0c178a0ef6
Upstream nixpkgs removed a lot of aliases this time, so we needed to do the following transformations. It's a real shame that aliases only really become discoverable easily when they are removed. * runCommandNoCC -> runCommand * gmailieer -> lieer We also need to work around the fact that home-manager hasn't catched on to this rename. * mysql -> mariadb * pkgconfig -> pkg-config This also affects our Nix fork which needs to be bumped. * prometheus_client -> prometheus-client * rxvt_unicode -> rxvt-unicode-unwrapped * nix-review -> nixpkgs-review * oauth2_proxy -> oauth2-proxy Additionally, some Go-related builders decided to drop support for passing the sha256 hash in directly, so we need to use the generic hash arguments. Change-Id: I84aaa225ef18962937f8616a9ff064822f0d5dc3 Reviewed-on: https://cl.tvl.fyi/c/depot/+/6792 Autosubmit: sterni <sternenseemann@systemli.org> Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi> Reviewed-by: flokli <flokli@flokli.de> Reviewed-by: tazjin <tazjin@tvl.su> Reviewed-by: wpcarro <wpcarro@gmail.com>
60 lines
1.7 KiB
Nix
60 lines
1.7 KiB
Nix
# Configuration for oauth2_proxy, which is used as a handler for nginx
|
|
# auth-request setups.
|
|
#
|
|
# This module exports a helper function at
|
|
# `config.services.depot.oauth2_proxy.withAuth` that can be wrapped
|
|
# around nginx server configuration blocks to configure their
|
|
# authentication setup.
|
|
{ config, depot, pkgs, lib, ... }:
|
|
|
|
let
|
|
description = "OAuth2 proxy to authenticate TVL services";
|
|
cfg = config.services.depot.oauth2_proxy;
|
|
configFile = pkgs.writeText "oauth2_proxy.cfg" ''
|
|
email_domains = [ "*" ]
|
|
http_address = "127.0.0.1:${toString cfg.port}"
|
|
provider = "keycloak-oidc"
|
|
client_id = "oauth2-proxy"
|
|
oidc_issuer_url = "https://auth.tvl.fyi/auth/realms/TVL"
|
|
reverse_proxy = true
|
|
set_xauthrequest = true
|
|
'';
|
|
|
|
# Depend on the Keycloak service if it is running on the same
|
|
# machine.
|
|
depends_on = lib.optional config.services.keycloak.enable "keycloak.service";
|
|
in
|
|
{
|
|
options.services.depot.oauth2_proxy = {
|
|
enable = lib.mkEnableOption description;
|
|
|
|
port = lib.mkOption {
|
|
description = "Port to listen on";
|
|
type = lib.types.int;
|
|
default = 2884; # "auth"
|
|
};
|
|
|
|
secretsFile = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = "EnvironmentFile from which to load secrets";
|
|
default = config.age.secretsDir + "/oauth2_proxy";
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
systemd.services.oauth2_proxy = {
|
|
inherit description;
|
|
after = depends_on;
|
|
wants = depends_on;
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
serviceConfig = {
|
|
Restart = "always";
|
|
RestartSec = "5s";
|
|
DynamicUser = true;
|
|
EnvironmentFile = cfg.secretsFile;
|
|
ExecStart = "${pkgs.oauth2-proxy}/bin/oauth2-proxy --config ${configFile}";
|
|
};
|
|
};
|
|
};
|
|
}
|