mirror of
https://github.com/oddlama/nix-config.git
synced 2025-10-10 14:50:40 +02:00
187 lines
6.1 KiB
Nix
187 lines
6.1 KiB
Nix
{
|
|
lib,
|
|
config,
|
|
...
|
|
}:
|
|
let
|
|
inherit (lib)
|
|
concatStringsSep
|
|
mkDefault
|
|
mkEnableOption
|
|
mkIf
|
|
mkOption
|
|
optionalString
|
|
types
|
|
;
|
|
|
|
cfg = config.meta.oauth2-proxy;
|
|
in
|
|
{
|
|
options.meta.oauth2-proxy = {
|
|
enable = mkEnableOption "oauth2 proxy";
|
|
|
|
cookieDomain = mkOption {
|
|
type = types.str;
|
|
description = "The domain under which to store the credential cookie, and to which redirects will be allowed.";
|
|
};
|
|
|
|
portalDomain = mkOption {
|
|
type = types.str;
|
|
description = "A domain on which to setup the oauth2 callback.";
|
|
};
|
|
};
|
|
|
|
options.services.nginx.virtualHosts = mkOption {
|
|
type = types.attrsOf (
|
|
types.submodule (
|
|
{ config, ... }:
|
|
{
|
|
options.oauth2 = {
|
|
enable = mkEnableOption "access protection of this resource using oauth2-proxy.";
|
|
allowedGroups = mkOption {
|
|
type = types.listOf types.str;
|
|
default = [ ];
|
|
description = ''
|
|
A list of groups that are allowed to access this resource, or the
|
|
empty list to allow any authenticated client.
|
|
'';
|
|
};
|
|
X-User = mkOption {
|
|
type = types.str;
|
|
default = "$upstream_http_x_auth_request_preferred_username";
|
|
description = "The variable to set as X-User";
|
|
};
|
|
X-Email = mkOption {
|
|
type = types.str;
|
|
default = "$upstream_http_x_auth_request_email";
|
|
description = "The variable to set as X-User";
|
|
};
|
|
};
|
|
options.locations = mkOption {
|
|
type = types.attrsOf (
|
|
types.submodule (locationSubmod: {
|
|
options.setOauth2Headers = mkOption {
|
|
type = types.bool;
|
|
default = true;
|
|
description = "Whether to add oauth2 specific headers to this location. Only takes effect is oauth2 is actually enabled on the parent vhost.";
|
|
};
|
|
config = mkIf (config.oauth2.enable && locationSubmod.config.setOauth2Headers) {
|
|
extraConfig = ''
|
|
proxy_set_header X-User $user;
|
|
proxy_set_header X-Email $email;
|
|
add_header Set-Cookie $auth_cookie;
|
|
'';
|
|
};
|
|
})
|
|
);
|
|
};
|
|
config = mkIf config.oauth2.enable {
|
|
extraConfig = ''
|
|
auth_request /oauth2/auth;
|
|
error_page 401 = @redirectToAuth2ProxyLogin;
|
|
|
|
# set variables that can be used in locations.<name>.extraConfig
|
|
# pass information via X-User and X-Email headers to backend,
|
|
# requires running with --set-xauthrequest flag
|
|
auth_request_set $user ${config.oauth2.X-User};
|
|
auth_request_set $email ${config.oauth2.X-Email};
|
|
# if you enabled --cookie-refresh, this is needed for it to work with auth_request
|
|
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
|
'';
|
|
|
|
locations."@redirectToAuth2ProxyLogin" = {
|
|
# FIXME: allow referring to another node for the portaldomain
|
|
setOauth2Headers = false;
|
|
return = "307 https://${cfg.portalDomain}/oauth2/start?rd=$scheme://$host$request_uri";
|
|
extraConfig = ''
|
|
auth_request off;
|
|
'';
|
|
};
|
|
|
|
locations."= /oauth2/auth" = {
|
|
setOauth2Headers = false;
|
|
proxyPass =
|
|
"http://oauth2-proxy/oauth2/auth"
|
|
+ optionalString (
|
|
config.oauth2.allowedGroups != [ ]
|
|
) "?allowed_groups=${concatStringsSep "," config.oauth2.allowedGroups}";
|
|
extraConfig = ''
|
|
auth_request off;
|
|
internal;
|
|
|
|
proxy_set_header X-Scheme $scheme;
|
|
# nginx auth_request includes headers but not body
|
|
proxy_set_header Content-Length "";
|
|
proxy_pass_request_body off;
|
|
'';
|
|
};
|
|
};
|
|
}
|
|
)
|
|
);
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
services.oauth2-proxy = {
|
|
enable = true;
|
|
|
|
cookie.domain = ".${cfg.cookieDomain}";
|
|
cookie.secure = true;
|
|
# FIXME disabled because of errors. My closest guess is that this
|
|
# reuses refresh tokens but kanidm forbids that. Not sure though.
|
|
#cookie.refresh = "5m";
|
|
cookie.expire = "30m";
|
|
cookie.secret = mkDefault null;
|
|
|
|
clientSecret = mkDefault null;
|
|
reverseProxy = true;
|
|
httpAddress = "unix:///run/oauth2-proxy/oauth2-proxy.sock";
|
|
redirectURL = "https://${cfg.portalDomain}/oauth2/callback";
|
|
setXauthrequest = true;
|
|
|
|
extraConfig = {
|
|
# Enable PKCE
|
|
code-challenge-method = "S256";
|
|
# Share the cookie with all subpages
|
|
whitelist-domain = ".${cfg.cookieDomain}";
|
|
set-authorization-header = true;
|
|
pass-access-token = true;
|
|
skip-jwt-bearer-tokens = true;
|
|
upstream = "static://202";
|
|
};
|
|
};
|
|
|
|
systemd.services.oauth2-proxy.serviceConfig = {
|
|
RuntimeDirectory = "oauth2-proxy";
|
|
RuntimeDirectoryMode = "0750";
|
|
UMask = "007"; # TODO remove once https://github.com/oauth2-proxy/oauth2-proxy/issues/2141 is fixed
|
|
RestartSec = "60"; # Retry every minute
|
|
};
|
|
|
|
users.groups.oauth2-proxy.members = [ "nginx" ];
|
|
|
|
services.nginx = {
|
|
upstreams.oauth2-proxy = {
|
|
servers."unix:/run/oauth2-proxy/oauth2-proxy.sock" = { };
|
|
extraConfig = ''
|
|
zone oauth2-proxy 64k;
|
|
keepalive 2;
|
|
'';
|
|
};
|
|
|
|
virtualHosts.${cfg.portalDomain} = {
|
|
forceSSL = true;
|
|
useACMEWildcardHost = true;
|
|
locations."/".proxyPass = "http://oauth2-proxy";
|
|
|
|
locations."/oauth2/" = {
|
|
proxyPass = "http://oauth2-proxy";
|
|
extraConfig = ''
|
|
proxy_set_header X-Scheme $scheme;
|
|
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
};
|
|
}
|