oauth2_proxy: Update NixOS module

Update to match the current flags and apply fixes to all breaking changes.
2020-02-11 16:34:21 +01:00 · 2020-02-11 16:34:21 +01:00 · 3c551848be
parent 6256d88eed
commit 3c551848be
1 changed files with 24 additions and 5 deletions
--- a/nixos/modules/services/security/oauth2_proxy.nix
+++ b/nixos/modules/services/security/oauth2_proxy.nix
@ -12,7 +12,7 @@ let
  # command-line to launch oauth2_proxy.
  providerSpecificOptions = {
    azure = cfg: {
-      azure.tenant = cfg.azure.tenant;
+      azure-tenant = cfg.azure.tenant;
      resource = cfg.azure.resource;
    };

@ -44,6 +44,7 @@ let
    pass-access-token = passAccessToken;
    pass-basic-auth = passBasicAuth;
    pass-host-header = passHostHeader;
+    reverse-proxy = reverseProxy;
    proxy-prefix = proxyPrefix;
    profile-url = profileURL;
    redeem-url = redeemURL;
@ -65,8 +66,8 @@ let
  } // lib.optionalAttrs (cfg.htpasswd.file != null) {
    display-htpasswd-file = cfg.htpasswd.displayForm;
  } // lib.optionalAttrs tls.enable {
-    tls-cert = tls.certificate;
-    tls-key = tls.key;
+    tls-cert-file = tls.certificate;
+    tls-key-file = tls.key;
    https-address = tls.httpsAddress;
  } // (getProviderOptions cfg cfg.provider) // cfg.extraConfig;

@ -98,14 +99,21 @@ in

    ##############################################
    # PROVIDER configuration
+    # Taken from: https://github.com/pusher/oauth2_proxy/blob/master/providers/providers.go
    provider = mkOption {
      type = types.enum [
        "google"
-        "github"
        "azure"
+        "facebook"
+        "github"
+        "keycloak"
        "gitlab"
        "linkedin"
-        "myusa"
+        "login.gov"
+        "bitbucket"
+        "nextcloud"
+        "digitalocean"
+        "oidc"
      ];
      default = "google";
      description = ''
@ -433,6 +441,17 @@ in
      '';
    };

+    reverseProxy = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        In case when running behind a reverse proxy, controls whether headers
+	like <literal>X-Real-Ip</literal> are accepted. Usage behind a reverse
+        proxy will require this flag to be set to avoid logging the reverse
+        proxy IP address.
+      '';
+    };
+
    proxyPrefix = mkOption {
      type = types.str;
      default = "/oauth2";