szalotka: put listmonk admin behind auth proxy

2025-02-09 13:35:02 +01:00 · 2025-02-09 13:35:02 +01:00 · f8e67e81eb
parent d887567e3b
commit f8e67e81eb
2 changed files with 73 additions and 4 deletions
--- a/authentik.nix
+++ b/authentik.nix
@ -66,6 +66,16 @@ in {
        "/var/secrets/authentik-ldap"
      ];
    };
+    authentik-proxy = {
+      image = "ghcr.io/goauthentik/proxy:2024.12.2";
+      ports = [ "10.88.0.1:9002:9000" ];
+      environment = {
+        AUTHENTIK_HOST = "https://auth.orga.cebula.camp";
+      };
+      environmentFiles = [
+        "/var/secrets/authentik-proxy"
+      ];
+    };
  };
  services.nginx.virtualHosts."auth.orga.cebula.camp" = {
    forceSSL = true;
--- a/listmonk.nix
+++ b/listmonk.nix
@ -1,16 +1,75 @@
-{ pkgs, config, ... }: {
+{ pkgs, config, ... }:
+
+let 
+  public = {
+    proxyPass = "http://localhost:9003";
+  };
+  admin = public // {
+    # ref: https://docs.goauthentik.io/docs/add-secure-apps/providers/proxy/server_nginx
+    extraConfig = ''
+      auth_request /outpost.goauthentik.io/auth/nginx;
+      error_page 401 = @goauthentik_proxy_signin;
+      auth_request_set $auth_cookie $upstream_http_set_cookie;
+      add_header Set-Cookie $auth_cookie;
+
+      # translate headers from the outposts back to the actual upstream
+      auth_request_set $authentik_username $upstream_http_x_authentik_username;
+      auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
+      auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements;
+      auth_request_set $authentik_email $upstream_http_x_authentik_email;
+      auth_request_set $authentik_name $upstream_http_x_authentik_name;
+      auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
+
+      proxy_set_header X-authentik-username $authentik_username;
+      proxy_set_header X-authentik-groups $authentik_groups;
+      proxy_set_header X-authentik-entitlements $authentik_entitlements;
+      proxy_set_header X-authentik-email $authentik_email;
+      proxy_set_header X-authentik-name $authentik_name;
+      proxy_set_header X-authentik-uid $authentik_uid;
+    '';
+  };
+in {

  services.listmonk = {
    enable = true;
    database.createLocally = true;
-    settings.app.address = "127.0.0.1:9002";
+    settings.app.address = "127.0.0.1:9003";
  };

  services.nginx.virtualHosts."news.cebula.camp" = {
    forceSSL = true;
    enableACME = true;
-    locations."/" = {
-      proxyPass = "http://localhost:9002";
+
+    # ref: https://listmonk.app/docs/configuration/#http-routes
+    locations."/subscription/" = public;
+    locations."/link/" = public;
+    locations."/campaign/" = public;
+    locations."/public/" = public;
+    locations."/webhooks/service/" = public;
+    locations."/uploads/" = public;
+
+    locations."/api/" = admin;
+    locations."/admin/" = admin;
+    locations."/webhooks/bounce" = admin;
+
+    # ref: https://docs.goauthentik.io/docs/add-secure-apps/providers/proxy/server_nginx
+    locations."/outpost.goauthentik.io" = {
+      extraConfig = ''
+        proxy_pass http://10.88.0.1:9002;
+        proxy_set_header Host $host;
+        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+        add_header Set-Cookie $auth_cookie;
+        auth_request_set $auth_cookie $upstream_http_set_cookie;
+        proxy_pass_request_body off;
+        proxy_set_header Content-Length "";
+      '';
+    };
+    locations."@goauthentik_proxy_signin" = {
+      extraConfig = ''
+        internal;
+        add_header Set-Cookie $auth_cookie;
+        return 302 /outpost.goauthentik.io/start?rd=$request_uri;
+      '';
    };
  };
 }