feat(ops): Add initial oauth2_proxy configuration r/3518

The intent is to configure oauth2_proxy pointing at Keycloak to enable
usage with nginx auth_request directives.

I want to expose this as a function from within the module in which
nginx server configuration blocks can be wrapped, but the function for
that is currently a placeholder.

Change-Id: I5ed7deb9bf1c62818f516e68c33e8c5b632fccfe
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4767
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>

4 files changed, 58 insertions, 0 deletions

diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 28d7cf381d..f9a546f7ed 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -13,6 +13,7 @@ in {
     "${depot.path}/ops/modules/irccat.nix"
     "${depot.path}/ops/modules/monorepo-gerrit.nix"
     "${depot.path}/ops/modules/nixery.nix"
+    "${depot.path}/ops/modules/oauth2_proxy.nix"
     "${depot.path}/ops/modules/owothia.nix"
     "${depot.path}/ops/modules/panettone.nix"
     "${depot.path}/ops/modules/paroxysm.nix"
@@ -211,6 +212,7 @@ in {
       irccat.file = secretFile "irccat";
       keycloak-db.file = secretFile "keycloak-db";
       nix-cache-priv.file = secretFile "nix-cache-priv";
+      oauth2_proxy.file = secretFile "oauth2_proxy";
       owothia.file = secretFile "owothia";
       panettone.file = secretFile "panettone";
       smtprelay.file = secretFile "smtprelay";
@@ -396,6 +398,9 @@ in {
 
     # Run autosubmit bot for Gerrit
     gerrit-queue.enable = true;
+
+    # Run oauth2_proxy for internal service auth
+    oauth2_proxy.enable = true;
   };
 
   services.postgresql = {
diff --git a/ops/modules/oauth2_proxy.nix b/ops/modules/oauth2_proxy.nix
new file mode 100644
index 0000000000..612c8197d8
--- /dev/null
+++ b/ops/modules/oauth2_proxy.nix
@@ -0,0 +1,52 @@
+# Configuration for oauth2_proxy, which is used as a handler for nginx
+# auth-request setups.
+#
+# This module exports a helper function at
+# `config.services.depot.oauth2_proxy.withAuth` that can be wrapped
+# around nginx server configuration blocks to configure their
+# authentication setup.
+{ config, depot, pkgs, lib, ... }:
+
+let
+  description = "OAuth2 proxy to authenticate TVL services";
+  cfg = config.services.depot.oauth2_proxy;
+  configFile = pkgs.writeText "oauth2_proxy.cfg" ''
+    email_domains = [ "*" ]
+    http_address = "127.0.0.1:${toString cfg.port}"
+    provider = "keycloak-oidc"
+    client_id = "oauth2-proxy"
+    oidc_issuer_url = "https://auth.tvl.fyi/auth/realms/TVL"
+    reverse_proxy = true
+    set_xauthrequest = true
+  '';
+in {
+  options.services.depot.oauth2_proxy = {
+    enable = lib.mkEnableOption description;
+
+    port = lib.mkOption {
+      description = "Port to listen on";
+      type = lib.types.int;
+      default = 2884; # "auth"
+    };
+
+    secretsFile = lib.mkOption {
+      type = lib.types.str;
+      description = "EnvironmentFile from which to load secrets";
+      default = "/run/agenix/oauth2_proxy";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.oauth2_proxy2 = {
+      inherit description;
+      wantedBy = [ "multi-user.target" ];
+
+      serviceConfig = {
+        Restart = "always";
+        DynamicUser = true;
+        EnvironmentFile = cfg.secretsFile;
+        ExecStart = "${pkgs.oauth2_proxy}/bin/oauth2-proxy --config ${configFile}";
+      };
+    };
+  };
+}
diff --git a/ops/secrets/oauth2_proxy.age b/ops/secrets/oauth2_proxy.age
new file mode 100644
index 0000000000..2d1ab486e7
--- /dev/null
+++ b/ops/secrets/oauth2_proxy.age
Binary files differdiff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix
index 921e36e6c6..53f0d39318 100644
--- a/ops/secrets/secrets.nix
+++ b/ops/secrets/secrets.nix
@@ -28,6 +28,7 @@ in {
   "keycloak-db.age" = default;
   "nix-cache-priv.age" = default;
   "nix-cache-pub.age" = default;
+  "oauth2_proxy.age" = default;
   "owothia.age" = default;
   "panettone.age" = default;
   "smtprelay.age" = default;