sokai/mynixos-config
1
1
Fork 0
forked from mirrors_public/oddlama_nix-config
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: promote oauth proxy config to a nginx virtualHosts option

Browse source
This commit is contained in:
oddlama 2023-06-22 02:55:22 +02:00
parent a092a5a846
commit 71dbda6262
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
8 changed files with 136 additions and 98 deletions
Download patch file Download diff file Expand all files Collapse all files

178
modules/oauth2-proxy.nix
View file

@ -37,13 +37,24 @@ in {
nginx.virtualHosts = mkOption {
default = {};
description = mdDoc ''
Access to all virtualHostst that have an entry here will be put behind
the oauth2 proxy, requiring authentication before users can access the resource.
Also set `allowedGroups` for granuar access control.
'';
type = types.attrsOf (types.submodule {
options.allowedGroups = mkOption {
description =
mdDoc ''
'';
type =
types.attrsOf (types.submodule {
});
};
};
options.services.nginx.virtualHosts = mkOption {
type = types.attrsOf (types.submodule ({
name,
config,
...
}: {
options.oauth2 = {
enable = mkEnableOption (mdDoc "access protection of this resource using oauth2_proxy.");
allowedGroups = mkOption {
type = types.listOf types.str;
default = [];
description = mdDoc ''
@ -51,21 +62,73 @@ in {
empty list to allow any authenticated client.
'';
};
});
};
};
config = mkIf config.oauth2.enable {
locations."/".extraConfig = ''
auth_request /oauth2/auth;
error_page 401 = /oauth2/sign_in;
# pass information via X-User and X-Email headers to backend,
# requires running with --set-xauthrequest flag
auth_request_set $user $upstream_http_x_auth_request_user;
auth_request_set $email $upstream_http_x_auth_request_email;
proxy_set_header X-User $user;
proxy_set_header X-Email $email;
# if you enabled --cookie-refresh, this is needed for it to work with auth_request
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
'';
locations."/oauth2/" = {
proxyPass = "https://${cfg.authProxyDomain}";
extraConfig = ''
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
'';
};
locations."= /oauth2/auth" = {
proxyPass =
"https://${cfg.authProxyDomain}"
+ optionalString (config.oauth2.allowedGroups != [])
"?allowed_groups=${concatStringsSep "," config.oauth2.allowedGroups}";
extraConfig = ''
internal;
proxy_set_header X-Scheme $scheme;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
'';
};
};
}));
};
config = mkIf cfg.enable {
services.oauth2_proxy = {
enable = true;
cookie.domain = ".${cfg.cookieDomain}";
cookie.secure = true;
cookie.httpOnly = false;
cookie.refresh = "5m";
cookie.expire = "30m";
reverseProxy = true;
httpAddress = "unix:///run/oauth2_proxy/oauth2_proxy.sock";
# Share the cookie with all subpages
extraConfig.whitelist-domain = ".${cfg.cookieDomain}";
setXauthrequest = true;
extraConfig = {
# Share the cookie with all subpages
whitelist-domain = ".${cfg.cookieDomain}";
set-authorization-header = true;
pass-access-token = true;
skip-jwt-bearer-tokens = true;
upstream = "static://202";
# TODO allowed group?
};
};
systemd.services.oauth2_proxy.serviceConfig = {
@ -84,78 +147,33 @@ in {
'';
};
virtualHosts =
{
${cfg.authProxyDomain} = {
forceSSL = true;
useACMEHost = config.lib.extra.matchingWildcardCert cfg.authProxyDomain;
virtualHosts.${cfg.authProxyDomain} = {
forceSSL = true;
useACMEHost = config.lib.extra.matchingWildcardCert cfg.authProxyDomain;
locations."/".extraConfig = ''
deny all;
return 404;
'';
locations."/".extraConfig = ''
deny all;
return 404;
'';
locations."/oauth2/" = {
proxyPass = "http://oauth2_proxy";
extraConfig = ''
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
'';
};
locations."= /oauth2/auth" = {
proxyPass = "http://oauth2_proxy";
extraConfig = ''
proxy_set_header X-Scheme $scheme;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
'';
};
};
}
// flip mapAttrs cfg.nginx.virtualHosts
(vhost: vhostCfg: let
authQuery =
optionalString (vhostCfg.allowedGroups != [])
"?allowed_groups=${concatStringsSep "," vhostCfg.allowedGroups}";
in {
locations."/".extraConfig = ''
auth_request /oauth2/auth;
error_page 401 = /oauth2/sign_in;
# pass information via X-User and X-Email headers to backend,
# requires running with --set-xauthrequest flag
auth_request_set $user $upstream_http_x_auth_request_user;
auth_request_set $email $upstream_http_x_auth_request_email;
proxy_set_header X-User $user;
proxy_set_header X-Email $email;
# if you enabled --cookie-refresh, this is needed for it to work with auth_request
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
locations."/oauth2/" = {
proxyPass = "http://oauth2_proxy";
extraConfig = ''
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
'';
};
locations."/oauth2/" = {
proxyPass = "https://${cfg.authProxyDomain}";
extraConfig = ''
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
'';
};
locations."= /oauth2/auth" = {
proxyPass = "https://${cfg.authProxyDomain}${authQuery}";
extraConfig = ''
internal;
proxy_set_header X-Scheme $scheme;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
'';
};
});
locations."= /oauth2/auth" = {
proxyPass = "http://oauth2_proxy";
extraConfig = ''
proxy_set_header X-Scheme $scheme;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
'';
};
};
};
};
}