···
1
-
# NixOS module for oauth2_proxy.
{ config, lib, pkgs, ... }:
7
-
cfg = config.services.oauth2_proxy;
4
+
cfg = config.services.oauth2-proxy;
9
-
# oauth2_proxy provides many options that are only relevant if you are using
6
+
# oauth2-proxy provides many options that are only relevant if you are using
# a certain provider. This set maps from provider name to a function that
# takes the configuration and returns a string that can be inserted into the
12
-
# command-line to launch oauth2_proxy.
9
+
# command-line to launch oauth2-proxy.
providerSpecificOptions = {
azure-tenant = cfg.azure.tenant;
···
} // (getProviderOptions cfg cfg.provider) // cfg.extraConfig;
76
-
optionalString (attr != null && attr != []) (
77
-
if isDerivation attr then mapConfig key (toString attr) else
78
-
if (builtins.typeOf attr) == "set" then concatStringsSep " "
79
-
(mapAttrsToList (name: value: mapConfig (key + "-" + name) value) attr) else
80
-
if (builtins.typeOf attr) == "list" then concatMapStringsSep " " (mapConfig key) attr else
81
-
if (builtins.typeOf attr) == "bool" then "--${key}=${boolToString attr}" else
73
+
lib.optionalString (attr != null && attr != []) (
74
+
if lib.isDerivation attr then mapConfig key (toString attr) else
75
+
if (builtins.typeOf attr) == "set" then lib.concatStringsSep " "
76
+
(lib.mapAttrsToList (name: value: mapConfig (key + "-" + name) value) attr) else
77
+
if (builtins.typeOf attr) == "list" then lib.concatMapStringsSep " " (mapConfig key) attr else
78
+
if (builtins.typeOf attr) == "bool" then "--${key}=${lib.boolToString attr}" else
if (builtins.typeOf attr) == "string" then "--${key}='${attr}'" else
"--${key}=${toString attr}");
85
-
configString = concatStringsSep " " (mapAttrsToList mapConfig allConfig);
82
+
configString = lib.concatStringsSep " " (lib.mapAttrsToList mapConfig allConfig);
88
-
options.services.oauth2_proxy = {
89
-
enable = mkEnableOption "oauth2_proxy";
85
+
options.services.oauth2-proxy = {
86
+
enable = lib.mkEnableOption "oauth2-proxy";
91
-
package = mkPackageOption pkgs "oauth2-proxy" { };
88
+
package = lib.mkPackageOption pkgs "oauth2-proxy" { };
##############################################
# Taken from: https://github.com/oauth2-proxy/oauth2-proxy/blob/master/providers/providers.go
96
-
provider = mkOption {
93
+
provider = lib.mkOption {
94
+
type = lib.types.enum [
···
119
-
approvalPrompt = mkOption {
120
-
type = types.enum ["force" "auto"];
116
+
approvalPrompt = lib.mkOption {
117
+
type = lib.types.enum ["force" "auto"];
127
-
clientID = mkOption {
128
-
type = types.nullOr types.str;
124
+
clientID = lib.mkOption {
125
+
type = lib.types.nullOr lib.types.str;
example = "123456.apps.googleusercontent.com";
135
-
oidcIssuerUrl = mkOption {
136
-
type = types.nullOr types.str;
132
+
oidcIssuerUrl = lib.mkOption {
133
+
type = lib.types.nullOr lib.types.str;
···
example = "https://login.microsoftonline.com/{TENANT_ID}/v2.0";
144
-
clientSecret = mkOption {
145
-
type = types.nullOr types.str;
141
+
clientSecret = lib.mkOption {
142
+
type = lib.types.nullOr lib.types.str;
151
-
skipAuthRegexes = mkOption {
152
-
type = types.listOf types.str;
148
+
skipAuthRegexes = lib.mkOption {
149
+
type = lib.types.listOf lib.types.str;
Skip authentication for requests matching any of these regular
···
# XXX: Not clear whether these two options are mutually exclusive or not.
162
-
domains = mkOption {
163
-
type = types.listOf types.str;
159
+
domains = lib.mkOption {
160
+
type = lib.types.listOf lib.types.str;
Authenticate emails with the specified domains. Use
···
171
-
addresses = mkOption {
172
-
type = types.nullOr types.lines;
168
+
addresses = lib.mkOption {
169
+
type = lib.types.nullOr lib.types.lines;
Line-separated email addresses that are allowed to authenticate.
···
180
-
loginURL = mkOption {
181
-
type = types.nullOr types.str;
177
+
loginURL = lib.mkOption {
178
+
type = lib.types.nullOr lib.types.str;
···
example = "https://provider.example.com/oauth/authorize";
193
-
redeemURL = mkOption {
194
-
type = types.nullOr types.str;
190
+
redeemURL = lib.mkOption {
191
+
type = lib.types.nullOr lib.types.str;
Token redemption endpoint.
