movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-23 17:56:53 +03:00
Code Activity

treewide: format all inactive Nix files

Browse source 
After final improvements to the official formatter implementation,
this commit now performs the first treewide reformat of Nix files using it.
This is part of the implementation of RFC 166.

Only "inactive" files are reformatted, meaning only files that
aren't being touched by any PR with activity in the past 2 months.
This is to avoid conflicts for PRs that might soon be merged.
Later we can do a full treewide reformat to get the rest,
which should not cause as many conflicts.

A CI check has already been running for some time to ensure that new and
already-formatted files are formatted, so the files being reformatted here
should also stay formatted.

This commit was automatically created and can be verified using

    nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \
      --argstr baseRev b32a094368
    result/bin/apply-formatting $NIXPKGS_PATH
This commit is contained in:
Silvan Mosberger 2024-12-10 20:26:33 +01:00
parent b32a094368
commit 4f0dadbf38
21293 changed files with 701351 additions and 428307 deletions
Download patch file Download diff file Expand all files Collapse all files

203
nixos/modules/services/security/oauth2-proxy-nginx.nix
View file

@ -24,37 +24,43 @@ in
};
virtualHosts = lib.mkOption {
type = let
vhostSubmodule = lib.types.submodule {
options = {
allowed_groups = lib.mkOption {
type = lib.types.nullOr (lib.types.listOf lib.types.str);
description = "List of groups to allow access to this vhost, or null to allow all.";
default = null;
};
allowed_emails = lib.mkOption {
type = lib.types.nullOr (lib.types.listOf lib.types.str);
description = "List of emails to allow access to this vhost, or null to allow all.";
default = null;
};
allowed_email_domains = lib.mkOption {
type = lib.types.nullOr (lib.types.listOf lib.types.str);
description = "List of email domains to allow access to this vhost, or null to allow all.";
default = null;
type =
let
vhostSubmodule = lib.types.submodule {
options = {
allowed_groups = lib.mkOption {
type = lib.types.nullOr (lib.types.listOf lib.types.str);
description = "List of groups to allow access to this vhost, or null to allow all.";
default = null;
};
allowed_emails = lib.mkOption {
type = lib.types.nullOr (lib.types.listOf lib.types.str);
description = "List of emails to allow access to this vhost, or null to allow all.";
default = null;
};
allowed_email_domains = lib.mkOption {
type = lib.types.nullOr (lib.types.listOf lib.types.str);
description = "List of email domains to allow access to this vhost, or null to allow all.";
default = null;
};
};
};
};
oldType = lib.types.listOf lib.types.str;
convertFunc = x:
lib.warn "services.oauth2-proxy.nginx.virtualHosts should be an attrset, found ${lib.generators.toPretty {} x}"
lib.genAttrs x (_: {});
newType = lib.types.attrsOf vhostSubmodule;
in lib.types.coercedTo oldType convertFunc newType;
default = {};
oldType = lib.types.listOf lib.types.str;
convertFunc =
x:
lib.warn
"services.oauth2-proxy.nginx.virtualHosts should be an attrset, found ${lib.generators.toPretty { } x}"
lib.genAttrs
x
(_: { });
newType = lib.types.attrsOf vhostSubmodule;
in
lib.types.coercedTo oldType convertFunc newType;
default = { };
example = {
"protected.foo.com" = {
allowed_groups = ["admins"];
allowed_emails = ["boss@foo.com"];
allowed_groups = [ "admins" ];
allowed_emails = [ "boss@foo.com" ];
};
};
description = ''
@ -64,72 +70,85 @@ in
};
};
config.services.oauth2-proxy = lib.mkIf (cfg.virtualHosts != {} && (lib.hasPrefix "127.0.0.1:" cfg.proxy)) {
enable = true;
};
config.services.nginx = lib.mkIf (cfg.virtualHosts != {} && config.services.oauth2-proxy.enable) (lib.mkMerge ([
{
virtualHosts.${cfg.domain}.locations."/oauth2/" = {
