mdebray/tvl-depot
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
tvl-depot/ops/modules/oauth2_proxy.nix
Vincent Ambo bdccd2c111 fix(ops/modules): Increase RestartSec= of oauth2_proxy service 
When Keycloak and oauth2_proxy are restarted simultaneously, the
latter might try to come up (repeatedly!) before Keycloak can serve it
properly.

This leads to systemd considering the unit failed.

Since this all happens in the span of a second or so, slightly
increase the restart delay of the service to ensure it comes back
after Keycloak is ready.

A "proper" fix might be to add a script that runs before the actual
service and waits for Keycloak, but I don't want to prioritise that
right now.

Change-Id: I4dadba686de60ffc103fe889ce19f05ca1d7d4fe
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5695
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-05-27 21:10:35 +00:00

60 lines
1.7 KiB
Nix
Raw Blame History

# Configuration for oauth2_proxy, which is used as a handler for nginx
# auth-request setups.
#
# This module exports a helper function at
# `config.services.depot.oauth2_proxy.withAuth` that can be wrapped
# around nginx server configuration blocks to configure their
# authentication setup.
{ config, depot, pkgs, lib, ... }:
let
description = "OAuth2 proxy to authenticate TVL services";
cfg = config.services.depot.oauth2_proxy;
configFile = pkgs.writeText "oauth2_proxy.cfg" ''
email_domains = [ "*" ]
http_address = "127.0.0.1:${toString cfg.port}"
provider = "keycloak-oidc"
client_id = "oauth2-proxy"
oidc_issuer_url = "https://auth.tvl.fyi/auth/realms/TVL"
reverse_proxy = true
set_xauthrequest = true
'';
# Depend on the Keycloak service if it is running on the same
# machine.
depends_on = lib.optional config.services.keycloak.enable "keycloak.service";
in
{
options.services.depot.oauth2_proxy = {
enable = lib.mkEnableOption description;
port = lib.mkOption {
description = "Port to listen on";
type = lib.types.int;
default = 2884; # "auth"
};
secretsFile = lib.mkOption {
type = lib.types.str;
description = "EnvironmentFile from which to load secrets";
default = config.age.secretsDir + "/oauth2_proxy";
};
};
config = lib.mkIf cfg.enable {
systemd.services.oauth2_proxy = {
inherit description;
after = depends_on;
wants = depends_on;
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Restart = "always";
RestartSec = "5s";
DynamicUser = true;
EnvironmentFile = cfg.secretsFile;
ExecStart = "${pkgs.oauth2_proxy}/bin/oauth2-proxy --config ${configFile}";
};
};
};
}
Reference in a new issue View git blame Copy permalink