···
example = "https://provider.example.com/oauth/token";
206
-
validateURL = mkOption {
207
-
type = types.nullOr types.str;
203
+
validateURL = lib.mkOption {
204
+
type = lib.types.nullOr lib.types.str;
Access token validation endpoint.
···
example = "https://provider.example.com/user/emails";
219
-
redirectURL = mkOption {
216
+
redirectURL = lib.mkOption {
# XXX: jml suspects this is always necessary, but the command-line
# doesn't require it so making it optional.
222
-
type = types.nullOr types.str;
219
+
type = lib.types.nullOr lib.types.str;
···
231
-
tenant = mkOption {
228
+
tenant = lib.mkOption {
229
+
type = lib.types.str;
Go to a tenant-specific or common (tenant-independent) endpoint.
239
-
resource = mkOption {
236
+
resource = lib.mkOption {
237
+
type = lib.types.str;
The resource that is protected.
···
248
-
adminEmail = mkOption {
245
+
adminEmail = lib.mkOption {
246
+
type = lib.types.str;
The Google Admin to impersonate for API calls.
···
261
-
groups = mkOption {
262
-
type = types.listOf types.str;
258
+
groups = lib.mkOption {
259
+
type = lib.types.listOf lib.types.str;
Restrict logins to members of these Google groups.
269
-
serviceAccountJSON = mkOption {
266
+
serviceAccountJSON = lib.mkOption {
267
+
type = lib.types.path;
The path to the service account JSON credentials.
···
279
-
type = types.nullOr types.str;
275
+
org = lib.mkOption {
276
+
type = lib.types.nullOr lib.types.str;
Restrict logins to members of this organisation.
287
-
type = types.nullOr types.str;
283
+
team = lib.mkOption {
284
+
type = lib.types.nullOr lib.types.str;
Restrict logins to members of this team.
···
####################################################
298
-
upstream = mkOption {
299
-
type = with types; coercedTo str (x: [x]) (listOf str);
295
+
upstream = lib.mkOption {
296
+
type = with lib.types; coercedTo str (x: [x]) (listOf str);
The http url(s) of the upstream endpoint or `file://`
···
307
-
passAccessToken = mkOption {
304
+
passAccessToken = lib.mkOption {
305
+
type = lib.types.bool;
Pass OAuth access_token to upstream via X-Forwarded-Access-Token header.
315
-
passBasicAuth = mkOption {
312
+
passBasicAuth = lib.mkOption {
313
+
type = lib.types.bool;
Pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream.
323
-
basicAuthPassword = mkOption {
324
-
type = types.nullOr types.str;
320
+
basicAuthPassword = lib.mkOption {
321
+
type = lib.types.nullOr lib.types.str;
The password to set when passing the HTTP Basic Auth header.
331
-
passHostHeader = mkOption {
328
+
passHostHeader = lib.mkOption {
329
+
type = lib.types.bool;
Pass the request Host Header to upstream.
339
-
signatureKey = mkOption {
340
-
type = types.nullOr types.str;
336
+
signatureKey = lib.mkOption {
337
+
type = lib.types.nullOr lib.types.str;
GAP-Signature request signature key.
···
349
-
domain = mkOption {
350
-
type = types.nullOr types.str;
346
+
domain = lib.mkOption {
347
+
type = lib.types.nullOr lib.types.str;
Optional cookie domains to force cookies to (ie: `.yourcompany.com`).
···
example = ".yourcompany.com";
360
-
expire = mkOption {
357
+
expire = lib.mkOption {
358
+
type = lib.types.str;
Expire timeframe for cookie.
368
-
httpOnly = mkOption {
365
+
httpOnly = lib.mkOption {
366
+
type = lib.types.bool;
Set HttpOnly cookie flag.
373
+
name = lib.mkOption {
374
+
type = lib.types.str;
default = "_oauth2_proxy";
The name of the cookie that the oauth_proxy creates.
384
-
refresh = mkOption {
381
+
refresh = lib.mkOption {
# XXX: Unclear what the behavior is when this is not specified.
386
-
type = types.nullOr types.str;
383
+
type = lib.types.nullOr lib.types.str;
Refresh the cookie after this duration; 0 to disable.
···
394
-
secret = mkOption {
395
-
type = types.nullOr types.str;
391
+
secret = lib.mkOption {
392
+
type = lib.types.nullOr lib.types.str;
The seed string for secure cookies.
401
-
secure = mkOption {
398
+
secure = lib.mkOption {
399
+
type = lib.types.bool;
Set secure (HTTPS) cookie flag.