proxyPass = cfg.proxy;
extraConfig = ''
auth_request off;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
'';
};
}
] ++ lib.optional (cfg.virtualHosts != {}) {
recommendedProxySettings = true; # needed because duplicate headers
} ++ (lib.mapAttrsToList (vhost: conf: {
virtualHosts.${vhost} = {
locations = {
"/".extraConfig = ''
# pass information via X-User and X-Email headers to backend, requires running with --set-xauthrequest flag
proxy_set_header X-User $user;
proxy_set_header X-Email $email;
# if you enabled --cookie-refresh, this is needed for it to work with auth_request
add_header Set-Cookie $auth_cookie;
'';
"/oauth2/auth" = let
maybeQueryArg = name: value:
if value == null then null
else "${name}=${lib.concatStringsSep "," (builtins.map lib.escapeURL value)}";
allArgs = lib.mapAttrsToList maybeQueryArg conf;
cleanArgs = builtins.filter (x: x != null) allArgs;
cleanArgsStr = lib.concatStringsSep "&" cleanArgs;
in {
# nginx doesn't support passing query string arguments to auth_request,
# so pass them here instead
proxyPass = "${cfg.proxy}/oauth2/auth?${cleanArgsStr}";
extraConfig = ''
auth_request off;
proxy_set_header X-Scheme $scheme;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
'';
};
"@redirectToAuth2ProxyLogin" = {
return = "307 https://${cfg.domain}/oauth2/start?rd=$scheme://$host$request_uri";
extraConfig = ''
auth_request off;
'';
};
config.services.oauth2-proxy =
lib.mkIf (cfg.virtualHosts != { } && (lib.hasPrefix "127.0.0.1:" cfg.proxy))
{
enable = true;
};
extraConfig = ''
auth_request /oauth2/auth;
error_page 401 = @redirectToAuth2ProxyLogin;
config.services.nginx = lib.mkIf (cfg.virtualHosts != { } && config.services.oauth2-proxy.enable) (
lib.mkMerge (
[
{
virtualHosts.${cfg.domain}.locations."/oauth2/" = {
proxyPass = cfg.proxy;
extraConfig = ''
auth_request off;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
'';
};
}
]
++ lib.optional (cfg.virtualHosts != { }) {
recommendedProxySettings = true; # needed because duplicate headers
}
++ (lib.mapAttrsToList (vhost: conf: {
virtualHosts.${vhost} = {
locations = {
"/".extraConfig = ''
# pass information via X-User and X-Email headers to backend, requires running with --set-xauthrequest flag
proxy_set_header X-User $user;
proxy_set_header X-Email $email;
# set variables being used in locations."/".extraConfig
auth_request_set $user $upstream_http_x_auth_request_user;
auth_request_set $email $upstream_http_x_auth_request_email;
auth_request_set $auth_cookie $upstream_http_set_cookie;
'';
};
}) cfg.virtualHosts)));
# if you enabled --cookie-refresh, this is needed for it to work with auth_request
add_header Set-Cookie $auth_cookie;
'';
"/oauth2/auth" =
let
maybeQueryArg =
name: value:
if value == null then
null
else
"${name}=${lib.concatStringsSep "," (builtins.map lib.escapeURL value)}";
allArgs = lib.mapAttrsToList maybeQueryArg conf;
cleanArgs = builtins.filter (x: x != null) allArgs;
cleanArgsStr = lib.concatStringsSep "&" cleanArgs;
in
{
# nginx doesn't support passing query string arguments to auth_request,
# so pass them here instead
proxyPass = "${cfg.proxy}/oauth2/auth?${cleanArgsStr}";
extraConfig = ''
auth_request off;
proxy_set_header X-Scheme $scheme;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
'';
};
"@redirectToAuth2ProxyLogin" = {
return = "307 https://${cfg.domain}/oauth2/start?rd=$scheme://$host$request_uri";
extraConfig = ''
auth_request off;
'';
};
};
extraConfig = ''
auth_request /oauth2/auth;
error_page 401 = @redirectToAuth2ProxyLogin;
# set variables being used in locations."/".extraConfig
auth_request_set $user $upstream_http_x_auth_request_user;
auth_request_set $email $upstream_http_x_auth_request_email;
auth_request_set $auth_cookie $upstream_http_set_cookie;
'';
};
}) cfg.virtualHosts)
)
);
}