chore: update oauth2_proxy service rename and kanidm update

hosts/sentinel/oauth2.nix

@@ -3,7 +3,7 @@
   nodes,
   ...
 }: {
-  meta.oauth2_proxy = {
+  meta.oauth2-proxy = {
     enable = true;
     cookieDomain = config.repo.secrets.global.domains.me;
     portalDomain = "oauth2.${config.repo.secrets.global.domains.me}";
@@ -13,7 +13,7 @@
   age.secrets.oauth2-cookie-secret = {
     rekeyFile = ./secrets/oauth2-cookie-secret.age;
     mode = "440";
-    group = "oauth2_proxy";
+    group = "oauth2-proxy";
   };
 
   # Mirror the original oauth2 secret, but prepend OAUTH2_PROXY_CLIENT_SECRET=
@@ -32,10 +32,10 @@
       ${decrypt} ${lib.escapeShellArg (lib.head deps).file}
     '';
     mode = "440";
-    group = "oauth2_proxy";
+    group = "oauth2-proxy";
   };
 
-  services.oauth2_proxy = let
+  services.oauth2-proxy = let
     clientId = "web-sentinel";
   in {
     provider = "oidc";
@@ -53,7 +53,7 @@
     };
   };
 
-  systemd.services.oauth2_proxy.serviceConfig.EnvironmentFile = [
+  systemd.services.oauth2-proxy.serviceConfig.EnvironmentFile = [
     config.age.secrets.oauth2-cookie-secret.path
     config.age.secrets.oauth2-client-secret.path
   ];

hosts/ward/guests/adguardhome.nix

@@ -9,7 +9,7 @@
 in {
   wireguard.proxy-sentinel = {
     client.via = "sentinel";
-    firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.adguardhome.settings.bind_port];
+    firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.adguardhome.settings.port];
   };
 
   nodes.sentinel = {
@@ -17,7 +17,7 @@ in {
 
     services.nginx = {
       upstreams.adguardhome = {
-        servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.adguardhome.settings.bind_port}" = {};
+        servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.adguardhome.settings.port}" = {};
         extraConfig = ''
           zone adguardhome 64k;
           keepalive 2;
@@ -55,8 +55,8 @@ in {
     # simpler sed dns.host_addr logic.
     mutableSettings = false;
     settings = {
-      bind_host = "0.0.0.0";
+      host = "0.0.0.0";
-      bind_port = 3000;
+      port = 3000;
       dns = {
         bind_hosts = [
           # This dummy address passes the configuration check and will

modules/config/users.nix

@@ -19,7 +19,7 @@
     kanidm = uidGid 990;
     loki = uidGid 989;
     vaultwarden = uidGid 988;
-    oauth2_proxy = uidGid 987;
+    oauth2-proxy = uidGid 987;
     influxdb2 = uidGid 986;
     telegraf = uidGid 985;
     rtkit = uidGid 984;

modules/oauth2-proxy.nix

@@ -14,9 +14,9 @@
     types
     ;
 
-  cfg = config.meta.oauth2_proxy;
+  cfg = config.meta.oauth2-proxy;
 in {
-  options.meta.oauth2_proxy = {
+  options.meta.oauth2-proxy = {
     enable = mkEnableOption "oauth2 proxy";
 
     cookieDomain = mkOption {
@@ -33,7 +33,7 @@ in {
   options.services.nginx.virtualHosts = mkOption {
     type = types.attrsOf (types.submodule ({config, ...}: {
       options.oauth2 = {
-        enable = mkEnableOption "access protection of this resource using oauth2_proxy.";
+        enable = mkEnableOption "access protection of this resource using oauth2-proxy.";
         allowedGroups = mkOption {
           type = types.listOf types.str;
           default = [];
@@ -44,9 +44,9 @@ in {
         };
       };
       config = mkIf config.oauth2.enable {
-        locations."/".extraConfig = ''
+        extraConfig = ''
           auth_request /oauth2/auth;
-          error_page 401 = /oauth2/sign_in;
+          error_page 401 = @redirectToAuth2ProxyLogin;
 
           # pass information via X-User and X-Email headers to backend,
           # requires running with --set-xauthrequest flag
@@ -60,20 +60,20 @@ in {
           add_header Set-Cookie $auth_cookie;
         '';
 
