authorNikola Knezevic <nikola@knezevic.ch>2020-02-11 16:34:21 +0100
committerNikola Knezevic <nikola@knezevic.ch>2020-04-20 10:11:46 +0200
commit3c551848bed7c9fb811de3bcedb70b09241f52a5 (patch)
treeb0aa3b2a01e13023b6ee9a5819f71e96c5e24ee0 /nixos/modules/services/security/oauth2_proxy.nix
parent6256d88eedd7af0a03e711013d37fe3d97689537 (diff)
oauth2_proxy: Update NixOS module
Update to match the current flags and apply fixes to all breaking changes.
Diffstat (limited to 'nixos/modules/services/security/oauth2_proxy.nix')
-rw-r--r--nixos/modules/services/security/oauth2_proxy.nix29
1 files changed, 24 insertions, 5 deletions
diff --git a/nixos/modules/services/security/oauth2_proxy.nix b/nixos/modules/services/security/oauth2_proxy.nix
index 2abb9ec32ac..46caadee204 100644
--- a/nixos/modules/services/security/oauth2_proxy.nix
+++ b/nixos/modules/services/security/oauth2_proxy.nix
@@ -12,7 +12,7 @@ let
   # command-line to launch oauth2_proxy.
   providerSpecificOptions = {
     azure = cfg: {
-      azure.tenant = cfg.azure.tenant;
+      azure-tenant = cfg.azure.tenant;
       resource = cfg.azure.resource;
     };
 
@@ -44,6 +44,7 @@ let
     pass-access-token = passAccessToken;
     pass-basic-auth = passBasicAuth;
     pass-host-header = passHostHeader;
+    reverse-proxy = reverseProxy;
     proxy-prefix = proxyPrefix;
     profile-url = profileURL;
     redeem-url = redeemURL;
@@ -65,8 +66,8 @@ let
   } // lib.optionalAttrs (cfg.htpasswd.file != null) {
     display-htpasswd-file = cfg.htpasswd.displayForm;
   } // lib.optionalAttrs tls.enable {
-    tls-cert = tls.certificate;
-    tls-key = tls.key;
+    tls-cert-file = tls.certificate;
+    tls-key-file = tls.key;
     https-address = tls.httpsAddress;
   } // (getProviderOptions cfg cfg.provider) // cfg.extraConfig;
 
@@ -98,14 +99,21 @@ in
 
     ##############################################
     # PROVIDER configuration
+    # Taken from: https://github.com/pusher/oauth2_proxy/blob/master/providers/providers.go
     provider = mkOption {
       type = types.enum [
         "google"
-        "github"
         "azure"
+        "facebook"
+        "github"
+        "keycloak"
         "gitlab"
         "linkedin"
-        "myusa"
+        "login.gov"
+        "bitbucket"
+        "nextcloud"
+        "digitalocean"
+        "oidc"
       ];
       default = "google";
       description = ''
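Review bot: The comment added above `provider` points at `providers.go` on `master`, so the list it claims to mirror will drift away from the enum as upstream adds or removes providers while the packaged oauth2_proxy stays fixed. Prefer referencing the tag or commit that matches the version this module is built against, e.g. `# Taken from: https://github.com/pusher/oauth2_proxy/blob/<PINNED-TAG-OR-COMMIT>/providers/providers.go`, so a reader can check the enum against the code that actually parses the flag. The `mkOption` block continues past the end of this hunk.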
@@ -433,6 +441,17 @@ in
       '';
     };
 
+    reverseProxy = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        In case when running behind a reverse proxy, controls whether headers
+	like <literal>X-Real-Ip</literal> are accepted. Usage behind a reverse
+        proxy will require this flag to be set to avoid logging the reverse
+        proxy IP address.
+      '';
+    };
+
     proxyPrefix = mkOption {
       type = types.str;
       default = "/oauth2";
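Review bot: The description for the new `reverseProxy` option frames it purely as a logging concern, but accepting `X-Real-Ip`/`X-Forwarded-For` means the proxy trusts a client-controlled header for the client address, so it should tell the reader when enabling it is safe. A sentence along the lines of `Only enable this when oauth2_proxy is reachable solely through the reverse proxy; if clients can reach it directly they can set these headers themselves and spoof the recorded client address.` would give the operator the condition that makes the flag safe. Separately, the second line of that description (`like <literal>X-Real-Ip</literal> ...`) is indented with a tab while its neighbours use spaces; reindent it with spaces to match the surrounding `''` string so the rendered option text lines up.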