/providers/proxy/server_nginx
+    extraConfig = ''
+      auth_request /outpost.goauthentik.io/auth/nginx;
+      error_page 401 = @goauthentik_proxy_signin;
+      auth_request_set $auth_cookie $upstream_http_set_cookie;
+      add_header Set-Cookie $auth_cookie;
+
+      # translate headers from the outposts back to the actual upstream
+      auth_request_set $authentik_username $upstream_http_x_authentik_username;
+      auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
+      auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements;
+      auth_request_set $authentik_email $upstream_http_x_authentik_email;
+      auth_request_set $authentik_name $upstream_http_x_authentik_name;
+      auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
+
+      proxy_set_header X-authentik-username $authentik_username;
+      proxy_set_header X-authentik-groups $authentik_groups;
+      proxy_set_header X-authentik-entitlements $authentik_entitlements;
+      proxy_set_header X-authentik-email $authentik_email;
+      proxy_set_header X-authentik-name $authentik_name;
+      proxy_set_header X-authentik-uid $authentik_uid;
+    '';
+  };
+in {
 
   services.listmonk = {
     enable = true;
     database.createLocally = true;
-    settings.app.address = "127.0.0.1:9002";
+    settings.app.address = "127.0.0.1:9003";
   };
 
   services.nginx.virtualHosts."news.cebula.camp" = {
     forceSSL = true;
     enableACME = true;
-    locations."/" = {
-      proxyPass = "http://localhost:9002";
+
+    # ref: https://listmonk.app/docs/configuration/#http-routes
+    locations."/subscription/" = public;
+    locations."/link/" = public;
+    locations."/campaign/" = public;
+    locations."/public/" = public;
+    locations."/webhooks/service/" = public;
+    locations."/uploads/" = public;
+
+    locations."/api/" = admin;
+    locations."/admin/" = admin;
+    locations."/webhooks/bounce" = admin;
+
+    # ref: https://docs.goauthentik.io/docs/add-secure-apps/providers/proxy/server_nginx
+    locations."/outpost.goauthentik.io" = {
+      extraConfig = ''
+        proxy_pass http://10.88.0.1:9002;
+        proxy_set_header Host $host;
+        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+        add_header Set-Cookie $auth_cookie;
+        auth_request_set $auth_cookie $upstream_http_set_cookie;
+        proxy_pass_request_body off;
+        proxy_set_header Content-Length "";
+      '';
+    };
+    locations."@goauthentik_proxy_signin" = {
+      extraConfig = ''
+        internal;
+        add_header Set-Cookie $auth_cookie;
+        return 302 /outpost.goauthentik.io/start?rd=$request_uri;
+      '';
     };
   };
 }