diff options
Diffstat (limited to 'ops/modules/oauth2_proxy.nix')
| -rw-r--r-- | ops/modules/oauth2_proxy.nix | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/ops/modules/oauth2_proxy.nix b/ops/modules/oauth2_proxy.nix new file mode 100644 index 0000000000..23afa7bce0 --- /dev/null +++ b/ops/modules/oauth2_proxy.nix @@ -0,0 +1,60 @@ +# Configuration for oauth2_proxy, which is used as a handler for nginx +# auth-request setups. +# +# This module exports a helper function at +# `config.services.depot.oauth2_proxy.withAuth` that can be wrapped +# around nginx server configuration blocks to configure their +# authentication setup. +{ config, depot, pkgs, lib, ... }: + +let + description = "OAuth2 proxy to authenticate TVL services"; + cfg = config.services.depot.oauth2_proxy; + configFile = pkgs.writeText "oauth2_proxy.cfg" '' + email_domains = [ "*" ] + http_address = "127.0.0.1:${toString cfg.port}" + provider = "keycloak-oidc" + client_id = "oauth2-proxy" + oidc_issuer_url = "https://auth.tvl.fyi/auth/realms/TVL" + reverse_proxy = true + set_xauthrequest = true + ''; + + # Depend on the Keycloak service if it is running on the same + # machine. + depends_on = lib.optional config.services.keycloak.enable "keycloak.service"; +in +{ + options.services.depot.oauth2_proxy = { + enable = lib.mkEnableOption description; + + port = lib.mkOption { + description = "Port to listen on"; + type = lib.types.int; + default = 2884; # "auth" + }; + + secretsFile = lib.mkOption { + type = lib.types.str; + description = "EnvironmentFile from which to load secrets"; + default = config.age.secretsDir + "/oauth2_proxy"; + }; + }; + + config = lib.mkIf cfg.enable { + systemd.services.oauth2_proxy = { + inherit description; + after = depends_on; + wants = depends_on; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + Restart = "always"; + RestartSec = "5s"; + DynamicUser = true; + EnvironmentFile = cfg.secretsFile; + ExecStart = "${pkgs.oauth2_proxy}/bin/oauth2-proxy --config ${configFile}"; + }; + }; + }; +} |