refactor: move modules to common folder since separation was unsound

2025-10-11 07:10:39 +02:00 · 2023-12-17 17:31:52 +01:00 · 2023-12-17 17:31:52 +01:00 · 558f67ee7d
commit 558f67ee7d
parent 32ce7fe25d
16 changed files with 15 additions and 22 deletions
--- a/modules/oauth2-proxy.nix
+++ b/modules/oauth2-proxy.nix
@ -0,0 +1,146 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  inherit
+    (lib)
+    concatStringsSep
+    mdDoc
+    mkDefault
+    mkEnableOption
+    mkIf
+    mkOption
+    optionalString
+    types
+    ;
+
+  cfg = config.meta.oauth2_proxy;
+in {
+  options.meta.oauth2_proxy = {
+    enable = mkEnableOption (mdDoc "oauth2 proxy");
+
+    cookieDomain = mkOption {
+      type = types.str;
+      description = mdDoc "The domain under which to store the credential cookie, and to which redirects will be allowed.";
+    };
+
+    portalDomain = mkOption {
+      type = types.str;
+      description = mdDoc "A domain on which to setup the oauth2 callback.";
+    };
+  };
+
+  options.services.nginx.virtualHosts = mkOption {
+    type = types.attrsOf (types.submodule ({config, ...}: {
+      options.oauth2 = {
+        enable = mkEnableOption (mdDoc "access protection of this resource using oauth2_proxy.");
+        allowedGroups = mkOption {
+          type = types.listOf types.str;
+          default = [];
+          description = mdDoc ''
+            A list of groups that are allowed to access this resource, or the
+            empty list to allow any authenticated client.
+          '';
+        };
+      };
+      config = mkIf config.oauth2.enable {
+        locations."/".extraConfig = ''
+          auth_request /oauth2/auth;
+          error_page 401 = /oauth2/sign_in;
+
+          # pass information via X-User and X-Email headers to backend,
+          # requires running with --set-xauthrequest flag
+          auth_request_set $user   $upstream_http_x_auth_request_user;
+          auth_request_set $email  $upstream_http_x_auth_request_email;
+          proxy_set_header X-User  $user;
+          proxy_set_header X-Email $email;
+
+          # if you enabled --cookie-refresh, this is needed for it to work with auth_request
+          auth_request_set $auth_cookie $upstream_http_set_cookie;
+          add_header Set-Cookie $auth_cookie;
+        '';
+
+        locations."/oauth2/" = {
+          proxyPass = "http://oauth2_proxy";
+          extraConfig = ''
+            proxy_set_header X-Scheme                $scheme;
+            proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
+          '';
+        };
+
+        locations."= /oauth2/auth" = {
+          proxyPass =
+            "http://oauth2_proxy/oauth2/auth"
+            + optionalString (config.oauth2.allowedGroups != [])
+            "?allowed_groups=${concatStringsSep "," config.oauth2.allowedGroups}";
+          extraConfig = ''
+            internal;
+
+            proxy_set_header X-Scheme         $scheme;
+            # nginx auth_request includes headers but not body
+            proxy_set_header Content-Length   "";
+            proxy_pass_request_body           off;
+          '';
+        };
+      };
+    }));
+  };
+
+  config = mkIf cfg.enable {
+    services.oauth2_proxy = {
+      enable = true;
+
+      cookie.domain = ".${cfg.cookieDomain}";
+      cookie.secure = true;
+      # FIXME disabled because of errors. My closest guess is that this
+      # reuses refresh tokens but kanidm forbids that. Not sure though.
+      #cookie.refresh = "5m";
+      cookie.expire = "30m";
+      cookie.secret = mkDefault null;
+
+      clientSecret = mkDefault null;
+      reverseProxy = true;
+      httpAddress = "unix:///run/oauth2_proxy/oauth2_proxy.sock";
+      redirectURL = "https://${cfg.portalDomain}/oauth2/callback";
+      setXauthrequest = true;
+
+      extraConfig = {
+        # Enable PKCE
+        code-challenge-method = "S256";
+        # Share the cookie with all subpages
+        whitelist-domain = ".${cfg.cookieDomain}";
+        set-authorization-header = true;
+        pass-access-token = true;
+        skip-jwt-bearer-tokens = true;
+        upstream = "static://202";
+      };
+    };
+
+    systemd.services.oauth2_proxy.serviceConfig = {
+      RuntimeDirectory = "oauth2_proxy";
+      RuntimeDirectoryMode = "0750";
+      UMask = "007"; # TODO remove once https://github.com/oauth2-proxy/oauth2-proxy/issues/2141 is fixed
+      RestartSec = "600"; # Retry every 10 minutes
+    };
+
+    users.groups.oauth2_proxy.members = ["nginx"];
+
+    services.nginx = {
+      upstreams.oauth2_proxy = {
+        servers."unix:/run/oauth2_proxy/oauth2_proxy.sock" = {};
+        extraConfig = ''
+          zone oauth2_proxy 64k;
+          keepalive 2;
+        '';
+      };
+
+      virtualHosts.${cfg.portalDomain} = {
+        forceSSL = true;
+        useACMEWildcardHost = true;
+        oauth2.enable = true;
+        locations."/".proxyPass = "http://oauth2_proxy";
+      };
+    };
+  };
+}