nix

configuration files that power my machines
Log | Files | Refs | README | LICENSE

oauth2-proxy.nix (2474B)


      1 {
      2   config,
      3   lib,
      4   ...
      5 }: let
      6   cfg = config.services.haravara.oauth2-proxy;
      7 in {
      8   options.services.haravara.oauth2-proxy = {
      9     enable = lib.mkEnableOption "OAuth2 Proxy for OIDC authentication";
     10     domains = lib.mkOption {
     11       type = lib.types.listOf lib.types.str;
     12       description = "List of domains to serve the OAuth2 proxy on";
     13     };
     14     cookieDomains = lib.mkOption {
     15       type = lib.types.listOf lib.types.str;
     16       description = "List of domains for the OAuth2 proxy cookie";
     17     };
     18     oidcIssuer = lib.mkOption {
     19       type = lib.types.str;
     20       description = "OIDC issuer URL for the upstream identity provider";
     21     };
     22     port = lib.mkOption {
     23       type = lib.types.port;
     24       default = 4180;
     25       description = "Port for OAuth2 Proxy to listen on";
     26     };
     27     clientSecretFile = lib.mkOption {
     28       type = lib.types.path;
     29       description = "Path to the OAuth2 Proxy client secret file";
     30     };
     31     cookieSecretFile = lib.mkOption {
     32       type = lib.types.path;
     33       description = "Path to the OAuth2 Proxy cookie secret file";
     34     };
     35   };
     36 
     37   config = lib.mkIf cfg.enable {
     38     services.oauth2-proxy = {
     39       enable = true;
     40       trustedProxyIP = ["127.0.0.1" "::1"];
     41       provider = "oidc";
     42       clientID = "caddy-proxy";
     43       inherit (cfg) clientSecretFile;
     44       cookie = {
     45         name = "_oauth2_proxy";
     46         secretFile = cfg.cookieSecretFile;
     47         domain = lib.concatStringsSep "," cfg.cookieDomains;
     48         expire = "24h";
     49         refresh = "0h";
     50       };
     51 
     52       scope = "openid email profile";
     53       email.domains = ["*"];
     54       extraConfig = {
     55         insecure-oidc-skip-issuer-verification = "true";
     56         code-challenge-method = "S256";
     57         whitelist-domain = lib.concatStringsSep "," cfg.cookieDomains;
     58         http-address = "127.0.0.1:${toString cfg.port}";
     59         set-xauthrequest = "true";
     60         pass-user-headers = "true";
     61         insecure-oidc-allow-unverified-email = "true";
     62         skip-provider-button = "true";
     63         cookie-samesite = "lax";
     64         cookie-secure = "true";
     65         cookie-expire = "24h";
     66         cookie-refresh = "0h";
     67       };
     68       reverseProxy = true;
     69       oidcIssuerUrl = cfg.oidcIssuer;
     70     };
     71 
     72     services.caddy.virtualHosts = lib.genAttrs cfg.domains (_: {
     73       extraConfig = ''
     74         reverse_proxy 127.0.0.1:${toString cfg.port}
     75       '';
     76     });
     77 
     78     systemd.services.oauth2-proxy = {
     79       after = ["dex.service"];
     80       requires = ["dex.service"];
     81     };
     82   };
     83 }