Merge pull request #306938 from K900/oauth2-proxy-parametrized

nixos/oauth2_proxy_nginx: allow passing parameters to auth endpoint
2024-11-27 01:13:05 +00:00 · 2024-04-26 16:05:13 +03:00 · 2024-04-26 16:05:13 +03:00 · f13d09e539
commit f13d09e539
parent 01a730b41e ea525d3d11
1 changed files with 46 additions and 6 deletions
--- a/nixos/modules/services/security/oauth2_proxy_nginx.nix
+++ b/nixos/modules/services/security/oauth2_proxy_nginx.nix
@ -25,10 +25,41 @@ in
    };

    virtualHosts = mkOption {
-      type = types.listOf types.str;
-      default = [];
+      type = let
+        vhostSubmodule = types.submodule {
+          options = {
+            allowed_groups = mkOption {
+              type = types.nullOr (types.listOf types.str);
+              description = "List of groups to allow access to this vhost, or null to allow all.";
+              default = null;
+            };
+            allowed_emails = mkOption {
+              type = types.nullOr (types.listOf types.str);
+              description = "List of emails to allow access to this vhost, or null to allow all.";
+              default = null;
+            };
+            allowed_email_domains = mkOption {
+              type = types.nullOr (types.listOf types.str);
+              description = "List of email domains to allow access to this vhost, or null to allow all.";
+              default = null;
+            };
+          };
+        };
+        oldType = types.listOf types.str;
+        convertFunc = x:
+          lib.warn "services.oauth2_proxy.nginx.virtualHosts should be an attrset, found ${lib.generators.toPretty {} x}"
+          lib.genAttrs x (_: {});
+        newType = types.attrsOf vhostSubmodule;
+      in types.coercedTo oldType convertFunc newType;
+      default = {};
+      example = {
+        "protected.foo.com" = {
+          allowed_groups = ["admins"];
+          allowed_emails = ["boss@foo.com"];
+        };
+      };
      description = ''
-        A list of nginx virtual hosts to put behind the oauth2 proxy.
+        Nginx virtual hosts to put behind the oauth2 proxy.
        You can exclude specific locations by setting `auth_request off;` in the locations extraConfig setting.
      '';
    };
@ -50,11 +81,20 @@ in
    }
  ] ++ optional (cfg.virtualHosts != []) {
    recommendedProxySettings = true; # needed because duplicate headers
-  } ++ (map (vhost: {
+  } ++ (lib.mapAttrsToList (vhost: conf: {
    virtualHosts.${vhost} = {
      locations = {
-        "/oauth2/auth" = {
-          proxyPass = cfg.proxy;
+        "/oauth2/auth" = let
+          maybeQueryArg = name: value:
+            if value == null then null
+            else "${name}=${lib.concatStringsSep "," value}";
+          allArgs = lib.mapAttrsToList maybeQueryArg conf;
+          cleanArgs = builtins.map lib.escapeURL (builtins.filter (x: x != null) allArgs);
+          cleanArgsStr = lib.concatStringsSep "&" cleanArgs;
+        in {
+          # nginx doesn't support passing query string arguments to auth_request,
+          # so pass them here instead
+          proxyPass = "${cfg.proxy}/oauth2/auth?${cleanArgsStr}";
          extraConfig = ''
            auth_request off;
            proxy_set_header X-Scheme         $scheme;