mirrors_public/oddlama_nix-config
1
1
Fork 1
mirror of https://github.com/oddlama/nix-config.git synced 2025-10-11 07:10:39 +02:00
Code Activity

chore: format everything

Browse source
This commit is contained in:
oddlama 2024-11-26 13:34:55 +01:00
parent deca311c68
commit 7ccd7856ee
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
162 changed files with 4750 additions and 3718 deletions
Download patch file Download diff file Expand all files Collapse all files

171
modules/oauth2-proxy.nix
View file

@ -2,9 +2,9 @@
lib,
config,
...
}: let
inherit
(lib)
}:
let
inherit (lib)
concatStringsSep
mkDefault
mkEnableOption
@ -15,7 +15,8 @@
;
cfg = config.meta.oauth2-proxy;
in {
in
{
options.meta.oauth2-proxy = {
enable = mkEnableOption "oauth2 proxy";
@ -31,85 +32,93 @@ in {
};
options.services.nginx.virtualHosts = mkOption {
type = types.attrsOf (types.submodule ({config, ...}: {
options.oauth2 = {
enable = mkEnableOption "access protection of this resource using oauth2-proxy.";
allowedGroups = mkOption {
type = types.listOf types.str;
default = [];
description = ''
A list of groups that are allowed to access this resource, or the
empty list to allow any authenticated client.
'';
};
X-User = mkOption {
type = types.str;
default = "$upstream_http_x_auth_request_preferred_username";
description = "The variable to set as X-User";
};
X-Email = mkOption {
type = types.str;
default = "$upstream_http_x_auth_request_email";
description = "The variable to set as X-User";
};
};
options.locations = mkOption {
type = types.attrsOf (types.submodule (locationSubmod: {
options.setOauth2Headers = mkOption {
type = types.bool;
default = true;
description = "Whether to add oauth2 specific headers to this location. Only takes effect is oauth2 is actually enabled on the parent vhost.";
type = types.attrsOf (
types.submodule (
{ config, ... }:
{
options.oauth2 = {
enable = mkEnableOption "access protection of this resource using oauth2-proxy.";
allowedGroups = mkOption {
type = types.listOf types.str;
default = [ ];
description = ''
A list of groups that are allowed to access this resource, or the
empty list to allow any authenticated client.
'';
};
X-User = mkOption {
type = types.str;
default = "$upstream_http_x_auth_request_preferred_username";
description = "The variable to set as X-User";
};
X-Email = mkOption {
type = types.str;
default = "$upstream_http_x_auth_request_email";
description = "The variable to set as X-User";
};
};
config = mkIf (config.oauth2.enable && locationSubmod.config.setOauth2Headers) {
options.locations = mkOption {
type = types.attrsOf (
types.submodule (locationSubmod: {
options.setOauth2Headers = mkOption {
type = types.bool;
default = true;
description = "Whether to add oauth2 specific headers to this location. Only takes effect is oauth2 is actually enabled on the parent vhost.";
};
config = mkIf (config.oauth2.enable && locationSubmod.config.setOauth2Headers) {
extraConfig = ''
proxy_set_header X-User $user;
proxy_set_header X-Email $email;
add_header Set-Cookie $auth_cookie;
'';
};
})
);
};
config = mkIf config.oauth2.enable {
extraConfig = ''
proxy_set_header X-User $user;
proxy_set_header X-Email $email;
add_header Set-Cookie $auth_cookie;
auth_request /oauth2/auth;
error_page 401 = @redirectToAuth2ProxyLogin;
# set variables that can be used in locations.<name>.extraConfig
# pass information via X-User and X-Email headers to backend,
# requires running with --set-xauthrequest flag
auth_request_set $user ${config.oauth2.X-User};
auth_request_set $email ${config.oauth2.X-Email};
# if you enabled --cookie-refresh, this is needed for it to work with auth_request
auth_request_set $auth_cookie $upstream_http_set_cookie;
'';
locations."@redirectToAuth2ProxyLogin" = {
# FIXME: allow referring to another node for the portaldomain
setOauth2Headers = false;
return = "307 https://${cfg.portalDomain}/oauth2/start?rd=$scheme://$host$request_uri";
extraConfig = ''
auth_request off;
'';
};
locations."= /oauth2/auth" = {
setOauth2Headers = false;
proxyPass =
"http://oauth2-proxy/oauth2/auth"
+ optionalString (
config.oauth2.allowedGroups != [ ]
) "?allowed_groups=${concatStringsSep "," config.oauth2.allowedGroups}";
extraConfig = ''
auth_request off;
internal;
proxy_set_header X-Scheme $scheme;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
'';
};
};
}));
};
config = mkIf config.oauth2.enable {
extraConfig = ''
auth_request /oauth2/auth;
error_page 401 = @redirectToAuth2ProxyLogin;
# set variables that can be used in locations.<name>.extraConfig
# pass information via X-User and X-Email headers to backend,
# requires running with --set-xauthrequest flag
auth_request_set $user ${config.oauth2.X-User};
auth_request_set $email ${config.oauth2.X-Email};
# if you enabled --cookie-refresh, this is needed for it to work with auth_request
auth_request_set $auth_cookie $upstream_http_set_cookie;
'';
locations."@redirectToAuth2ProxyLogin" = {
# FIXME: allow referring to another node for the portaldomain
setOauth2Headers = false;
return = "307 https://${cfg.portalDomain}/oauth2/start?rd=$scheme://$host$request_uri";
extraConfig = ''
auth_request off;
'';
};
locations."= /oauth2/auth" = {
setOauth2Headers = false;
proxyPass =
"http://oauth2-proxy/oauth2/auth"
+ optionalString (config.oauth2.allowedGroups != [])
"?allowed_groups=${concatStringsSep "," config.oauth2.allowedGroups}";
extraConfig = ''
auth_request off;
internal;
proxy_set_header X-Scheme $scheme;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
'';
};
};
}));
}
)
);
};
config = mkIf cfg.enable {
@ -149,11 +158,11 @@ in {
RestartSec = "60"; # Retry every minute
};
users.groups.oauth2-proxy.members = ["nginx"];
users.groups.oauth2-proxy.members = [ "nginx" ];
services.nginx = {
upstreams.oauth2-proxy = {
servers."unix:/run/oauth2-proxy/oauth2-proxy.sock" = {};
servers."unix:/run/oauth2-proxy/oauth2-proxy.sock" = { };
extraConfig = ''
zone oauth2-proxy 64k;
keepalive 2;