
nixos/oauth2-proxy{,-nginx}: remove with lib

This commit is contained in:
Sandro Jäckel 2023-12-17 01:34:04 +01:00
parent 34f87f3981
commit a19b4b84b0
No known key found for this signature in database
GPG key ID: 3AF5A43A3EECC2E5
2 changed files with 131 additions and 133 deletions


@ -1,21 +1,20 @@
{ config, lib, ... }: { config, lib, ... }:
with lib;
let let
cfg = config.services.oauth2-proxy.nginx; cfg = config.services.oauth2-proxy.nginx;
in in
{ {
options.services.oauth2-proxy.nginx = { options.services.oauth2-proxy.nginx = {
proxy = mkOption { proxy = lib.mkOption {
type = types.str; type = lib.types.str;
default = config.services.oauth2-proxy.httpAddress; default = config.services.oauth2-proxy.httpAddress;
defaultText = literalExpression "config.services.oauth2-proxy.httpAddress"; defaultText = lib.literalExpression "config.services.oauth2-proxy.httpAddress";
description = '' description = ''
The address of the reverse proxy endpoint for oauth2-proxy The address of the reverse proxy endpoint for oauth2-proxy
''; '';
}; };
domain = mkOption { domain = lib.mkOption {
type = types.str; type = lib.types.str;
description = '' description = ''
The domain under which the oauth2-proxy will be accesible and the path of cookies are set to. The domain under which the oauth2-proxy will be accesible and the path of cookies are set to.
This setting must be set to ensure back-redirects are working properly This setting must be set to ensure back-redirects are working properly
@ -24,33 +23,33 @@ in
''; '';
}; };
virtualHosts = mkOption { virtualHosts = lib.mkOption {
type = let type = let
vhostSubmodule = types.submodule { vhostSubmodule = lib.types.submodule {
options = { options = {
allowed_groups = mkOption { allowed_groups = lib.mkOption {
type = types.nullOr (types.listOf types.str); type = lib.types.nullOr (lib.types.listOf lib.types.str);
description = "List of groups to allow access to this vhost, or null to allow all."; description = "List of groups to allow access to this vhost, or null to allow all.";
default = null; default = null;
}; };
allowed_emails = mkOption { allowed_emails = lib.mkOption {
type = types.nullOr (types.listOf types.str); type = lib.types.nullOr (lib.types.listOf lib.types.str);
description = "List of emails to allow access to this vhost, or null to allow all."; description = "List of emails to allow access to this vhost, or null to allow all.";
default = null; default = null;
}; };
allowed_email_domains = mkOption { allowed_email_domains = lib.mkOption {
type = types.nullOr (types.listOf types.str); type = lib.types.nullOr (lib.types.listOf lib.types.str);
description = "List of email domains to allow access to this vhost, or null to allow all."; description = "List of email domains to allow access to this vhost, or null to allow all.";
default = null; default = null;
}; };
}; };
}; };
oldType = types.listOf types.str; oldType = lib.types.listOf lib.types.str;
convertFunc = x: convertFunc = x:
lib.warn "services.oauth2-proxy.nginx.virtualHosts should be an attrset, found ${lib.generators.toPretty {} x}" lib.warn "services.oauth2-proxy.nginx.virtualHosts should be an attrset, found ${lib.generators.toPretty {} x}"
lib.genAttrs x (_: {}); lib.genAttrs x (_: {});
newType = types.attrsOf vhostSubmodule; newType = lib.types.attrsOf vhostSubmodule;
in types.coercedTo oldType convertFunc newType; in lib.types.coercedTo oldType convertFunc newType;
default = {}; default = {};
example = { example = {
"protected.foo.com" = { "protected.foo.com" = {
@ -65,11 +64,11 @@ in
}; };
}; };
config.services.oauth2-proxy = mkIf (cfg.virtualHosts != [] && (hasPrefix "127.0.0.1:" cfg.proxy)) { config.services.oauth2-proxy = lib.mkIf (cfg.virtualHosts != [] && (lib.hasPrefix "127.0.0.1:" cfg.proxy)) {
enable = true; enable = true;
}; };
config.services.nginx = mkIf (cfg.virtualHosts != [] && config.services.oauth2-proxy.enable) (mkMerge ([ config.services.nginx = lib.mkIf (cfg.virtualHosts != [] && config.services.oauth2-proxy.enable) (lib.mkMerge ([
{ {
virtualHosts.${cfg.domain}.locations."/oauth2/" = { virtualHosts.${cfg.domain}.locations."/oauth2/" = {
proxyPass = cfg.proxy; proxyPass = cfg.proxy;
@ -79,7 +78,7 @@ in
''; '';
}; };
} }
] ++ optional (cfg.virtualHosts != []) { ] ++ lib.optional (cfg.virtualHosts != []) {
recommendedProxySettings = true; # needed because duplicate headers recommendedProxySettings = true; # needed because duplicate headers
} ++ (lib.mapAttrsToList (vhost: conf: { } ++ (lib.mapAttrsToList (vhost: conf: {
virtualHosts.${vhost} = { virtualHosts.${vhost} = {
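Review bot: The guards `cfg.virtualHosts != []` in the `@ -65` hunk (both the `config.services.oauth2-proxy` and the `config.services.nginx` lines) and again in `@ -79` compare against a list, but since `virtualHosts` is declared as `lib.types.coercedTo oldType convertFunc newType` with `newType = lib.types.attrsOf vhostSubmodule` the option value is always an attrset, and in Nix a set is never equal to a list, so these conditions are always true and the check should read `cfg.virtualHosts != {}`. With the default `{}` and oauth2-proxy enabled this presumably still emits the `/oauth2/` location on `virtualHosts.${cfg.domain}`, forcing `domain` to be set even when no vhost is protected. On the same line, `lib.hasPrefix "127.0.0.1:" cfg.proxy` appears never to match the default `httpAddress` of `http://127.0.0.1:4180` shown in the other file, so the auto-enable likely only fires for a hand-set bare `host:port` value; worth confirming and either documenting or matching on the URL form. The `lib.mkMerge ([ … ])` list that starts in the `@ -65` hunk continues past the end of the visible hunks.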


@ -1,6 +1,5 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
with lib;
let let
cfg = config.services.oauth2-proxy; cfg = config.services.oauth2-proxy;
@ -71,28 +70,28 @@ let
} // (getProviderOptions cfg cfg.provider) // cfg.extraConfig; } // (getProviderOptions cfg cfg.provider) // cfg.extraConfig;
mapConfig = key: attr: mapConfig = key: attr:
optionalString (attr != null && attr != []) ( lib.optionalString (attr != null && attr != []) (
if isDerivation attr then mapConfig key (toString attr) else if lib.isDerivation attr then mapConfig key (toString attr) else
if (builtins.typeOf attr) == "set" then concatStringsSep " " if (builtins.typeOf attr) == "set" then lib.concatStringsSep " "
(mapAttrsToList (name: value: mapConfig (key + "-" + name) value) attr) else (lib.mapAttrsToList (name: value: mapConfig (key + "-" + name) value) attr) else
if (builtins.typeOf attr) == "list" then concatMapStringsSep " " (mapConfig key) attr else if (builtins.typeOf attr) == "list" then lib.concatMapStringsSep " " (mapConfig key) attr else
if (builtins.typeOf attr) == "bool" then "--${key}=${boolToString attr}" else if (builtins.typeOf attr) == "bool" then "--${key}=${lib.boolToString attr}" else
if (builtins.typeOf attr) == "string" then "--${key}='${attr}'" else if (builtins.typeOf attr) == "string" then "--${key}='${attr}'" else
"--${key}=${toString attr}"); "--${key}=${toString attr}");
configString = concatStringsSep " " (mapAttrsToList mapConfig allConfig); configString = lib.concatStringsSep " " (lib.mapAttrsToList mapConfig allConfig);
in in
{ {
options.services.oauth2-proxy = { options.services.oauth2-proxy = {
enable = mkEnableOption "oauth2-proxy"; enable = lib.mkEnableOption "oauth2-proxy";
package = mkPackageOption pkgs "oauth2-proxy" { }; package = lib.mkPackageOption pkgs "oauth2-proxy" { };
############################################## ##############################################
# PROVIDER configuration # PROVIDER configuration
# Taken from: https://github.com/oauth2-proxy/oauth2-proxy/blob/master/providers/providers.go # Taken from: https://github.com/oauth2-proxy/oauth2-proxy/blob/master/providers/providers.go
provider = mkOption { provider = lib.mkOption {
type = types.enum [ type = lib.types.enum [
"adfs" "adfs"
"azure" "azure"
"bitbucket" "bitbucket"
@ -114,24 +113,24 @@ in
''; '';
}; };
approvalPrompt = mkOption { approvalPrompt = lib.mkOption {
type = types.enum ["force" "auto"]; type = lib.types.enum ["force" "auto"];
default = "force"; default = "force";
description = '' description = ''
OAuth approval_prompt. OAuth approval_prompt.
''; '';
}; };
clientID = mkOption { clientID = lib.mkOption {
type = types.nullOr types.str; type = lib.types.nullOr lib.types.str;
description = '' description = ''
The OAuth Client ID. The OAuth Client ID.
''; '';
example = "123456.apps.googleusercontent.com"; example = "123456.apps.googleusercontent.com";
}; };
oidcIssuerUrl = mkOption { oidcIssuerUrl = lib.mkOption {
type = types.nullOr types.str; type = lib.types.nullOr lib.types.str;
default = null; default = null;
description = '' description = ''
The OAuth issuer URL. The OAuth issuer URL.
@ -139,15 +138,15 @@ in
example = "https://login.microsoftonline.com/{TENANT_ID}/v2.0"; example = "https://login.microsoftonline.com/{TENANT_ID}/v2.0";
}; };
clientSecret = mkOption { clientSecret = lib.mkOption {
type = types.nullOr types.str; type = lib.types.nullOr lib.types.str;
description = '' description = ''
The OAuth Client Secret. The OAuth Client Secret.
''; '';
}; };
skipAuthRegexes = mkOption { skipAuthRegexes = lib.mkOption {
type = types.listOf types.str; type = lib.types.listOf lib.types.str;
default = []; default = [];
description = '' description = ''
Skip authentication for requests matching any of these regular Skip authentication for requests matching any of these regular
@ -157,8 +156,8 @@ in
# XXX: Not clear whether these two options are mutually exclusive or not. # XXX: Not clear whether these two options are mutually exclusive or not.
email = { email = {
domains = mkOption { domains = lib.mkOption {
type = types.listOf types.str; type = lib.types.listOf lib.types.str;
default = []; default = [];
description = '' description = ''
Authenticate emails with the specified domains. Use Authenticate emails with the specified domains. Use
@ -166,8 +165,8 @@ in
''; '';
}; };
addresses = mkOption { addresses = lib.mkOption {
type = types.nullOr types.lines; type = lib.types.nullOr lib.types.lines;
default = null; default = null;
description = '' description = ''
Line-separated email addresses that are allowed to authenticate. Line-separated email addresses that are allowed to authenticate.
@ -175,8 +174,8 @@ in
}; };
}; };
loginURL = mkOption { loginURL = lib.mkOption {
type = types.nullOr types.str; type = lib.types.nullOr lib.types.str;
default = null; default = null;
description = '' description = ''
Authentication endpoint. Authentication endpoint.
@ -188,8 +187,8 @@ in
example = "https://provider.example.com/oauth/authorize"; example = "https://provider.example.com/oauth/authorize";
}; };
redeemURL = mkOption { redeemURL = lib.mkOption {
type = types.nullOr types.str; type = lib.types.nullOr lib.types.str;
default = null; default = null;
description = '' description = ''
Token redemption endpoint. Token redemption endpoint.
@ -201,8 +200,8 @@ in
example = "https://provider.example.com/oauth/token"; example = "https://provider.example.com/oauth/token";
}; };
validateURL = mkOption { validateURL = lib.mkOption {
type = types.nullOr types.str; type = lib.types.nullOr lib.types.str;
default = null; default = null;
description = '' description = ''
Access token validation endpoint. Access token validation endpoint.
@ -214,10 +213,10 @@ in
example = "https://provider.example.com/user/emails"; example = "https://provider.example.com/user/emails";
}; };
redirectURL = mkOption { redirectURL = lib.mkOption {
# XXX: jml suspects this is always necessary, but the command-line # XXX: jml suspects this is always necessary, but the command-line
# doesn't require it so making it optional. # doesn't require it so making it optional.
type = types.nullOr types.str; type = lib.types.nullOr lib.types.str;
default = null; default = null;
description = '' description = ''
The OAuth2 redirect URL. The OAuth2 redirect URL.
@ -226,16 +225,16 @@ in
}; };
azure = { azure = {
tenant = mkOption { tenant = lib.mkOption {
type = types.str; type = lib.types.str;
default = "common"; default = "common";
description = '' description = ''
Go to a tenant-specific or common (tenant-independent) endpoint. Go to a tenant-specific or common (tenant-independent) endpoint.
''; '';
}; };
resource = mkOption { resource = lib.mkOption {
type = types.str; type = lib.types.str;
description = '' description = ''
The resource that is protected. The resource that is protected.
''; '';
@ -243,8 +242,8 @@ in
}; };
google = { google = {
adminEmail = mkOption { adminEmail = lib.mkOption {
type = types.str; type = lib.types.str;
description = '' description = ''
The Google Admin to impersonate for API calls. The Google Admin to impersonate for API calls.
@ -256,16 +255,16 @@ in
''; '';
}; };
groups = mkOption { groups = lib.mkOption {
type = types.listOf types.str; type = lib.types.listOf lib.types.str;
default = []; default = [];
description = '' description = ''
Restrict logins to members of these Google groups. Restrict logins to members of these Google groups.
''; '';
}; };
serviceAccountJSON = mkOption { serviceAccountJSON = lib.mkOption {
type = types.path; type = lib.types.path;
description = '' description = ''
The path to the service account JSON credentials. The path to the service account JSON credentials.
''; '';
@ -273,16 +272,16 @@ in
}; };
github = { github = {
org = mkOption { org = lib.mkOption {
type = types.nullOr types.str; type = lib.types.nullOr lib.types.str;
default = null; default = null;
description = '' description = ''
Restrict logins to members of this organisation. Restrict logins to members of this organisation.
''; '';
}; };
team = mkOption { team = lib.mkOption {
type = types.nullOr types.str; type = lib.types.nullOr lib.types.str;
default = null; default = null;
description = '' description = ''
Restrict logins to members of this team. Restrict logins to members of this team.
@ -293,8 +292,8 @@ in
#################################################### ####################################################
# UPSTREAM Configuration # UPSTREAM Configuration
upstream = mkOption { upstream = lib.mkOption {
type = with types; coercedTo str (x: [x]) (listOf str); type = with lib.types; coercedTo str (x: [x]) (listOf str);
default = []; default = [];
description = '' description = ''
The http url(s) of the upstream endpoint or `file://` The http url(s) of the upstream endpoint or `file://`
@ -302,40 +301,40 @@ in
''; '';
}; };
passAccessToken = mkOption { passAccessToken = lib.mkOption {
type = types.bool; type = lib.types.bool;
default = false; default = false;
description = '' description = ''
Pass OAuth access_token to upstream via X-Forwarded-Access-Token header. Pass OAuth access_token to upstream via X-Forwarded-Access-Token header.
''; '';
}; };
passBasicAuth = mkOption { passBasicAuth = lib.mkOption {
type = types.bool; type = lib.types.bool;
default = true; default = true;
description = '' description = ''
Pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream. Pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream.
''; '';
}; };
basicAuthPassword = mkOption { basicAuthPassword = lib.mkOption {
type = types.nullOr types.str; type = lib.types.nullOr lib.types.str;
default = null; default = null;
description = '' description = ''
The password to set when passing the HTTP Basic Auth header. The password to set when passing the HTTP Basic Auth header.
''; '';
}; };
passHostHeader = mkOption { passHostHeader = lib.mkOption {
type = types.bool; type = lib.types.bool;
default = true; default = true;
description = '' description = ''
Pass the request Host Header to upstream. Pass the request Host Header to upstream.
''; '';
}; };
signatureKey = mkOption { signatureKey = lib.mkOption {
type = types.nullOr types.str; type = lib.types.nullOr lib.types.str;
default = null; default = null;
description = '' description = ''
GAP-Signature request signature key. GAP-Signature request signature key.
@ -344,8 +343,8 @@ in
}; };
cookie = { cookie = {
domain = mkOption { domain = lib.mkOption {
type = types.nullOr types.str; type = lib.types.nullOr lib.types.str;
default = null; default = null;
description = '' description = ''
Optional cookie domains to force cookies to (ie: `.yourcompany.com`). Optional cookie domains to force cookies to (ie: `.yourcompany.com`).
@ -355,33 +354,33 @@ in
example = ".yourcompany.com"; example = ".yourcompany.com";
}; };
expire = mkOption { expire = lib.mkOption {
type = types.str; type = lib.types.str;
default = "168h0m0s"; default = "168h0m0s";
description = '' description = ''
Expire timeframe for cookie. Expire timeframe for cookie.
''; '';
}; };
httpOnly = mkOption { httpOnly = lib.mkOption {
type = types.bool; type = lib.types.bool;
default = true; default = true;
description = '' description = ''
Set HttpOnly cookie flag. Set HttpOnly cookie flag.
''; '';
}; };
name = mkOption { name = lib.mkOption {
type = types.str; type = lib.types.str;
default = "_oauth2_proxy"; default = "_oauth2_proxy";
description = '' description = ''
The name of the cookie that the oauth_proxy creates. The name of the cookie that the oauth_proxy creates.
''; '';
}; };
refresh = mkOption { refresh = lib.mkOption {
# XXX: Unclear what the behavior is when this is not specified. # XXX: Unclear what the behavior is when this is not specified.
type = types.nullOr types.str; type = lib.types.nullOr lib.types.str;
default = null; default = null;
description = '' description = ''
Refresh the cookie after this duration; 0 to disable. Refresh the cookie after this duration; 0 to disable.
@ -389,15 +388,15 @@ in
example = "168h0m0s"; example = "168h0m0s";
}; };
secret = mkOption { secret = lib.mkOption {
type = types.nullOr types.str; type = lib.types.nullOr lib.types.str;
description = '' description = ''
The seed string for secure cookies. The seed string for secure cookies.
''; '';
}; };
secure = mkOption { secure = lib.mkOption {
type = types.bool; type = lib.types.bool;
default = true; default = true;
description = '' description = ''
Set secure (HTTPS) cookie flag. Set secure (HTTPS) cookie flag.
@ -408,8 +407,8 @@ in
#################################################### ####################################################
# OAUTH2 PROXY configuration # OAUTH2 PROXY configuration
httpAddress = mkOption { httpAddress = lib.mkOption {
type = types.str; type = lib.types.str;
default = "http://127.0.0.1:4180"; default = "http://127.0.0.1:4180";
description = '' description = ''
HTTPS listening address. This module does not expose the port by HTTPS listening address. This module does not expose the port by
@ -419,8 +418,8 @@ in
}; };
htpasswd = { htpasswd = {
file = mkOption { file = lib.mkOption {
type = types.nullOr types.path; type = lib.types.nullOr lib.types.path;
default = null; default = null;
description = '' description = ''
Additionally authenticate against a htpasswd file. Entries must be Additionally authenticate against a htpasswd file. Entries must be
@ -428,8 +427,8 @@ in
''; '';
}; };
displayForm = mkOption { displayForm = lib.mkOption {
type = types.bool; type = lib.types.bool;
default = true; default = true;
description = '' description = ''
Display username / password login form if an htpasswd file is provided. Display username / password login form if an htpasswd file is provided.
@ -437,16 +436,16 @@ in
}; };
}; };
customTemplatesDir = mkOption { customTemplatesDir = lib.mkOption {
type = types.nullOr types.path; type = lib.types.nullOr lib.types.path;
default = null; default = null;
description = '' description = ''
Path to custom HTML templates. Path to custom HTML templates.
''; '';
}; };
reverseProxy = mkOption { reverseProxy = lib.mkOption {
type = types.bool; type = lib.types.bool;
default = false; default = false;
description = '' description = ''
In case when running behind a reverse proxy, controls whether headers In case when running behind a reverse proxy, controls whether headers
@ -456,8 +455,8 @@ in
''; '';
}; };
proxyPrefix = mkOption { proxyPrefix = lib.mkOption {
type = types.str; type = lib.types.str;
default = "/oauth2"; default = "/oauth2";
description = '' description = ''
The url root path that this proxy should be nested under. The url root path that this proxy should be nested under.
@ -465,30 +464,30 @@ in
}; };
tls = { tls = {
enable = mkOption { enable = lib.mkOption {
type = types.bool; type = lib.types.bool;
default = false; default = false;
description = '' description = ''
Whether to serve over TLS. Whether to serve over TLS.
''; '';
}; };
certificate = mkOption { certificate = lib.mkOption {
type = types.path; type = lib.types.path;
description = '' description = ''
Path to certificate file. Path to certificate file.
''; '';
}; };
key = mkOption { key = lib.mkOption {
type = types.path; type = lib.types.path;
description = '' description = ''
Path to private key file. Path to private key file.
''; '';
}; };
httpsAddress = mkOption { httpsAddress = lib.mkOption {
type = types.str; type = lib.types.str;
default = ":443"; default = ":443";
description = '' description = ''
`addr:port` to listen on for HTTPS clients. `addr:port` to listen on for HTTPS clients.
@ -500,8 +499,8 @@ in
}; };
}; };
requestLogging = mkOption { requestLogging = lib.mkOption {
type = types.bool; type = lib.types.bool;
default = true; default = true;
description = '' description = ''
Log requests to stdout. Log requests to stdout.
@ -512,42 +511,42 @@ in
# UNKNOWN # UNKNOWN
# XXX: Is this mandatory? Is it part of another group? Is it part of the provider specification? # XXX: Is this mandatory? Is it part of another group? Is it part of the provider specification?
scope = mkOption { scope = lib.mkOption {
# XXX: jml suspects this is always necessary, but the command-line # XXX: jml suspects this is always necessary, but the command-line
# doesn't require it so making it optional. # doesn't require it so making it optional.
type = types.nullOr types.str; type = lib.types.nullOr lib.types.str;
default = null; default = null;
description = '' description = ''
OAuth scope specification. OAuth scope specification.
''; '';
}; };
profileURL = mkOption { profileURL = lib.mkOption {
type = types.nullOr types.str; type = lib.types.nullOr lib.types.str;
default = null; default = null;
description = '' description = ''
Profile access endpoint. Profile access endpoint.
''; '';
}; };
setXauthrequest = mkOption { setXauthrequest = lib.mkOption {
type = types.nullOr types.bool; type = lib.types.nullOr lib.types.bool;
default = false; default = false;
description = '' description = ''
Set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode). Setting this to 'null' means using the upstream default (false). Set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode). Setting this to 'null' means using the upstream default (false).
''; '';
}; };
extraConfig = mkOption { extraConfig = lib.mkOption {
default = {}; default = {};
type = types.attrsOf types.anything; type = lib.types.attrsOf lib.types.anything;
description = '' description = ''
Extra config to pass to oauth2-proxy. Extra config to pass to oauth2-proxy.
''; '';
}; };
keyFile = mkOption { keyFile = lib.mkOption {
type = types.nullOr types.path; type = lib.types.nullOr lib.types.path;
default = null; default = null;
description = '' description = ''
oauth2-proxy allows passing sensitive configuration via environment variables. oauth2-proxy allows passing sensitive configuration via environment variables.
@ -560,14 +559,14 @@ in
}; };
imports = [ imports = [
(mkRenamedOptionModule [ "services" "oauth2_proxy" ] [ "services" "oauth2-proxy" ]) (lib.mkRenamedOptionModule [ "services" "oauth2_proxy" ] [ "services" "oauth2-proxy" ])
]; ];
config = mkIf cfg.enable { config = lib.mkIf cfg.enable {
services.oauth2-proxy = mkIf (cfg.keyFile != null) { services.oauth2-proxy = lib.mkIf (cfg.keyFile != null) {
clientID = mkDefault null; clientID = lib.mkDefault null;
clientSecret = mkDefault null; clientSecret = lib.mkDefault null;
cookie.secret = mkDefault null; cookie.secret = lib.mkDefault null;
}; };
users.users.oauth2-proxy = { users.users.oauth2-proxy = {
@ -589,7 +588,7 @@ in
User = "oauth2-proxy"; User = "oauth2-proxy";
Restart = "always"; Restart = "always";
ExecStart = "${cfg.package}/bin/oauth2-proxy ${configString}"; ExecStart = "${cfg.package}/bin/oauth2-proxy ${configString}";
EnvironmentFile = mkIf (cfg.keyFile != null) cfg.keyFile; EnvironmentFile = lib.mkIf (cfg.keyFile != null) cfg.keyFile;
}; };
}; };
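Review bot: `clientSecret` (`@ -139`), `basicAuthPassword` and `signatureKey` (`@ -302`) and `cookie.secret` (`@ -389`) are plain `lib.types.str` options that presumably flow through `mapConfig` into `configString` and from there into `ExecStart` in the last hunk, so their values land in the world-readable Nix store and in the unit file, yet none of the four descriptions says so. The `keyFile` option in `@ -512` and the `lib.mkDefault null` fallbacks in `@ -560` already provide the environment-file route, but nothing in the secret options points users to it. I would add one sentence to each of those descriptions along the lines of `This value is interpolated into the service command line and therefore stored in the world-readable Nix store; prefer passing it via the environment file configured with `keyFile`.`, noting for `basicAuthPassword`/`signatureKey` that the matching oauth2-proxy environment variable belongs in `keyFile`. `allConfig`, which feeds `configString`, begins before the `@ -71` hunk, so I cannot see whether any of these values are filtered there. Separately, `upstream` in `@ -293` still uses `with lib.types;` although the commit's intent is to remove `with`; `type = lib.types.coercedTo lib.types.str (x: [x]) (lib.types.listOf lib.types.str);` would complete the change.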