diff options
| author | Florian Klink <flokli@flokli.de> | 2023-07-01T22·35+0200 |
|---|---|---|
| committer | clbot <clbot@tvl.fyi> | 2023-07-01T23·35+0000 |
| commit | 5f42c8132d639c69955f400b8aa94a5ac31c6fb9 (patch) | |
| tree | c27f997ad49bba6c3b3b8e81e8e075e9076eb181 /ops/modules | |
| parent | 2aaabb709f6828f082672f9fcd4141a859efb778 (diff) | |
chore(ops/modules): remove oauth2_proxy module r/6381
This was dropped from whitby itself in cl/8905, but didn't drop the module because we were worried someone else might still be using it. However, this relies on the "oauth2-proxy" client ID, which only has the following supported redirect uris (as per ops/keycloak/clients.tf): - https://login.tvl.fyi/oauth2/callback - http://localhost:4774/oauth2/callback … which means, noone can really run this properly anyways, so let's drop it. We can always restore it from git. Change-Id: I7d700f59a62cce1254ad4ba0792a7d7b3960b769 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8913 Reviewed-by: sterni <sternenseemann@systemli.org> Tested-by: BuildkiteCI Autosubmit: flokli <flokli@flokli.de>
Diffstat (limited to 'ops/modules')
| -rw-r--r-- | ops/modules/oauth2_proxy.nix | 60 |
1 files changed, 0 insertions, 60 deletions
diff --git a/ops/modules/oauth2_proxy.nix b/ops/modules/oauth2_proxy.nix deleted file mode 100644 index 53dec452ec83..000000000000 --- a/ops/modules/oauth2_proxy.nix +++ /dev/null @@ -1,60 +0,0 @@ -# Configuration for oauth2_proxy, which is used as a handler for nginx -# auth-request setups. -# -# This module exports a helper function at -# `config.services.depot.oauth2_proxy.withAuth` that can be wrapped -# around nginx server configuration blocks to configure their -# authentication setup. -{ config, depot, pkgs, lib, ... }: - -let - description = "OAuth2 proxy to authenticate TVL services"; - cfg = config.services.depot.oauth2_proxy; - configFile = pkgs.writeText "oauth2_proxy.cfg" '' - email_domains = [ "*" ] - http_address = "127.0.0.1:${toString cfg.port}" - provider = "keycloak-oidc" - client_id = "oauth2-proxy" - oidc_issuer_url = "https://auth.tvl.fyi/auth/realms/TVL" - reverse_proxy = true - set_xauthrequest = true - ''; - - # Depend on the Keycloak service if it is running on the same - # machine. - depends_on = lib.optional config.services.keycloak.enable "keycloak.service"; -in -{ - options.services.depot.oauth2_proxy = { - enable = lib.mkEnableOption description; - - port = lib.mkOption { - description = "Port to listen on"; - type = lib.types.int; - default = 2884; # "auth" - }; - - secretsFile = lib.mkOption { - type = lib.types.str; - description = "EnvironmentFile from which to load secrets"; - default = config.age.secretsDir + "/oauth2_proxy"; - }; - }; - - config = lib.mkIf cfg.enable { - systemd.services.oauth2_proxy = { - inherit description; - after = depends_on; - wants = depends_on; - wantedBy = [ "multi-user.target" ]; - - serviceConfig = { - Restart = "always"; - RestartSec = "5s"; - DynamicUser = true; - EnvironmentFile = cfg.secretsFile; - ExecStart = "${pkgs.oauth2-proxy}/bin/oauth2-proxy --config ${configFile}"; - }; - }; - }; -} |