nixos/oauth2-proxy{,-nginx}: renamed from oauth2_proxy, also renamed the service, user, group

This commit is contained in:
Sandro Jäckel 2023-12-10 01:04:55 +01:00
parent 2cf2f3a306
commit 34f87f3981
No known key found for this signature in database
GPG key ID: 3AF5A43A3EECC2E5
4 changed files with 31 additions and 29 deletions


@ -391,6 +391,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
- `services.zope2` has been removed as `zope2` is unmaintained and was relying on Python2.
- `services.oauth2_proxy` was renamed to `services.oauth2-proxy`. Also the corresponding service, user and group were renamed.
- `services.avahi.nssmdns` got split into `services.avahi.nssmdns4` and `services.avahi.nssmdns6` which enable the mDNS NSS switch for IPv4 and IPv6 respectively.
Since most mDNS responders only register IPv4 addresses, most users want to keep the IPv6 support disabled to avoid long timeouts.


@ -1256,8 +1256,8 @@
./services/security/kanidm.nix
./services/security/munge.nix
./services/security/nginx-sso.nix
./services/security/oauth2_proxy.nix
./services/security/oauth2_proxy_nginx.nix
./services/security/oauth2-proxy.nix
./services/security/oauth2-proxy-nginx.nix
./services/security/opensnitch.nix
./services/security/pass-secret-service.nix
./services/security/physlock.nix


@ -1,26 +1,26 @@
{ config, lib, ... }:
with lib;
let
cfg = config.services.oauth2_proxy.nginx;
cfg = config.services.oauth2-proxy.nginx;
in
{
options.services.oauth2_proxy.nginx = {
options.services.oauth2-proxy.nginx = {
proxy = mkOption {
type = types.str;
default = config.services.oauth2_proxy.httpAddress;
defaultText = literalExpression "config.services.oauth2_proxy.httpAddress";
default = config.services.oauth2-proxy.httpAddress;
defaultText = literalExpression "config.services.oauth2-proxy.httpAddress";
description = ''
The address of the reverse proxy endpoint for oauth2_proxy
The address of the reverse proxy endpoint for oauth2-proxy
'';
};
domain = mkOption {
type = types.str;
description = ''
The domain under which the oauth2_proxy will be accesible and the path of cookies are set to.
The domain under which the oauth2-proxy will be accesible and the path of cookies are set to.
This setting must be set to ensure back-redirects are working properly
if oauth2-proxy is configured with {option}`services.oauth2_proxy.cookie.domain`
or multiple {option}`services.oauth2_proxy.nginx.virtualHosts` that are not on the same domain.
if oauth2-proxy is configured with {option}`services.oauth2-proxy.cookie.domain`
or multiple {option}`services.oauth2-proxy.nginx.virtualHosts` that are not on the same domain.
'';
};
@ -47,7 +47,7 @@ in
};
oldType = types.listOf types.str;
convertFunc = x:
lib.warn "services.oauth2_proxy.nginx.virtualHosts should be an attrset, found ${lib.generators.toPretty {} x}"
lib.warn "services.oauth2-proxy.nginx.virtualHosts should be an attrset, found ${lib.generators.toPretty {} x}"
lib.genAttrs x (_: {});
newType = types.attrsOf vhostSubmodule;
in types.coercedTo oldType convertFunc newType;
@ -65,11 +65,11 @@ in
};
};
config.services.oauth2_proxy = mkIf (cfg.virtualHosts != [] && (hasPrefix "127.0.0.1:" cfg.proxy)) {
config.services.oauth2-proxy = mkIf (cfg.virtualHosts != [] && (hasPrefix "127.0.0.1:" cfg.proxy)) {
enable = true;
};
config.services.nginx = mkIf (cfg.virtualHosts != [] && config.services.oauth2_proxy.enable) (mkMerge ([
config.services.nginx = mkIf (cfg.virtualHosts != [] && config.services.oauth2-proxy.enable) (mkMerge ([
{
virtualHosts.${cfg.domain}.locations."/oauth2/" = {
proxyPass = cfg.proxy;
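Review bot: The renamed lines `config.services.oauth2-proxy = mkIf (cfg.virtualHosts != [] && ...)` and `config.services.nginx = mkIf (cfg.virtualHosts != [] && ...)` compare against an empty list, but the option's type is `types.coercedTo oldType convertFunc newType` with `newType = types.attrsOf vhostSubmodule`, so the evaluated value is always an attribute set and `!= []` is always true. I cannot see the option's default here, but if it is `{}` the emptiness guard is only effective through the `hasPrefix "127.0.0.1:" cfg.proxy` and `config.services.oauth2-proxy.enable` tests that follow it. Since both lines are touched by this commit anyway, they could read `mkIf (cfg.virtualHosts != {} && (hasPrefix "127.0.0.1:" cfg.proxy))` and `mkIf (cfg.virtualHosts != {} && config.services.oauth2-proxy.enable)`. The rewritten description line in the first hunk also still carries the typo `accesible`. The enclosing module attribute set continues past the end of this hunk.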


@ -1,15 +1,13 @@
# NixOS module for oauth2_proxy.
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.oauth2_proxy;
cfg = config.services.oauth2-proxy;
# oauth2_proxy provides many options that are only relevant if you are using
# oauth2-proxy provides many options that are only relevant if you are using
# a certain provider. This set maps from provider name to a function that
# takes the configuration and returns a string that can be inserted into the
# command-line to launch oauth2_proxy.
# command-line to launch oauth2-proxy.
providerSpecificOptions = {
azure = cfg: {
azure-tenant = cfg.azure.tenant;
@ -85,8 +83,8 @@ let
configString = concatStringsSep " " (mapAttrsToList mapConfig allConfig);
in
{
options.services.oauth2_proxy = {
enable = mkEnableOption "oauth2_proxy";
options.services.oauth2-proxy = {
enable = mkEnableOption "oauth2-proxy";
package = mkPackageOption pkgs "oauth2-proxy" { };
@ -557,28 +555,30 @@ in
OAUTH2_PROXY_CLIENT_SECRET=asdfasdfasdf.apps.googleuserscontent.com
and specify the path here.
'';
example = "/run/keys/oauth2_proxy";
example = "/run/keys/oauth2-proxy";
};
};
config = mkIf cfg.enable {
imports = [
(mkRenamedOptionModule [ "services" "oauth2_proxy" ] [ "services" "oauth2-proxy" ])
];
services.oauth2_proxy = mkIf (cfg.keyFile != null) {
config = mkIf cfg.enable {
services.oauth2-proxy = mkIf (cfg.keyFile != null) {
clientID = mkDefault null;
clientSecret = mkDefault null;
cookie.secret = mkDefault null;
};
users.users.oauth2_proxy = {
users.users.oauth2-proxy = {
description = "OAuth2 Proxy";
isSystemUser = true;
group = "oauth2_proxy";
group = "oauth2-proxy";
};
users.groups.oauth2_proxy = {};
users.groups.oauth2-proxy = {};
systemd.services.oauth2_proxy = {
systemd.services.oauth2-proxy = {
description = "OAuth2 Proxy";
path = [ cfg.package ];
wantedBy = [ "multi-user.target" ];
@ -586,7 +586,7 @@ in
after = [ "network-online.target" ];
serviceConfig = {
User = "oauth2_proxy";
User = "oauth2-proxy";
Restart = "always";
ExecStart = "${cfg.package}/bin/oauth2-proxy ${configString}";
EnvironmentFile = mkIf (cfg.keyFile != null) cfg.keyFile;
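Review bot: The module's header comment `# NixOS module for oauth2_proxy.` is dropped in the first hunk rather than renamed; keeping `# NixOS module for oauth2-proxy.` preserves the file's only top-level description. In the third hunk the new `imports = [ (mkRenamedOptionModule [ "services" "oauth2_proxy" ] [ "services" "oauth2-proxy" ]) ];` is placed between `options` and `config`; NixOS modules conventionally list `imports` first, before `options`, so the compatibility alias is found where readers expect it (unless the file already has an imports list outside these hunks). The alias on the parent path presumably also covers the `nginx` sub-options declared in the separate oauth2-proxy-nginx module, since the whole attribute path is aliased, but that is worth confirming with an evaluation that sets the old `services.oauth2_proxy.nginx.virtualHosts` path. Renaming the `isSystemUser` account means a fresh uid/gid for `oauth2-proxy` on existing systems, and the release note mentions the rename without noting that anything on disk owned by the old `oauth2_proxy` account will need its ownership updated. The enclosing `config = mkIf cfg.enable {` block continues past the end of the hunk.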