authorAlyssa Ross <hi@alyssa.is>2020-05-12 14:45:39 +0000
committerAlyssa Ross <hi@alyssa.is>2020-05-12 14:56:01 +0000
commiteb7dadee9c0f903f1152f8dd4165453bfa48ccf4 (patch)
treea6bd66dcbec895aae167465672af08a1ca70f089 /nixpkgs/nixos/modules/services/security
parent3879b925f5dae3a0eb5c98b10c1ac5a0e4d729a3 (diff)
parent683c68232e91f76386db979c461d8fbe2a018782 (diff)
Merge commit '683c68232e91f76386db979c461d8fbe2a018782'
Diffstat (limited to 'nixpkgs/nixos/modules/services/security')
-rw-r--r--nixpkgs/nixos/modules/services/security/fprot.nix7
-rw-r--r--nixpkgs/nixos/modules/services/security/hologram-agent.nix4
-rw-r--r--nixpkgs/nixos/modules/services/security/hologram-server.nix2
-rw-r--r--nixpkgs/nixos/modules/services/security/oauth2_proxy.nix31
4 files changed, 29 insertions, 15 deletions
diff --git a/nixpkgs/nixos/modules/services/security/fprot.nix b/nixpkgs/nixos/modules/services/security/fprot.nix
index f203f2abc033..3a0b08b3c6d8 100644
--- a/nixpkgs/nixos/modules/services/security/fprot.nix
+++ b/nixpkgs/nixos/modules/services/security/fprot.nix
@@ -10,12 +10,7 @@ in {
 
     services.fprot = {
       updater = {
-        enable = mkOption {
-          default = false;
-          description = ''
-            Whether to enable automatic F-Prot virus definitions database updates.
-          '';
-        };
+        enable = mkEnableOption "automatic F-Prot virus definitions database updates";
 
         productData = mkOption {
           description = ''
diff --git a/nixpkgs/nixos/modules/services/security/hologram-agent.nix b/nixpkgs/nixos/modules/services/security/hologram-agent.nix
index a5087b0a99b4..e37334b3cf5e 100644
--- a/nixpkgs/nixos/modules/services/security/hologram-agent.nix
+++ b/nixpkgs/nixos/modules/services/security/hologram-agent.nix
@@ -43,12 +43,12 @@ in {
       description = "Provide EC2 instance credentials to machines outside of EC2";
       after       = [ "network.target" ];
       wantedBy    = [ "multi-user.target" ];
-      requires    = [ "network-link-dummy0.service" "network-addresses-dummy0.service" ]; 
+      requires    = [ "network-link-dummy0.service" "network-addresses-dummy0.service" ];
       preStart = ''
         /run/current-system/sw/bin/rm -fv /run/hologram.sock
       '';
       serviceConfig = {
-        ExecStart = "${pkgs.hologram.bin}/bin/hologram-agent -debug -conf ${cfgFile} -port ${cfg.httpPort}";
+        ExecStart = "${pkgs.hologram}/bin/hologram-agent -debug -conf ${cfgFile} -port ${cfg.httpPort}";
       };
     };
 
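Review bot: The rewritten ExecStart keeps `-debug` hard-wired, and the preStart above it still calls `/run/current-system/sw/bin/rm`, which resolves through the system profile instead of a store path. For an agent that hands out EC2 credentials, unconditional debug output is a questionable default; an option such as `services.hologramAgent.debug` (default false) rendered with `lib.optionalString cfg.debug "-debug"` keeps the flag available without forcing it on. The hermetic form of the cleanup is `${pkgs.coreutils}/bin/rm -fv /run/hologram.sock`. Note also that serviceConfig carries only ExecStart and no `User=`, so the agent presumably runs as root — if that is required for the dummy0 interface, a one-line comment saying so would help the next reader.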
diff --git a/nixpkgs/nixos/modules/services/security/hologram-server.nix b/nixpkgs/nixos/modules/services/security/hologram-server.nix
index bad02c7440ba..4acf6ae0e218 100644
--- a/nixpkgs/nixos/modules/services/security/hologram-server.nix
+++ b/nixpkgs/nixos/modules/services/security/hologram-server.nix
@@ -123,7 +123,7 @@ in {
       wantedBy    = [ "multi-user.target" ];
 
       serviceConfig = {
-        ExecStart = "${pkgs.hologram.bin}/bin/hologram-server --debug --conf ${cfgFile}";
+        ExecStart = "${pkgs.hologram}/bin/hologram-server --debug --conf ${cfgFile}";
       };
     };
   };
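Review bot: `--debug` stays hard-coded on the new ExecStart line, so the server always runs with debug output even though it brokers EC2 credentials; exposing it as a boolean option and rendering `lib.optionalString cfg.debug "--debug"` is the usual NixOS shape. As in the agent module, serviceConfig here has no `User=`, so the service presumably runs as root — either a dedicated user or a comment explaining why root is needed. The enclosing systemd unit starts outside the hunk.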
diff --git a/nixpkgs/nixos/modules/services/security/oauth2_proxy.nix b/nixpkgs/nixos/modules/services/security/oauth2_proxy.nix
index 2abb9ec32aca..d5c5437329ea 100644
--- a/nixpkgs/nixos/modules/services/security/oauth2_proxy.nix
+++ b/nixpkgs/nixos/modules/services/security/oauth2_proxy.nix
@@ -12,7 +12,7 @@ let
   # command-line to launch oauth2_proxy.
   providerSpecificOptions = {
     azure = cfg: {
-      azure.tenant = cfg.azure.tenant;
+      azure-tenant = cfg.azure.tenant;
       resource = cfg.azure.resource;
     };
 
@@ -44,6 +44,7 @@ let
     pass-access-token = passAccessToken;
     pass-basic-auth = passBasicAuth;
     pass-host-header = passHostHeader;
+    reverse-proxy = reverseProxy;
     proxy-prefix = proxyPrefix;
     profile-url = profileURL;
     redeem-url = redeemURL;
@@ -65,8 +66,8 @@ let
   } // lib.optionalAttrs (cfg.htpasswd.file != null) {
     display-htpasswd-file = cfg.htpasswd.displayForm;
   } // lib.optionalAttrs tls.enable {
-    tls-cert = tls.certificate;
-    tls-key = tls.key;
+    tls-cert-file = tls.certificate;
+    tls-key-file = tls.key;
     https-address = tls.httpsAddress;
   } // (getProviderOptions cfg cfg.provider) // cfg.extraConfig;
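Review bot: The renamed `tls-cert-file`/`tls-key-file` entries pass `tls.key` straight through, so whether the private key ends up in the world-readable Nix store depends on the option's type, which is declared outside this hunk: a `types.path` option given a literal path is copied into `/nix/store`, whereas `types.str` keeps it as a runtime path. Confirm the key option is `types.str` and, if not, change it and add to its description `Path to the TLS private key. Must stay outside the Nix store and be readable by the oauth2_proxy user.` Separately, the trailing `// cfg.extraConfig` merge means extraConfig silently overrides every key above it, including the TLS ones — worth a one-line comment such as `# extraConfig wins over all generated keys, including tls-*`.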
 
@@ -98,14 +99,21 @@ in
 
     ##############################################
     # PROVIDER configuration
+    # Taken from: https://github.com/pusher/oauth2_proxy/blob/master/providers/providers.go
     provider = mkOption {
       type = types.enum [
         "google"
-        "github"
         "azure"
+        "facebook"
+        "github"
+        "keycloak"
         "gitlab"
         "linkedin"
-        "myusa"
+        "login.gov"
+        "bitbucket"
+        "nextcloud"
+        "digitalocean"
+        "oidc"
       ];
       default = "google";
       description = ''
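Review bot: Dropping `"myusa"` from the enum turns any existing configuration that used it into a generic "value not in enum" evaluation error; since this merge tracks upstream's provider removal, an assertion with a message naming the removed provider, or a sentence in the description, would make that failure actionable. The new comment links to `master` of upstream `providers.go`, which will drift from whatever `cfg.package` actually ships — pin it to the tag matching the packaged release. The option's description continues past the end of the hunk.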
@@ -433,6 +441,17 @@ in
       '';
     };
 
+    reverseProxy = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        In case when running behind a reverse proxy, controls whether headers
+	like <literal>X-Real-Ip</literal> are accepted. Usage behind a reverse
+        proxy will require this flag to be set to avoid logging the reverse
+        proxy IP address.
+      '';
+    };
+
     proxyPrefix = mkOption {
       type = types.str;
       default = "/oauth2";
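Review bot: The description of the new `reverseProxy` option presents the flag purely as a logging concern, but once `X-Real-Ip` (and, depending on the oauth2_proxy version, other forwarded headers) is accepted, those values are client-controlled unless the listener is reachable only through the trusted proxy, so anything keyed on the remote address — logs, rate limits, IP allow-lists — can be spoofed. Add that caveat to the description, e.g. `Only enable this when oauth2_proxy is reachable exclusively through the reverse proxy (bind httpAddress to localhost or firewall it); otherwise clients can forge these headers.` The second line of the description is indented with a tab while the rest uses spaces, which Nix's indented-string stripping is likely to leave in the rendered text — replace it with spaces.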
@@ -558,7 +577,7 @@ in
       serviceConfig = {
         User = "oauth2_proxy";
         Restart = "always";
-        ExecStart = "${cfg.package.bin}/bin/oauth2_proxy ${configString}";
+        ExecStart = "${cfg.package}/bin/oauth2_proxy ${configString}";
         EnvironmentFile = mkIf (cfg.keyFile != null) cfg.keyFile;
       };
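Review bot: Everything in `configString` lands on the oauth2_proxy command line, which any local user can read via `ps` or `/proc/<pid>/cmdline`; any secret that reaches the option set (client secret, cookie secret, if those options exist — they are declared outside this hunk) is exposed that way, whereas values supplied through `EnvironmentFile` via `keyFile` are not. Their descriptions should steer users to `keyFile`, or the module should assert when a literal secret is set without one. The unit also runs with only `User = "oauth2_proxy"` and no sandboxing; `ProtectSystem = "strict";`, `ProtectHome = true;` and `NoNewPrivileges = true;` are low-risk additions for a network-facing proxy. The systemd unit definition starts outside the hunk.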
     };