Diffstat (limited to 'nixos/modules/services/security/oauth2_proxy.nix')
-rw-r--r--nixos/modules/services/security/oauth2_proxy.nix108
1 files changed, 54 insertions, 54 deletions
diff --git a/nixos/modules/services/security/oauth2_proxy.nix b/nixos/modules/services/security/oauth2_proxy.nix
index 5c89d587237..8b2c7fa2140 100644
--- a/nixos/modules/services/security/oauth2_proxy.nix
+++ b/nixos/modules/services/security/oauth2_proxy.nix
@@ -92,7 +92,7 @@ in
       type = types.package;
       default = pkgs.oauth2-proxy;
       defaultText = literalExpression "pkgs.oauth2-proxy";
-      description = ''
+      description = lib.mdDoc ''
         The package that provides oauth2-proxy.
       '';
     };
@@ -118,7 +118,7 @@ in
         "oidc"
       ];
       default = "google";
-      description = ''
+      description = lib.mdDoc ''
         OAuth provider.
       '';
     };
@@ -126,14 +126,14 @@ in
     approvalPrompt = mkOption {
       type = types.enum ["force" "auto"];
       default = "force";
-      description = ''
+      description = lib.mdDoc ''
         OAuth approval_prompt.
       '';
     };
 
     clientID = mkOption {
       type = types.nullOr types.str;
-      description = ''
+      description = lib.mdDoc ''
         The OAuth Client ID.
       '';
       example = "123456.apps.googleusercontent.com";
@@ -141,7 +141,7 @@ in
 
     clientSecret = mkOption {
       type = types.nullOr types.str;
-      description = ''
+      description = lib.mdDoc ''
         The OAuth Client Secret.
       '';
     };
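Review bot: `clientSecret` is typed `types.nullOr types.str`, so any value set here is serialized into the world-readable Nix store, and the new description still says nothing about that. Since the module provides `keyFile` precisely for passing sensitive configuration via environment variables (see the last hunk), the description should steer users there, e.g. `Values set here end up in the world-readable Nix store; prefer passing the secret via keyFile.` The same applies to `basicAuthPassword`, `signatureKey` and `cookie.secret` in the later hunks, which are likewise plain strings, and to `tls.key` (`types.path`), which Nix copies into the store when given a relative path literal.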
@@ -149,7 +149,7 @@ in
     skipAuthRegexes = mkOption {
      type = types.listOf types.str;
      default = [];
-     description = ''
+     description = lib.mdDoc ''
        Skip authentication for requests matching any of these regular
        expressions.
      '';
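Review bot: The description does not say what the regular expressions are matched against or that they are matched unanchored, which is what decides how much traffic bypasses authentication; if, as in upstream oauth2-proxy, these are matched against the request path, a pattern like `/health` also matches `/health-admin` and any path containing it. Suggest extending the description with `Patterns are matched against the request path; anchor them (for example ^/health$) so that only the intended paths bypass authentication.`, hedged as needed against the upstream behaviour. As a style point, this option's body is indented by five spaces (`type`, `default`, `description`) while every other option in the file uses six.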
@@ -169,7 +169,7 @@ in
       addresses = mkOption {
         type = types.nullOr types.lines;
         default = null;
-        description = ''
+        description = lib.mdDoc ''
           Line-separated email addresses that are allowed to authenticate.
         '';
       };
@@ -178,7 +178,7 @@ in
     loginURL = mkOption {
       type = types.nullOr types.str;
       default = null;
-      description = ''
+      description = lib.mdDoc ''
         Authentication endpoint.
 
         You only need to set this if you are using a self-hosted provider (e.g.
@@ -191,7 +191,7 @@ in
     redeemURL = mkOption {
       type = types.nullOr types.str;
       default = null;
-      description = ''
+      description = lib.mdDoc ''
         Token redemption endpoint.
 
         You only need to set this if you are using a self-hosted provider (e.g.
@@ -204,7 +204,7 @@ in
     validateURL = mkOption {
       type = types.nullOr types.str;
       default = null;
-      description = ''
+      description = lib.mdDoc ''
         Access token validation endpoint.
 
         You only need to set this if you are using a self-hosted provider (e.g.
@@ -219,7 +219,7 @@ in
       # doesn't require it so making it optional.
       type = types.nullOr types.str;
       default = null;
-      description = ''
+      description = lib.mdDoc ''
         The OAuth2 redirect URL.
       '';
       example = "https://internalapp.yourcompany.com/oauth2/callback";
@@ -229,14 +229,14 @@ in
       tenant = mkOption {
         type = types.str;
         default = "common";
-        description = ''
+        description = lib.mdDoc ''
           Go to a tenant-specific or common (tenant-independent) endpoint.
         '';
       };
 
       resource = mkOption {
         type = types.str;
-        description = ''
+        description = lib.mdDoc ''
           The resource that is protected.
         '';
       };
@@ -245,28 +245,28 @@ in
     google = {
       adminEmail = mkOption {
         type = types.str;
-        description = ''
+        description = lib.mdDoc ''
           The Google Admin to impersonate for API calls.
 
           Only users with access to the Admin APIs can access the Admin SDK
           Directory API, thus the service account needs to impersonate one of
           those users to access the Admin SDK Directory API.
 
-          See <link xlink:href="https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account" />.
+          See <https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account>.
         '';
       };
 
       groups = mkOption {
         type = types.listOf types.str;
         default = [];
-        description = ''
+        description = lib.mdDoc ''
           Restrict logins to members of these Google groups.
         '';
       };
 
       serviceAccountJSON = mkOption {
         type = types.path;
-        description = ''
+        description = lib.mdDoc ''
           The path to the service account JSON credentials.
         '';
       };
@@ -276,7 +276,7 @@ in
       org = mkOption {
         type = types.nullOr types.str;
         default = null;
-        description = ''
+        description = lib.mdDoc ''
           Restrict logins to members of this organisation.
         '';
       };
@@ -284,7 +284,7 @@ in
       team = mkOption {
         type = types.nullOr types.str;
         default = null;
-        description = ''
+        description = lib.mdDoc ''
           Restrict logins to members of this team.
         '';
       };
@@ -296,8 +296,8 @@ in
     upstream = mkOption {
       type = with types; coercedTo str (x: [x]) (listOf str);
       default = [];
-      description = ''
-        The http url(s) of the upstream endpoint or <literal>file://</literal>
+      description = lib.mdDoc ''
+        The http url(s) of the upstream endpoint or `file://`
         paths for static files. Routing is based on the path.
       '';
     };
@@ -305,7 +305,7 @@ in
     passAccessToken = mkOption {
       type = types.bool;
       default = false;
-      description = ''
+      description = lib.mdDoc ''
         Pass OAuth access_token to upstream via X-Forwarded-Access-Token header.
       '';
     };
@@ -313,7 +313,7 @@ in
     passBasicAuth = mkOption {
       type = types.bool;
       default = true;
-      description = ''
+      description = lib.mdDoc ''
         Pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream.
       '';
     };
@@ -321,7 +321,7 @@ in
     basicAuthPassword = mkOption {
       type = types.nullOr types.str;
       default = null;
-      description = ''
+      description = lib.mdDoc ''
         The password to set when passing the HTTP Basic Auth header.
       '';
     };
@@ -329,7 +329,7 @@ in
     passHostHeader = mkOption {
       type = types.bool;
       default = true;
-      description = ''
+      description = lib.mdDoc ''
         Pass the request Host Header to upstream.
       '';
     };
@@ -337,7 +337,7 @@ in
     signatureKey = mkOption {
       type = types.nullOr types.str;
       default = null;
-      description = ''
+      description = lib.mdDoc ''
         GAP-Signature request signature key.
       '';
       example = "sha1:secret0";
@@ -358,7 +358,7 @@ in
       expire = mkOption {
         type = types.str;
         default = "168h0m0s";
-        description = ''
+        description = lib.mdDoc ''
           Expire timeframe for cookie.
         '';
       };
@@ -366,7 +366,7 @@ in
       httpOnly = mkOption {
         type = types.bool;
         default = true;
-        description = ''
+        description = lib.mdDoc ''
           Set HttpOnly cookie flag.
         '';
       };
@@ -374,7 +374,7 @@ in
       name = mkOption {
         type = types.str;
         default = "_oauth2_proxy";
-        description = ''
+        description = lib.mdDoc ''
           The name of the cookie that the oauth_proxy creates.
         '';
       };
@@ -383,7 +383,7 @@ in
         # XXX: Unclear what the behavior is when this is not specified.
         type = types.nullOr types.str;
         default = null;
-        description = ''
+        description = lib.mdDoc ''
           Refresh the cookie after this duration; 0 to disable.
         '';
         example = "168h0m0s";
@@ -391,7 +391,7 @@ in
 
       secret = mkOption {
         type = types.nullOr types.str;
-        description = ''
+        description = lib.mdDoc ''
           The seed string for secure cookies.
         '';
       };
@@ -399,7 +399,7 @@ in
       secure = mkOption {
         type = types.bool;
         default = true;
-        description = ''
+        description = lib.mdDoc ''
           Set secure (HTTPS) cookie flag.
         '';
       };
@@ -411,10 +411,10 @@ in
     httpAddress = mkOption {
       type = types.str;
       default = "http://127.0.0.1:4180";
-      description = ''
+      description = lib.mdDoc ''
         HTTPS listening address.  This module does not expose the port by
         default. If you want this URL to be accessible to other machines, please
-        add the port to <literal>networking.firewall.allowedTCPPorts</literal>.
+        add the port to `networking.firewall.allowedTCPPorts`.
       '';
     };
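Review bot: The first line of the `httpAddress` description reads `HTTPS listening address.` although the default is `http://127.0.0.1:4180` and a separate `httpsAddress` option (`:443`) exists in the later hunk; this is a documentation error the conversion carries over. Change it to `HTTP listening address.` while the description is being touched. It may also be worth stating that the default binds to loopback only, which is the safe choice when the proxy sits behind a reverse proxy.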
 
@@ -422,16 +422,16 @@ in
       file = mkOption {
         type = types.nullOr types.path;
         default = null;
-        description = ''
+        description = lib.mdDoc ''
           Additionally authenticate against a htpasswd file. Entries must be
-          created with <literal>htpasswd -s</literal> for SHA encryption.
+          created with `htpasswd -s` for SHA encryption.
         '';
       };
 
       displayForm = mkOption {
         type = types.bool;
         default = true;
-        description = ''
+        description = lib.mdDoc ''
           Display username / password login form if an htpasswd file is provided.
         '';
       };
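Review bot: `for SHA encryption` is inaccurate wording: `htpasswd -s` stores an unsalted SHA-1 digest of the password, not an encrypted password. Suggest `created with `htpasswd -s` (unsalted SHA-1 digests).` so readers understand the file must be protected like any other credential store. Whether oauth2-proxy also accepts other htpasswd digest formats cannot be determined from this page, so the description should not promise more than `-s`.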
@@ -440,7 +440,7 @@ in
     customTemplatesDir = mkOption {
       type = types.nullOr types.path;
       default = null;
-      description = ''
+      description = lib.mdDoc ''
         Path to custom HTML templates.
       '';
     };
@@ -448,9 +448,9 @@ in
     reverseProxy = mkOption {
       type = types.bool;
       default = false;
-      description = ''
+      description = lib.mdDoc ''
         In case when running behind a reverse proxy, controls whether headers
-        like <literal>X-Real-Ip</literal> are accepted. Usage behind a reverse
+        like `X-Real-Ip` are accepted. Usage behind a reverse
         proxy will require this flag to be set to avoid logging the reverse
         proxy IP address.
       '';
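Review bot: The `reverseProxy` description explains that headers like `X-Real-Ip` are accepted when the flag is set, but not that they are then trusted as sent, which matters for the access logs and any downstream decisions based on the client address. Suggest adding `When enabled, these headers are taken at face value, so the listening address must only be reachable from the reverse proxy (the default httpAddress binds to loopback).` to the description. The claim about what the headers are used for beyond logging is inferred from the option name and should be checked against oauth2-proxy before wording it more strongly.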
@@ -459,7 +459,7 @@ in
     proxyPrefix = mkOption {
       type = types.str;
       default = "/oauth2";
-      description = ''
+      description = lib.mdDoc ''
         The url root path that this proxy should be nested under.
       '';
     };
@@ -468,21 +468,21 @@ in
       enable = mkOption {
         type = types.bool;
         default = false;
-        description = ''
+        description = lib.mdDoc ''
           Whether to serve over TLS.
         '';
       };
 
       certificate = mkOption {
         type = types.path;
-        description = ''
+        description = lib.mdDoc ''
           Path to certificate file.
         '';
       };
 
       key = mkOption {
         type = types.path;
-        description = ''
+        description = lib.mdDoc ''
           Path to private key file.
         '';
       };
@@ -490,11 +490,11 @@ in
       httpsAddress = mkOption {
         type = types.str;
         default = ":443";
-        description = ''
-          <literal>addr:port</literal> to listen on for HTTPS clients.
+        description = lib.mdDoc ''
+          `addr:port` to listen on for HTTPS clients.
 
-          Remember to add <literal>port</literal> to
-          <literal>allowedTCPPorts</literal> if you want other machines to be
+          Remember to add `port` to
+          `allowedTCPPorts` if you want other machines to be
           able to connect to it.
         '';
       };
@@ -503,7 +503,7 @@ in
     requestLogging = mkOption {
       type = types.bool;
       default = true;
-      description = ''
+      description = lib.mdDoc ''
         Log requests to stdout.
       '';
     };
@@ -517,7 +517,7 @@ in
       # doesn't require it so making it optional.
       type = types.nullOr types.str;
       default = null;
-      description = ''
+      description = lib.mdDoc ''
         OAuth scope specification.
       '';
     };
@@ -525,7 +525,7 @@ in
     profileURL = mkOption {
       type = types.nullOr types.str;
       default = null;
-      description = ''
+      description = lib.mdDoc ''
         Profile access endpoint.
       '';
     };
@@ -533,7 +533,7 @@ in
     setXauthrequest = mkOption {
       type = types.nullOr types.bool;
       default = false;
-      description = ''
+      description = lib.mdDoc ''
         Set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode). Setting this to 'null' means using the upstream default (false).
       '';
     };
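Review bot: Now that the description is Markdown, `'null'` should use code formatting like the other converted hunks, which turned `<literal>` into backticks; change it to `` Setting this to `null` means using the upstream default (false). `` for consistency. The sentence is also long enough that splitting it after the parenthesis would read better in the rendered manual.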
@@ -541,7 +541,7 @@ in
     extraConfig = mkOption {
       default = {};
       type = types.attrsOf types.anything;
-      description = ''
+      description = lib.mdDoc ''
         Extra config to pass to oauth2-proxy.
       '';
     };
@@ -549,7 +549,7 @@ in
     keyFile = mkOption {
       type = types.nullOr types.path;
       default = null;
-      description = ''
+      description = lib.mdDoc ''
         oauth2-proxy allows passing sensitive configuration via environment variables.
         Make a file that contains lines like
         OAUTH2_PROXY_CLIENT_SECRET=asdfasdfasdf.apps.googleuserscontent.com