oauth2-proxy.nix (2474B)
1 { 2 config, 3 lib, 4 ... 5 }: let 6 cfg = config.services.haravara.oauth2-proxy; 7 in { 8 options.services.haravara.oauth2-proxy = { 9 enable = lib.mkEnableOption "OAuth2 Proxy for OIDC authentication"; 10 domains = lib.mkOption { 11 type = lib.types.listOf lib.types.str; 12 description = "List of domains to serve the OAuth2 proxy on"; 13 }; 14 cookieDomains = lib.mkOption { 15 type = lib.types.listOf lib.types.str; 16 description = "List of domains for the OAuth2 proxy cookie"; 17 }; 18 oidcIssuer = lib.mkOption { 19 type = lib.types.str; 20 description = "OIDC issuer URL for the upstream identity provider"; 21 }; 22 port = lib.mkOption { 23 type = lib.types.port; 24 default = 4180; 25 description = "Port for OAuth2 Proxy to listen on"; 26 }; 27 clientSecretFile = lib.mkOption { 28 type = lib.types.path; 29 description = "Path to the OAuth2 Proxy client secret file"; 30 }; 31 cookieSecretFile = lib.mkOption { 32 type = lib.types.path; 33 description = "Path to the OAuth2 Proxy cookie secret file"; 34 }; 35 }; 36 37 config = lib.mkIf cfg.enable { 38 services.oauth2-proxy = { 39 enable = true; 40 trustedProxyIP = ["127.0.0.1" "::1"]; 41 provider = "oidc"; 42 clientID = "caddy-proxy"; 43 inherit (cfg) clientSecretFile; 44 cookie = { 45 name = "_oauth2_proxy"; 46 secretFile = cfg.cookieSecretFile; 47 domain = lib.concatStringsSep "," cfg.cookieDomains; 48 expire = "24h"; 49 refresh = "0h"; 50 }; 51 52 scope = "openid email profile"; 53 email.domains = ["*"]; 54 extraConfig = { 55 insecure-oidc-skip-issuer-verification = "true"; 56 code-challenge-method = "S256"; 57 whitelist-domain = lib.concatStringsSep "," cfg.cookieDomains; 58 http-address = "127.0.0.1:${toString cfg.port}"; 59 set-xauthrequest = "true"; 60 pass-user-headers = "true"; 61 insecure-oidc-allow-unverified-email = "true"; 62 skip-provider-button = "true"; 63 cookie-samesite = "lax"; 64 cookie-secure = "true"; 65 cookie-expire = "24h"; 66 cookie-refresh = "0h"; 67 }; 68 reverseProxy = true; 69 oidcIssuerUrl = cfg.oidcIssuer; 70 }; 71 72 services.caddy.virtualHosts = lib.genAttrs cfg.domains (_: { 73 extraConfig = '' 74 reverse_proxy 127.0.0.1:${toString cfg.port} 75 ''; 76 }); 77 78 systemd.services.oauth2-proxy = { 79 after = ["dex.service"]; 80 requires = ["dex.service"]; 81 }; 82 }; 83 }