# NixOS module: put selected nginx virtual hosts behind oauth2_proxy.
#
# Each listed vhost gets two oauth2 endpoints forwarded to the proxy
# (/oauth2/ and /oauth2/auth) and an auth_request gate on its "/" location.
{ config, lib, ... }:
let
  cfg = config.services.oauth2_proxy.nginx;
  proxyCfg = config.services.oauth2_proxy;

  # The oauth2_proxy service is switched on automatically only when there is
  # something to protect and the configured endpoint is a loopback address
  # (i.e. this module is expected to be running the proxy locally).
  autoEnableProxy =
    cfg.virtualHosts != [] && lib.hasPrefix "127.0.0.1:" cfg.proxy;

  # /oauth2/ : sign-in, callback and the other user-facing proxy endpoints.
  oauth2Location = {
    proxyPass = cfg.proxy;
    extraConfig = ''
      proxy_set_header X-Scheme $scheme;
      proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
    '';
  };

  # /oauth2/auth : subrequest target for auth_request; nginx forwards only
  # the headers of the original request, so the body is dropped explicitly.
  authLocation = {
    proxyPass = cfg.proxy;
    extraConfig = ''
      proxy_set_header X-Scheme $scheme;
      # nginx auth_request includes headers but not body
      proxy_set_header Content-Length "";
      proxy_pass_request_body off;
    '';
  };

  # Gate for the "/" location. Note that only "/" receives the auth_request
  # directive here: any other location the same vhost declares elsewhere is
  # not covered by this module and needs its own auth_request if it must be
  # protected. The X-User / X-Email values handed to the backend are taken
  # from the proxy's auth subrequest response, not from the client request.
  rootLocationConfig = ''
    auth_request /oauth2/auth;
    error_page 401 = /oauth2/sign_in;

    # pass information via X-User and X-Email headers to backend,
    # requires running with --set-xauthrequest flag
    auth_request_set $user $upstream_http_x_auth_request_user;
    auth_request_set $email $upstream_http_x_auth_request_email;
    proxy_set_header X-User $user;
    proxy_set_header X-Email $email;

    # if you enabled --cookie-refresh, this is needed for it to work with auth_request
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;
  '';

  # nginx configuration fragment for one protected virtual host.
  protectVhost = vhost: {
    virtualHosts.${vhost} = {
      locations."/oauth2/" = oauth2Location;
      locations."/oauth2/auth" = authLocation;
      locations."/".extraConfig = rootLocationConfig;
    };
  };
in
{
  options.services.oauth2_proxy.nginx = {
    proxy = lib.mkOption {
      type = lib.types.str;
      default = proxyCfg.httpAddress;
      defaultText = lib.literalExpression "config.services.oauth2_proxy.httpAddress";
      description = lib.mdDoc ''
        The address of the reverse proxy endpoint for oauth2_proxy
      '';
    };

    virtualHosts = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [];
      description = lib.mdDoc ''
        A list of nginx virtual hosts to put behind the oauth2 proxy
      '';
    };
  };

  config.services.oauth2_proxy = lib.mkIf autoEnableProxy {
    enable = true;
  };

  config.services.nginx = lib.mkIf proxyCfg.enable (lib.mkMerge (
    # needed because duplicate headers
    lib.optional (cfg.virtualHosts != []) { recommendedProxySettings = true; }
    ++ map protectVhost cfg.virtualHosts
  ));
}