author | Nikola Knezevic <nikola@knezevic.ch> | 2020-02-11 16:34:21 +0100 |
committer | Nikola Knezevic <nikola@knezevic.ch> | 2020-04-20 10:11:46 +0200 |
commit | 3c551848bed7c9fb811de3bcedb70b09241f52a5 (patch) | |
tree | b0aa3b2a01e13023b6ee9a5819f71e96c5e24ee0 /nixos/modules/services/security/oauth2_proxy.nix | |
parent | 6256d88eedd7af0a03e711013d37fe3d97689537 (diff) | |
oauth2_proxy: Update NixOS module
Update the module to match oauth2_proxy's current command-line flags and fix the breaking changes that came with them.
Diffstat (limited to 'nixos/modules/services/security/oauth2_proxy.nix')
-rw-r--r-- | nixos/modules/services/security/oauth2_proxy.nix | 29 |
1 files changed, 24 insertions, 5 deletions
diff --git a/nixos/modules/services/security/oauth2_proxy.nix b/nixos/modules/services/security/oauth2_proxy.nix
index 2abb9ec32ac..46caadee204 100644
--- a/nixos/modules/services/security/oauth2_proxy.nix
+++ b/nixos/modules/services/security/oauth2_proxy.nix
@@ -12,7 +12,7 @@ let
 # command-line to launch oauth2_proxy.
 providerSpecificOptions = {
 azure = cfg: {
- azure.tenant = cfg.azure.tenant;
+ azure-tenant = cfg.azure.tenant;
 resource = cfg.azure.resource;
 };
@@ -44,6 +44,7 @@ let
 pass-access-token = passAccessToken;
 pass-basic-auth = passBasicAuth;
 pass-host-header = passHostHeader;
+ reverse-proxy = reverseProxy;
 proxy-prefix = proxyPrefix;
 profile-url = profileURL;
 redeem-url = redeemURL;
@@ -65,8 +66,8 @@ let
 } // lib.optionalAttrs (cfg.htpasswd.file != null) {
 display-htpasswd-file = cfg.htpasswd.displayForm;
 } // lib.optionalAttrs tls.enable {
- tls-cert = tls.certificate;
- tls-key = tls.key;
+ tls-cert-file = tls.certificate;
+ tls-key-file = tls.key;
 https-address = tls.httpsAddress;
 } // (getProviderOptions cfg cfg.provider) // cfg.extraConfig;
@@ -98,14 +99,21 @@ in
 ##############################################
 # PROVIDER configuration
+ # Taken from: https://github.com/pusher/oauth2_proxy/blob/master/providers/providers.go
 provider = mkOption {
 type = types.enum [
 "google"
- "github"
 "azure"
+ "facebook"
+ "github"
+ "keycloak"
 "gitlab"
 "linkedin"
- "myusa"
+ "login.gov"
+ "bitbucket"
+ "nextcloud"
+ "digitalocean"
+ "oidc"
 ];
 default = "google";
 description = ''
@@ -433,6 +441,17 @@ in
 '';
 };
+ reverseProxy = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ In case when running behind a reverse proxy, controls whether headers
+ like <literal>X-Real-Ip</literal> are accepted. Usage behind a reverse
+ proxy will require this flag to be set to avoid logging the reverse
+ proxy IP address.
+ '';
+ };
+
 proxyPrefix = mkOption {
 type = types.str;
 default = "/oauth2";
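Review bot: The added comment `# Taken from: https://github.com/pusher/oauth2_proxy/blob/master/providers/providers.go` points at the moving `master` branch, so the `provider` enum will silently drift from the list the packaged oauth2_proxy binary actually accepts, and a name that is valid in the enum but unknown to the installed version only fails when the service starts. Pin the reference to the release the package ships, e.g. `# Providers accepted by the packaged oauth2_proxy release; keep in sync with providers/providers.go at that tag on each version bump.` so the enum is re-checked whenever the package is updated. Which version the module pins is not visible in this hunk, so the exact tag has to be filled in by the author. The enclosing options attribute set starts and ends outside the hunk.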
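Review bot: The description of the new `reverseProxy` option should warn that enabling it makes oauth2_proxy treat client-controlled headers such as `X-Real-Ip` as trusted, which is only safe when the listener is reachable exclusively through a reverse proxy that sets or overwrites those headers; with the socket exposed directly, any client can forge the address that ends up in the logs (and, if the packaged release also honours `X-Forwarded-Host`/`X-Forwarded-Proto` under this flag for building redirect URLs, the redirect target too — worth confirming against the pinned version). Suggest appending to the description: `Only enable this when oauth2_proxy is reachable solely via a trusted reverse proxy that overwrites these headers, e.g. by binding the listen address to loopback; otherwise clients can spoof them.` The opening phrase is also awkward: `In case when running behind a reverse proxy` reads better as `When running behind a reverse proxy`. The enclosing options attribute set starts and ends outside the hunk.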