Merge pull request #306938 from K900/oauth2-proxy-parametrized

nixos/oauth2_proxy_nginx: allow passing parameters to auth endpoint
This commit is contained in:
K900 2024-04-26 16:05:13 +03:00 committed by GitHub
commit f13d09e539
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

View File

@ -25,10 +25,41 @@ in
};
virtualHosts = mkOption {
type = types.listOf types.str;
default = [];
type = let
vhostSubmodule = types.submodule {
options = {
allowed_groups = mkOption {
type = types.nullOr (types.listOf types.str);
description = "List of groups to allow access to this vhost, or null to allow all.";
default = null;
};
allowed_emails = mkOption {
type = types.nullOr (types.listOf types.str);
description = "List of emails to allow access to this vhost, or null to allow all.";
default = null;
};
allowed_email_domains = mkOption {
type = types.nullOr (types.listOf types.str);
description = "List of email domains to allow access to this vhost, or null to allow all.";
default = null;
};
};
};
oldType = types.listOf types.str;
convertFunc = x:
lib.warn "services.oauth2_proxy.nginx.virtualHosts should be an attrset, found ${lib.generators.toPretty {} x}"
lib.genAttrs x (_: {});
newType = types.attrsOf vhostSubmodule;
in types.coercedTo oldType convertFunc newType;
default = {};
example = {
"protected.foo.com" = {
allowed_groups = ["admins"];
allowed_emails = ["boss@foo.com"];
};
};
description = ''
A list of nginx virtual hosts to put behind the oauth2 proxy.
Nginx virtual hosts to put behind the oauth2 proxy.
You can exclude specific locations by setting `auth_request off;` in the locations extraConfig setting.
'';
};
@ -50,11 +81,20 @@ in
}
] ++ optional (cfg.virtualHosts != []) {
recommendedProxySettings = true; # needed because duplicate headers
} ++ (map (vhost: {
} ++ (lib.mapAttrsToList (vhost: conf: {
virtualHosts.${vhost} = {
locations = {
"/oauth2/auth" = {
proxyPass = cfg.proxy;
"/oauth2/auth" = let
maybeQueryArg = name: value:
if value == null then null
else "${name}=${lib.concatStringsSep "," value}";
allArgs = lib.mapAttrsToList maybeQueryArg conf;
cleanArgs = builtins.map lib.escapeURL (builtins.filter (x: x != null) allArgs);
cleanArgsStr = lib.concatStringsSep "&" cleanArgs;
in {
# nginx doesn't support passing query string arguments to auth_request,
# so pass them here instead
proxyPass = "${cfg.proxy}/oauth2/auth?${cleanArgsStr}";
extraConfig = ''
auth_request off;
proxy_set_header X-Scheme $scheme;