-        locations."/oauth2/" = {
+        locations."@redirectToAuth2ProxyLogin" = {
-          proxyPass = "http://oauth2_proxy";
+          return = "307 https://${cfg.portalDomain}/oauth2/start?rd=$scheme://$host$request_uri";
           extraConfig = ''
-            proxy_set_header X-Scheme                $scheme;
+            auth_request off;
-            proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
           '';
         };
 
         locations."= /oauth2/auth" = {
           proxyPass =
-            "http://oauth2_proxy/oauth2/auth"
+            "http://oauth2-proxy/oauth2/auth"
             + optionalString (config.oauth2.allowedGroups != [])
             "?allowed_groups=${concatStringsSep "," config.oauth2.allowedGroups}";
           extraConfig = ''
+            auth_request off;
             internal;
 
             proxy_set_header X-Scheme         $scheme;
@@ -87,9 +87,12 @@ in {
   };
 
   config = mkIf cfg.enable {
-    services.oauth2_proxy = {
+    services.oauth2-proxy = {
       enable = true;
 
+      # Needed to prevent evaluation error (should theoretically be fixed upstream...)
+      nginx.domain = "dummy";
+
       cookie.domain = ".${cfg.cookieDomain}";
       cookie.secure = true;
       # FIXME disabled because of errors. My closest guess is that this
@@ -100,7 +103,7 @@ in {
 
       clientSecret = mkDefault null;
       reverseProxy = true;
-      httpAddress = "unix:///run/oauth2_proxy/oauth2_proxy.sock";
+      httpAddress = "unix:///run/oauth2-proxy/oauth2-proxy.sock";
       redirectURL = "https://${cfg.portalDomain}/oauth2/callback";
       setXauthrequest = true;
 
@@ -116,20 +119,20 @@ in {
       };
     };
 
-    systemd.services.oauth2_proxy.serviceConfig = {
+    systemd.services.oauth2-proxy.serviceConfig = {
-      RuntimeDirectory = "oauth2_proxy";
+      RuntimeDirectory = "oauth2-proxy";
       RuntimeDirectoryMode = "0750";
       UMask = "007"; # TODO remove once https://github.com/oauth2-proxy/oauth2-proxy/issues/2141 is fixed
       RestartSec = "60"; # Retry every minute
     };
 
-    users.groups.oauth2_proxy.members = ["nginx"];
+    users.groups.oauth2-proxy.members = ["nginx"];
 
     services.nginx = {
-      upstreams.oauth2_proxy = {
+      upstreams.oauth2-proxy = {
-        servers."unix:/run/oauth2_proxy/oauth2_proxy.sock" = {};
+        servers."unix:/run/oauth2-proxy/oauth2-proxy.sock" = {};
         extraConfig = ''
-          zone oauth2_proxy 64k;
+          zone oauth2-proxy 64k;
           keepalive 2;
         '';
       };
@@ -138,7 +141,15 @@ in {
         forceSSL = true;
         useACMEWildcardHost = true;
         oauth2.enable = true;
-        locations."/".proxyPass = "http://oauth2_proxy";
+        locations."/".proxyPass = "http://oauth2-proxy";
+
+        locations."/oauth2/" = {
+          proxyPass = "http://oauth2-proxy";
+          extraConfig = ''
+            proxy_set_header X-Scheme                $scheme;
+            proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
+          '';
+        };
       };
     };
   };

pkgs/default.nix

@@ -8,8 +8,8 @@
       provisionSrc = prev.fetchFromGitHub {
         owner = "oddlama";
         repo = "kanidm-provision";
-        rev = "aa7a1c8ec04622745b385bd3b0462e1878f56b51";
+        rev = "v1.0.1";
-        hash = "sha256-NRolS3l2kARjkhWP7FYUG//KCEiueh48ZrADdCDb9Zg=";
+        hash = "sha256-tSr2I7bGEwJoC5C7BOmru2oh9ta04WVTz449KePYSK4=";
       };
     in {
       patches =

pkgs/kanidm-provision.nix

@@ -5,16 +5,16 @@
 }:
 rustPlatform.buildRustPackage rec {
   pname = "kanidm-provision";
-  version = "1.0.0";
+  version = "1.0.1";
 
   src = fetchFromGitHub {
     owner = "oddlama";
     repo = "kanidm-provision";
     rev = "v${version}";
-    hash = "sha256-T6kiBUdOMHCWRUF/vepoPrvaULDQrUGYsd/3I11HCLY=";
+    hash = "sha256-tSr2I7bGEwJoC5C7BOmru2oh9ta04WVTz449KePYSK4=";
   };
 
-  cargoHash = "sha256-nHp3C6szJxOogH/kETIqcQQNhFqBCO0P66j7n3UHuwo=";
+  cargoHash = "sha256-LRPpAIH+pXThS+HJ63kVbxMMoBgsky1nf99RWarX7/0=";
 
   meta = with lib; {
     description = "A small utility to help with kanidm provisioning";