tvl-depot/ops/modules/oauth2_proxy.nix
Vincent Ambo 1f3aa71cf2 fix(ops/oauth2_proxy): Fix cookie secret length
The cookie secret in the encrypted file was too long, because the
generation command in the oauth2_proxy docs is also wrong. Should
probably fix that upstream as well.

Also noticed that an extra '2' snuck into the service name and fixed
that.

Change-Id: I9a344a75993ab1f98299a8d45e7f5b2e146b7fc5
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4957
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
2022-01-17 13:51:47 +00:00

52 lines
1.5 KiB
Nix

# Configuration for oauth2_proxy, which is used as a handler for nginx
# auth-request setups.
#
# This module exports a helper function at
# `config.services.depot.oauth2_proxy.withAuth` that can be wrapped
# around nginx server configuration blocks to configure their
# authentication setup.
{ config, depot, pkgs, lib, ... }:
let
description = "OAuth2 proxy to authenticate TVL services";
cfg = config.services.depot.oauth2_proxy;
configFile = pkgs.writeText "oauth2_proxy.cfg" ''
email_domains = [ "*" ]
http_address = "127.0.0.1:${toString cfg.port}"
provider = "keycloak-oidc"
client_id = "oauth2-proxy"
oidc_issuer_url = "https://auth.tvl.fyi/auth/realms/TVL"
reverse_proxy = true
set_xauthrequest = true
'';
in {
options.services.depot.oauth2_proxy = {
enable = lib.mkEnableOption description;
port = lib.mkOption {
description = "Port to listen on";
type = lib.types.int;
default = 2884; # "auth"
};
secretsFile = lib.mkOption {
type = lib.types.str;
description = "EnvironmentFile from which to load secrets";
default = "/run/agenix/oauth2_proxy";
};
};
config = lib.mkIf cfg.enable {
systemd.services.oauth2_proxy = {
inherit description;
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Restart = "always";
DynamicUser = true;
EnvironmentFile = cfg.secretsFile;
ExecStart = "${pkgs.oauth2_proxy}/bin/oauth2-proxy --config ${configFile}";
};
};
};
}