summary refs log tree commit diff
path: root/nixos/modules/services/security
diff options
context:
space:
mode:
authorMichishige Kaito <me@mkaito.com>2018-06-29 15:36:03 +0100
committerMichishige Kaito <me@mkaito.com>2018-06-29 15:36:03 +0100
commit4a72999c75a7d94ebb1fb9c9dd160541a45b44e5 (patch)
treedd68636b71b3c70b9ebb7bc996f873bc55feaede /nixos/modules/services/security
parente686bd277196f33fccb685c4526333ebc50d1768 (diff)
downloadnixlib-4a72999c75a7d94ebb1fb9c9dd160541a45b44e5.tar
nixlib-4a72999c75a7d94ebb1fb9c9dd160541a45b44e5.tar.gz
nixlib-4a72999c75a7d94ebb1fb9c9dd160541a45b44e5.tar.bz2
nixlib-4a72999c75a7d94ebb1fb9c9dd160541a45b44e5.tar.lz
nixlib-4a72999c75a7d94ebb1fb9c9dd160541a45b44e5.tar.xz
nixlib-4a72999c75a7d94ebb1fb9c9dd160541a45b44e5.tar.zst
nixlib-4a72999c75a7d94ebb1fb9c9dd160541a45b44e5.zip
oauth2_proxy: add nginx vhost module
Diffstat (limited to 'nixos/modules/services/security')
-rw-r--r--nixos/modules/services/security/oauth2_proxy_nginx.nix58


1 files changed, 58 insertions, 0 deletions
diff --git a/nixos/modules/services/security/oauth2_proxy_nginx.nix b/nixos/modules/services/security/oauth2_proxy_nginx.nix
new file mode 100644
index 000000000000..80be28d91618
--- /dev/null
+++ b/nixos/modules/services/security/oauth2_proxy_nginx.nix
@@ -0,0 +1,58 @@
+{ pkgs, config, lib, ... }:
+with lib;
+let
+  cfg = config.services.oauth2_proxy.nginx;
+in
+{
+  options.services.oauth2_proxy.nginx = {
+    proxy = mkOption {
+      type = types.string;
+      default = config.services.oauth2_proxy.httpAddress;
+    };
+    virtualHosts = mkOption {
+      type = types.listOf types.string;
+      default = [];
+    };
+  };
+  config.services.oauth2_proxy = mkIf (cfg.virtualHosts != [] && (hasPrefix "127.0.0.1:" cfg.proxy)) {
+    enable = true;
+  };
+  config.services.nginx = mkMerge ((optional (cfg.virtualHosts != []) {
+    recommendedProxySettings = true; # needed because duplicate headers
+  }) ++ (map (vhost: {
+    virtualHosts.${vhost} = {
+      locations."/oauth2/" = {
+        proxyPass = cfg.proxy;
+        extraConfig = ''
+          proxy_set_header X-Scheme                $scheme;
+          proxy_set_header X-Auth-Request-Redirect $request_uri;
+        '';
+      };
+      locations."/oauth2/auth" = {
+        proxyPass = cfg.proxy;
+        extraConfig = ''
+          proxy_set_header X-Scheme         $scheme;
+          # nginx auth_request includes headers but not body
+          proxy_set_header Content-Length   "";
+          proxy_pass_request_body           off;
+        '';
+      };
+      locations."/".extraConfig = ''
+        auth_request /oauth2/auth;
+        error_page 401 = /oauth2/sign_in;
+
+        # pass information via X-User and X-Email headers to backend,
+        # requires running with --set-xauthrequest flag
+        auth_request_set $user   $upstream_http_x_auth_request_user;
+        auth_request_set $email  $upstream_http_x_auth_request_email;
+        proxy_set_header X-User  $user;
+        proxy_set_header X-Email $email;
+
+        # if you enabled --cookie-refresh, this is needed for it to work with auth_request
+        auth_request_set $auth_cookie $upstream_http_set_cookie;
+        add_header Set-Cookie $auth_cookie;
+      '';
+
+    };
+  }) cfg.virtualHosts));
+}

 

generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-06-04 06:55:39 +0000