nix-config/config/services/oauth2-proxy.nix

{
  config,
  nodes,
  globals,
  ...
}:
# oauth2-proxy acting as the OIDC relying party for Kanidm. With
# `upstream = "static://202"` and `setXauthrequest` below it answers
# authentication sub-requests (presumably nginx `auth_request` on the
# nucnix-nginx node) rather than proxying application traffic itself.
{
  wireguard.services = {
    client.via = "nucnix";
    # Only the nginx node may reach the listener over the wireguard link.
    # httpAddress below binds 0.0.0.0:3000, so this rule (and the host
    # firewall, not shown here) is what scopes exposure of the proxy.
    firewallRuleForNode.nucnix-nginx.allowedTCPPorts = [ 3000 ];
  };
  # Cookie-signing/encryption secret, readable by root and the
  # oauth2-proxy group only. It is loaded through EnvironmentFile below,
  # so the decrypted file presumably holds `OAUTH2_PROXY_COOKIE_SECRET=...`
  # rather than the bare value — confirm against the secret's contents.
  age.secrets.oauth2-cookie-secret = {
    rekeyFile = config.node.secretsDir + "/cookie-secret.age";
    mode = "440";
    group = "oauth2-proxy";
  };
  services.oauth2-proxy = {
    enable = true;
    # Session cookie is valid for every host under the web domain.
    cookie.domain = ".${globals.domains.web}";
    cookie.secure = true;
    # Session lifetime: 900 minutes (15 h).
    cookie.expire = "900m";
    # Both secrets are deliberately null here: they are supplied through
    # the EnvironmentFile entries below instead of the generated config.
    cookie.secret = null;
    clientSecret = null;
    reverseProxy = true;
    httpAddress = "0.0.0.0:3000";
    redirectURL = "https://oauth2.${globals.domains.web}/oauth2/callback";
    # Surface identity headers to the calling reverse proxy.
    setXauthrequest = true;
    extraConfig = {
      # PKCE with the SHA-256 challenge method.
      code-challenge-method = "S256";
      # Post-login redirects are restricted to the web domain, which
      # keeps the `rd` parameter from becoming an open redirect.
      whitelist-domain = ".${globals.domains.web}";
      # NOTE(review): these two expose the id/access token in the
      # headers handed back to the reverse proxy; any vhost that
      # forwards them passes a bearer-usable token to its upstream —
      # confirm the consuming services actually need them.
      set-authorization-header = true;
      pass-access-token = true;
      # Requests carrying a JWT bearer token are accepted without a
      # session cookie after validation against the issuer.
      skip-jwt-bearer-tokens = true;
      # Auth-only mode: respond 202 for authenticated requests instead
      # of forwarding to an application upstream.
      upstream = "static://202";
      oidc-issuer-url = "https://auth.${globals.domains.web}/oauth2/openid/oauth2-proxy";
      provider-display-name = "Kanidm";
      # The client secret comes from oauth2-client-secret-env via
      # EnvironmentFile instead (see the comment on that secret).
      #client-secret-file = config.age.secrets.oauth2-client-secret.path;
    };
    provider = "oidc";
    scope = "openid email";
    loginURL = "https://auth.${globals.domains.web}/ui/oauth2";
    redeemURL = "https://auth.${globals.domains.web}/oauth2/token";
    validateURL = "https://auth.${globals.domains.web}/oauth2/openid/oauth2-proxy/userinfo";
    clientID = "oauth2-proxy";
    # Any authenticated email is accepted here; who may log in is
    # presumably decided on the Kanidm side (client/group assignment),
    # not by oauth2-proxy — verify that restriction exists.
    email.domains = [ "*" ];
  };
  systemd.services.oauth2-proxy.serviceConfig = {
    RuntimeDirectory = "oauth2-proxy";
    RuntimeDirectoryMode = "0750";
    UMask = "007"; # TODO remove once https://github.com/oauth2-proxy/oauth2-proxy/issues/2141 is fixed
    RestartSec = "60"; # Retry every minute
  };
  # Secrets are injected as environment variables so they never appear
  # in the rendered configuration.
  systemd.services.oauth2-proxy.serviceConfig.EnvironmentFile = [
    config.age.secrets.oauth2-cookie-secret.path
    config.age.secrets.oauth2-client-secret-env.path
  ];
  # Mirror the original oauth2 secret
  # NOTE(review): nothing in this file uses this secret's path (the
  # client-secret-file line above is commented out); unless another
  # module references it, it is deployed to this host for no reason.
  age.secrets.oauth2-client-secret = {
    inherit (nodes.elisabeth-kanidm.config.age.secrets.oauth2-proxy) rekeyFile;
    mode = "440";
    group = "oauth2-proxy";
  };
  # Mirror the original oauth2 secret, but prepend OAUTH2_PROXY_CLIENT_SECRET=
  # so it can be used as an EnvironmentFile
  # Using the normal secret file option does not work as
  # it includes the newline terminating the file which
  # makes kanidm reject the secret
  age.secrets.oauth2-client-secret-env = {
    # Regenerate whenever the Kanidm-side client secret changes.
    generator.dependencies = [ nodes.elisabeth-kanidm.config.age.secrets.oauth2-proxy ];
    generator.script =
      {
        lib,
        decrypt,
        deps,
        ...
      }:
      # `echo -n` keeps prefix and value on one line; the decrypted
      # dependency is the only entry in `deps`.
      ''
        echo -n "OAUTH2_PROXY_CLIENT_SECRET="
        ${decrypt} ${lib.escapeShellArg (lib.head deps).file}
      '';
    mode = "440";
    group = "oauth2-proxy";
  };
}