dex.nix (3118B)
1 { 2 config, 3 lib, 4 ... 5 }: let 6 cfg = config.services.haravara.dex; 7 in { 8 options.services.haravara.dex = { 9 enable = lib.mkEnableOption "Dex - Identity Provider"; 10 domain = lib.mkOption { 11 type = lib.types.str; 12 description = "Domain for the Dex instance"; 13 }; 14 adminEmail = lib.mkOption { 15 type = lib.types.str; 16 description = "Admin user email address"; 17 }; 18 adminPasswordHash = lib.mkOption { 19 type = lib.types.str; 20 description = "Bcrypt hash of the admin user password"; 21 }; 22 adminUsername = lib.mkOption { 23 type = lib.types.str; 24 default = "admin"; 25 description = "Admin user username"; 26 }; 27 adminUserID = lib.mkOption { 28 type = lib.types.str; 29 description = "Unique user ID for the admin account"; 30 }; 31 redirectURIs = lib.mkOption { 32 type = lib.types.listOf lib.types.str; 33 description = "List of allowed OIDC redirect URIs"; 34 }; 35 expiry = lib.mkOption { 36 type = lib.types.attrsOf lib.types.str; 37 default = {}; 38 description = "Token expiry configuration passed to Dex"; 39 }; 40 clientSecretFile = lib.mkOption { 41 type = lib.types.path; 42 description = "Path to the Dex OIDC client secret file"; 43 }; 44 address = lib.mkOption { 45 type = lib.types.str; 46 default = "127.0.0.1:5556"; 47 description = "Address for Dex to listen on"; 48 }; 49 telemetryAddress = lib.mkOption { 50 type = lib.types.str; 51 default = "127.0.0.1:5558"; 52 description = "Address for Dex telemetry endpoint"; 53 }; 54 }; 55 56 config = lib.mkIf cfg.enable { 57 services.dex = { 58 enable = true; 59 settings = 60 { 61 issuer = "https://${cfg.domain}"; 62 logger.level = "warn"; 63 64 storage = { 65 type = "sqlite3"; 66 config.file = "/var/lib/dex/dex.db"; 67 }; 68 69 web.http = cfg.address; 70 telemetry.http = cfg.telemetryAddress; 71 72 staticClients = [ 73 { 74 id = "caddy-proxy"; 75 inherit (cfg) redirectURIs; 76 name = "Caddy Auth Proxy"; 77 secretFile = cfg.clientSecretFile; 78 } 79 ]; 80 81 enablePasswordDB = true; 82 83 staticPasswords = [ 84 { 85 email = cfg.adminEmail; 86 hash = cfg.adminPasswordHash; 87 username = cfg.adminUsername; 88 userID = cfg.adminUserID; 89 } 90 ]; 91 } 92 // lib.optionalAttrs (cfg.expiry != {}) {inherit (cfg) expiry;}; 93 }; 94 95 systemd.services.dex.serviceConfig = { 96 KillSignal = "SIGINT"; 97 SuccessExitStatus = 2; 98 StateDirectory = "dex"; 99 StateDirectoryMode = "0700"; 100 }; 101 102 services.caddy.virtualHosts."${cfg.domain}".extraConfig = '' 103 header { 104 Strict-Transport-Security "max-age=31536000; includeSubDomains" 105 X-Content-Type-Options "nosniff" 106 X-Frame-Options "DENY" 107 Referrer-Policy "strict-origin-when-cross-origin" 108 -Server 109 } 110 111 reverse_proxy ${cfg.address} 112 ''; 113 }; 114 }