···
####################################################
# OAUTH2 PROXY configuration
413
-
httpAddress = mkOption {
410
+
httpAddress = lib.mkOption {
411
+
type = lib.types.str;
default = "http://127.0.0.1:4180";
HTTPS listening address. This module does not expose the port by
···
425
-
type = types.nullOr types.path;
421
+
file = lib.mkOption {
422
+
type = lib.types.nullOr lib.types.path;
Additionally authenticate against a htpasswd file. Entries must be
···
433
-
displayForm = mkOption {
430
+
displayForm = lib.mkOption {
431
+
type = lib.types.bool;
Display username / password login form if an htpasswd file is provided.
···
442
-
customTemplatesDir = mkOption {
443
-
type = types.nullOr types.path;
439
+
customTemplatesDir = lib.mkOption {
440
+
type = lib.types.nullOr lib.types.path;
Path to custom HTML templates.
450
-
reverseProxy = mkOption {
447
+
reverseProxy = lib.mkOption {
448
+
type = lib.types.bool;
In case when running behind a reverse proxy, controls whether headers
···
461
-
proxyPrefix = mkOption {
458
+
proxyPrefix = lib.mkOption {
459
+
type = lib.types.str;
The url root path that this proxy should be nested under.
···
470
-
enable = mkOption {
467
+
enable = lib.mkOption {
468
+
type = lib.types.bool;
Whether to serve over TLS.
478
-
certificate = mkOption {
475
+
certificate = lib.mkOption {
476
+
type = lib.types.path;
Path to certificate file.
482
+
key = lib.mkOption {
483
+
type = lib.types.path;
Path to private key file.
492
-
httpsAddress = mkOption {
489
+
httpsAddress = lib.mkOption {
490
+
type = lib.types.str;
`addr:port` to listen on for HTTPS clients.
···
505
-
requestLogging = mkOption {
502
+
requestLogging = lib.mkOption {
503
+
type = lib.types.bool;
···
# XXX: Is this mandatory? Is it part of another group? Is it part of the provider specification?
514
+
scope = lib.mkOption {
# XXX: jml suspects this is always necessary, but the command-line
# doesn't require it so making it optional.
520
-
type = types.nullOr types.str;
517
+
type = lib.types.nullOr lib.types.str;
OAuth scope specification.
527
-
profileURL = mkOption {
528
-
type = types.nullOr types.str;
524
+
profileURL = lib.mkOption {
525
+
type = lib.types.nullOr lib.types.str;
535
-
setXauthrequest = mkOption {
536
-
type = types.nullOr types.bool;
532
+
setXauthrequest = lib.mkOption {
533
+
type = lib.types.nullOr lib.types.bool;
Set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode). Setting this to 'null' means using the upstream default (false).
543
-
extraConfig = mkOption {
540
+
extraConfig = lib.mkOption {
545
-
type = types.attrsOf types.anything;
542
+
type = lib.types.attrsOf lib.types.anything;
Extra config to pass to oauth2-proxy.
551
-
keyFile = mkOption {
552
-
type = types.nullOr types.path;
548
+
keyFile = lib.mkOption {
549
+
type = lib.types.nullOr lib.types.path;
oauth2-proxy allows passing sensitive configuration via environment variables.
···
OAUTH2_PROXY_CLIENT_SECRET=asdfasdfasdf.apps.googleuserscontent.com
and specify the path here.
560
-
example = "/run/keys/oauth2_proxy";
557
+
example = "/run/keys/oauth2-proxy";
565
-
config = mkIf cfg.enable {
562
+
(lib.mkRenamedOptionModule [ "services" "oauth2_proxy" ] [ "services" "oauth2-proxy" ])
567
-
services.oauth2_proxy = mkIf (cfg.keyFile != null) {
568
-
clientID = mkDefault null;
569
-
clientSecret = mkDefault null;
570
-
cookie.secret = mkDefault null;
565
+
config = lib.mkIf cfg.enable {
566
+
services.oauth2-proxy = lib.mkIf (cfg.keyFile != null) {
567
+
clientID = lib.mkDefault null;
568
+
clientSecret = lib.mkDefault null;
569
+
cookie.secret = lib.mkDefault null;
573
-
users.users.oauth2_proxy = {
572
+
users.users.oauth2-proxy = {
description = "OAuth2 Proxy";
576
-
group = "oauth2_proxy";
575
+
group = "oauth2-proxy";
579
-
users.groups.oauth2_proxy = {};
578
+
users.groups.oauth2-proxy = {};
581
-
systemd.services.oauth2_proxy = {
580
+
systemd.services.oauth2-proxy = {
description = "OAuth2 Proxy";
wantedBy = [ "multi-user.target" ];
···
after = [ "network-online.target" ];
589
-
User = "oauth2_proxy";
588
+
User = "oauth2-proxy";
ExecStart = "${cfg.package}/bin/oauth2-proxy ${configString}";
592
-
EnvironmentFile = mkIf (cfg.keyFile != null) cfg.keyFile;
591
+
EnvironmentFile = lib.mkIf (cfg.keyFile != null) cfg.keyFile;
pyrox.dev