nixpkgs/nixos/modules/services/security/oauth2_proxy_nginx.nix

{ config, lib, ... }:
with lib;
let
  cfg = config.services.oauth2_proxy.nginx;
in
{
  options.services.oauth2_proxy.nginx = {
    proxy = mkOption {
      type = types.string;
      default = config.services.oauth2_proxy.httpAddress;
      description = ''
        The address of the reverse proxy endpoint for oauth2_proxy
      '';
    };
    virtualHosts = mkOption {
      type = types.listOf types.string;
      default = [];
      description = ''
        A list of nginx virtual hosts to put behind the oauth2 proxy
      '';
    };
  };
  config.services.oauth2_proxy = mkIf (cfg.virtualHosts != [] && (hasPrefix "127.0.0.1:" cfg.proxy)) {
    enable = true;
  };
  config.services.nginx = mkMerge ((optional (cfg.virtualHosts != []) {
    recommendedProxySettings = true; # needed because duplicate headers
  }) ++ (map (vhost: {
    virtualHosts.${vhost} = {
      locations."/oauth2/" = {
        proxyPass = cfg.proxy;
        extraConfig = ''
          proxy_set_header X-Scheme                $scheme;
          proxy_set_header X-Auth-Request-Redirect $request_uri;
        '';
      };
      locations."/oauth2/auth" = {
        proxyPass = cfg.proxy;
        extraConfig = ''
          proxy_set_header X-Scheme         $scheme;
          # nginx auth_request includes headers but not body
          proxy_set_header Content-Length   "";
          proxy_pass_request_body           off;
        '';
      };
      locations."/".extraConfig = ''
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;

        # pass information via X-User and X-Email headers to backend,
        # requires running with --set-xauthrequest flag
        auth_request_set $user   $upstream_http_x_auth_request_user;
        auth_request_set $email  $upstream_http_x_auth_request_email;
        proxy_set_header X-User  $user;
        proxy_set_header X-Email $email;

        # if you enabled --cookie-refresh, this is needed for it to work with auth_request
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;
      '';

    };
  }) cfg.virtualHosts));
}
[bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00			`{ config, lib, ... }:`
oauth2_proxy: add nginx vhost module 2018-06-29 15:36:03 +01:00			`with lib;`
			`let`
			`cfg = config.services.oauth2_proxy.nginx;`
			`in`
			`{`
			`options.services.oauth2_proxy.nginx = {`
			`proxy = mkOption {`
			`type = types.string;`
			`default = config.services.oauth2_proxy.httpAddress;`
fixup! oauth2_proxy: add nginx vhost module 2018-06-29 16:23:24 +01:00			`description = ''`
			`The address of the reverse proxy endpoint for oauth2_proxy`
			`'';`
oauth2_proxy: add nginx vhost module 2018-06-29 15:36:03 +01:00			`};`
			`virtualHosts = mkOption {`
			`type = types.listOf types.string;`
			`default = [];`
fixup! oauth2_proxy: add nginx vhost module 2018-06-29 16:23:24 +01:00			`description = ''`
			`A list of nginx virtual hosts to put behind the oauth2 proxy`
			`'';`
oauth2_proxy: add nginx vhost module 2018-06-29 15:36:03 +01:00			`};`
			`};`
			`config.services.oauth2_proxy = mkIf (cfg.virtualHosts != [] && (hasPrefix "127.0.0.1:" cfg.proxy)) {`
			`enable = true;`
			`};`
			`config.services.nginx = mkMerge ((optional (cfg.virtualHosts != []) {`
			`recommendedProxySettings = true; # needed because duplicate headers`
			`}) ++ (map (vhost: {`
			`virtualHosts.${vhost} = {`
			`locations."/oauth2/" = {`
			`proxyPass = cfg.proxy;`
			`extraConfig = ''`
			`proxy_set_header X-Scheme $scheme;`
			`proxy_set_header X-Auth-Request-Redirect $request_uri;`
			`'';`
			`};`
			`locations."/oauth2/auth" = {`
			`proxyPass = cfg.proxy;`
			`extraConfig = ''`
			`proxy_set_header X-Scheme $scheme;`
			`# nginx auth_request includes headers but not body`
			`proxy_set_header Content-Length "";`
			`proxy_pass_request_body off;`
			`'';`
			`};`
			`locations."/".extraConfig = ''`
			`auth_request /oauth2/auth;`
			`error_page 401 = /oauth2/sign_in;`

			`# pass information via X-User and X-Email headers to backend,`
			`# requires running with --set-xauthrequest flag`
			`auth_request_set $user $upstream_http_x_auth_request_user;`
			`auth_request_set $email $upstream_http_x_auth_request_email;`
			`proxy_set_header X-User $user;`
			`proxy_set_header X-Email $email;`

			`# if you enabled --cookie-refresh, this is needed for it to work with auth_request`
			`auth_request_set $auth_cookie $upstream_http_set_cookie;`
			`add_header Set-Cookie $auth_cookie;`
			`'';`

			`};`
			`}) cfg.virtualHosts));`
			`}`