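# NixOS module for nginx-sso (https://github.com/Luzifer/nginx-sso).
#
# The module renders `services.nginx.sso.configuration` to a YAML file at
# service start, substituting every `{ _secret = <path>; }` attribute with
# the contents of that file, and then launches nginx-sso against it.
{
  config,
  lib,
  pkgs,
  utils,
  ...
}:
let
  cfg = config.services.nginx.sso;
  format = pkgs.formats.yaml { };
  # Rendered on every start by ExecStartPre (see below). Lives inside the
  # unit's StateDirectory and holds the resolved secret values.
  configPath = "/var/lib/nginx-sso/config.yaml";
in
{
  options.services.nginx.sso = {
    enable = lib.mkEnableOption "nginx-sso service";

    package = lib.mkPackageOption pkgs "nginx-sso" { };

    configuration = lib.mkOption {
      type = format.type;
      default = { };
      example = lib.literalExpression ''
        {
          listen = { addr = "127.0.0.1"; port = 8080; };

          providers.token.tokens = {
            myuser = {
              _secret = "/path/to/secret/token.txt"; # File content should be the secret token
            };
          };

          acl = {
            rule_sets = [
              {
                rules = [ { field = "x-application"; equals = "MyApp"; } ];
                allow = [ "myuser" ];
              }
            ];
          };
        }
      '';
      description = ''
        nginx-sso configuration
        ([documentation](https://github.com/Luzifer/nginx-sso/wiki/Main-Configuration))
        as a Nix attribute set.

        Options containing secret data should be set to an attribute set
        with the singleton attribute `_secret` - a string value set to the path
        to the file containing the secret value which should be used in the
        configuration. This file must be readable by `nginx-sso`.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.nginx-sso = {
      description = "Nginx SSO Backend";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        StateDirectory = "nginx-sso";
        WorkingDirectory = "/var/lib/nginx-sso";
        # The rendered config embeds the resolved `_secret` values, so the
        # file must not be world-readable. StateDirectory is created with
        # systemd's default StateDirectoryMode (0755, i.e. world-traversable),
        # so rely on the unit's UMask rather than on the directory: with
        # 0077 the freshly created config.yaml is 0600 irrespective of the
        # umask handling inside the jq snippet (not visible from here).
        # UMask applies to ExecStartPre as well as ExecStart.
        UMask = "0077";
        # Runs as `User` (no `+` prefix), so every `_secret` file must be
        # readable by the nginx-sso user. Secrets are resolved only at start
        # time; a changed secret file takes effect on the next restart.
        ExecStartPre = pkgs.writeShellScript "merge-nginx-sso-config" ''
          # Drop any previous copy (or a symlink left at that path) so the
          # output is created as a new file with the current umask instead of
          # inheriting an existing inode's mode.
          rm -f '${configPath}'
          # Relies on YAML being a superset of JSON
          ${utils.genJqSecretsReplacementSnippet cfg.configuration configPath}
        '';
        ExecStart = ''
          ${lib.getExe cfg.package} \
            --config ${configPath} \
            --frontend-dir ${lib.getBin cfg.package}/share/frontend
        '';
        Restart = "always";
        User = "nginx-sso";
        Group = "nginx-sso";
        # NOTE(review): no systemd sandboxing (ProtectSystem, ProtectHome,
        # NoNewPrivileges, ...) is applied yet. Worth adding once it is
        # confirmed that nginx-sso only needs the network, its state
        # directory and read access to the `_secret` files — ProtectHome in
        # particular would break secrets stored under /home.
      };
    };

    # Dedicated unprivileged identity for the daemon; `isSystemUser` gives it
    # no home directory and no login shell.
    users.users.nginx-sso = {
      isSystemUser = true;
      group = "nginx-sso";
    };

    users.groups.nginx-sso = { };
  };
}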