Merge pull request #306938 from K900/oauth2-proxy-parametrized
nixos/oauth2_proxy_nginx: allow passing parameters to auth endpoint
This commit is contained in:
commit
f13d09e539
|
@ -25,10 +25,41 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
virtualHosts = mkOption {
|
virtualHosts = mkOption {
|
||||||
type = types.listOf types.str;
|
type = let
|
||||||
default = [];
|
vhostSubmodule = types.submodule {
|
||||||
|
options = {
|
||||||
|
allowed_groups = mkOption {
|
||||||
|
type = types.nullOr (types.listOf types.str);
|
||||||
|
description = "List of groups to allow access to this vhost, or null to allow all.";
|
||||||
|
default = null;
|
||||||
|
};
|
||||||
|
allowed_emails = mkOption {
|
||||||
|
type = types.nullOr (types.listOf types.str);
|
||||||
|
description = "List of emails to allow access to this vhost, or null to allow all.";
|
||||||
|
default = null;
|
||||||
|
};
|
||||||
|
allowed_email_domains = mkOption {
|
||||||
|
type = types.nullOr (types.listOf types.str);
|
||||||
|
description = "List of email domains to allow access to this vhost, or null to allow all.";
|
||||||
|
default = null;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
oldType = types.listOf types.str;
|
||||||
|
convertFunc = x:
|
||||||
|
lib.warn "services.oauth2_proxy.nginx.virtualHosts should be an attrset, found ${lib.generators.toPretty {} x}"
|
||||||
|
lib.genAttrs x (_: {});
|
||||||
|
newType = types.attrsOf vhostSubmodule;
|
||||||
|
in types.coercedTo oldType convertFunc newType;
|
||||||
|
default = {};
|
||||||
|
example = {
|
||||||
|
"protected.foo.com" = {
|
||||||
|
allowed_groups = ["admins"];
|
||||||
|
allowed_emails = ["boss@foo.com"];
|
||||||
|
};
|
||||||
|
};
|
||||||
description = ''
|
description = ''
|
||||||
A list of nginx virtual hosts to put behind the oauth2 proxy.
|
Nginx virtual hosts to put behind the oauth2 proxy.
|
||||||
You can exclude specific locations by setting `auth_request off;` in the locations extraConfig setting.
|
You can exclude specific locations by setting `auth_request off;` in the locations extraConfig setting.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
@ -50,11 +81,20 @@ in
|
||||||
}
|
}
|
||||||
] ++ optional (cfg.virtualHosts != []) {
|
] ++ optional (cfg.virtualHosts != []) {
|
||||||
recommendedProxySettings = true; # needed because duplicate headers
|
recommendedProxySettings = true; # needed because duplicate headers
|
||||||
} ++ (map (vhost: {
|
} ++ (lib.mapAttrsToList (vhost: conf: {
|
||||||
virtualHosts.${vhost} = {
|
virtualHosts.${vhost} = {
|
||||||
locations = {
|
locations = {
|
||||||
"/oauth2/auth" = {
|
"/oauth2/auth" = let
|
||||||
proxyPass = cfg.proxy;
|
maybeQueryArg = name: value:
|
||||||
|
if value == null then null
|
||||||
|
else "${name}=${lib.concatStringsSep "," value}";
|
||||||
|
allArgs = lib.mapAttrsToList maybeQueryArg conf;
|
||||||
|
cleanArgs = builtins.map lib.escapeURL (builtins.filter (x: x != null) allArgs);
|
||||||
|
cleanArgsStr = lib.concatStringsSep "&" cleanArgs;
|
||||||
|
in {
|
||||||
|
# nginx doesn't support passing query string arguments to auth_request,
|
||||||
|
# so pass them here instead
|
||||||
|
proxyPass = "${cfg.proxy}/oauth2/auth?${cleanArgsStr}";
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
auth_request off;
|
auth_request off;
|
||||||
proxy_set_header X-Scheme $scheme;
|
proxy_set_header X-Scheme $scheme;
|
||||||
|
|
Loading…
Reference in New Issue
Block a user