about summary refs log tree commit diff
path: root/ops/modules/oauth2_proxy.nix
diff options
context:
space:
mode:
authorFlorian Klink <flokli@flokli.de>2023-07-01T22·35+0200
committerclbot <clbot@tvl.fyi>2023-07-01T23·35+0000
commit5f42c8132d639c69955f400b8aa94a5ac31c6fb9 (patch)
treec27f997ad49bba6c3b3b8e81e8e075e9076eb181 /ops/modules/oauth2_proxy.nix
parent2aaabb709f6828f082672f9fcd4141a859efb778 (diff)
chore(ops/modules): remove oauth2_proxy module r/6381
This was dropped from whitby itself in cl/8905, but didn't drop the
module because we were worried someone else might still be using it.

However, this relies on the "oauth2-proxy" client ID, which only has the
following supported redirect uris (as per ops/keycloak/clients.tf):

 - https://login.tvl.fyi/oauth2/callback
 - http://localhost:4774/oauth2/callback

… which means, noone can really run this properly anyways, so let's
drop it.

We can always restore it from git.

Change-Id: I7d700f59a62cce1254ad4ba0792a7d7b3960b769
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8913
Reviewed-by: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
Autosubmit: flokli <flokli@flokli.de>
Diffstat (limited to 'ops/modules/oauth2_proxy.nix')
-rw-r--r--ops/modules/oauth2_proxy.nix60
1 files changed, 0 insertions, 60 deletions
diff --git a/ops/modules/oauth2_proxy.nix b/ops/modules/oauth2_proxy.nix
deleted file mode 100644
index 53dec452ec83..000000000000
--- a/ops/modules/oauth2_proxy.nix
+++ /dev/null
@@ -1,60 +0,0 @@
-# Configuration for oauth2_proxy, which is used as a handler for nginx
-# auth-request setups.
-#
-# This module exports a helper function at
-# `config.services.depot.oauth2_proxy.withAuth` that can be wrapped
-# around nginx server configuration blocks to configure their
-# authentication setup.
-{ config, depot, pkgs, lib, ... }:
-
-let
-  description = "OAuth2 proxy to authenticate TVL services";
-  cfg = config.services.depot.oauth2_proxy;
-  configFile = pkgs.writeText "oauth2_proxy.cfg" ''
-    email_domains = [ "*" ]
-    http_address = "127.0.0.1:${toString cfg.port}"
-    provider = "keycloak-oidc"
-    client_id = "oauth2-proxy"
-    oidc_issuer_url = "https://auth.tvl.fyi/auth/realms/TVL"
-    reverse_proxy = true
-    set_xauthrequest = true
-  '';
-
-  # Depend on the Keycloak service if it is running on the same
-  # machine.
-  depends_on = lib.optional config.services.keycloak.enable "keycloak.service";
-in
-{
-  options.services.depot.oauth2_proxy = {
-    enable = lib.mkEnableOption description;
-
-    port = lib.mkOption {
-      description = "Port to listen on";
-      type = lib.types.int;
-      default = 2884; # "auth"
-    };
-
-    secretsFile = lib.mkOption {
-      type = lib.types.str;
-      description = "EnvironmentFile from which to load secrets";
-      default = config.age.secretsDir + "/oauth2_proxy";
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    systemd.services.oauth2_proxy = {
-      inherit description;
-      after = depends_on;
-      wants = depends_on;
-      wantedBy = [ "multi-user.target" ];
-
-      serviceConfig = {
-        Restart = "always";
-        RestartSec = "5s";
-        DynamicUser = true;
-        EnvironmentFile = cfg.secretsFile;
-        ExecStart = "${pkgs.oauth2-proxy}/bin/oauth2-proxy --config ${configFile}";
-      };
-    };
-  };
-}