path: root/modules/apps/sproxy.nix
Diffstat (limited to 'modules/apps/sproxy.nix')
-rw-r--r--modules/apps/sproxy.nix143
1 files changed, 0 insertions, 143 deletions
diff --git a/modules/apps/sproxy.nix b/modules/apps/sproxy.nix
deleted file mode 100644
index f6eb2af..0000000
--- a/modules/apps/sproxy.nix
+++ /dev/null
@@ -1,143 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-let
-
- inherit (builtins) toString;
- inherit (lib)
- filterAttrs hasPrefix mapAttrsToList
- mkEnableOption concatStrings mkIf mkOption types ;
- inherit (types)
- enum int nullOr attrsOf path str submodule ;
-
- explicit = filterAttrs (n: v: n != "_module" && v != null);
-
- cfg = config.nixsap.apps.sproxy;
-
- oauth2Options = concatStrings (mapAttrsToList (n: c:
- if n == "google" then ''
- client_id : ${c.client_id}
- client_secret : ${c.client_secret_file}
- '' else ''
- ${n}_client_id : ${c.client_id}
- ${n}_client_secret : ${c.client_secret_file}
- ''
- ) (explicit cfg.oauth2));
-
- configFile = pkgs.writeText "sproxy.conf" ''
- ${oauth2Options}
- user : ${cfg.user}
- cookie_domain : ${cfg.cookieDomain}
- cookie_name : ${cfg.cookieName}
- database : "${cfg.database}"
- listen : 443
- log_level : ${cfg.logLevel}
- log_target : stderr
- ssl_certs : ${cfg.sslCert}
- ssl_key : ${cfg.sslKey}
- session_shelf_life : ${toString cfg.sessionShelfLife}
- ${if cfg.backendSocket != null then ''
- backend_socket : ${cfg.backendSocket}
- '' else ''
- backend_address : ${cfg.backendAddress}
- backend_port : ${toString cfg.backendPort}
- ''}
- '';
-
- keys = [ cfg.sslKey ]
- ++ mapAttrsToList (_: c: c.client_secret_file) (explicit cfg.oauth2)
- ;
-
- oauth2 = mkOption {
- type = attrsOf (submodule {
- options = {
- client_id = mkOption {
- type = str;
- description = "OAuth2 client id";
- };
- client_secret_file = mkOption {
- type = path;
- description = "File with OAuth2 client secret";
- };
- };
- });
- example = {
- google.client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com";
- google.client_secret_file = "/run/keys/google_oauth2_secret";
- };
- };
-
-in {
- options.nixsap.apps.sproxy = {
- enable = mkEnableOption "SProxy";
- inherit oauth2;
- user = mkOption {
- description = "User to run as";
- default = "sproxy";
- type = str;
- };
- cookieDomain = mkOption {
- description = "Cookie domain";
- type = str;
- example = "example.com";
- };
- cookieName = mkOption {
- description = "Cookie name";
- type = str;
- example = "sproxy";
- };
- logLevel = mkOption {
- description = "Log level";
- default = "info";
- type = enum [ "info" "warn" "debug" ];
- };
- sslCert = mkOption {
- description = "SSL certificate (in PEM format)";
- type = path;
- };
- sslKey = mkOption {
- description = "SSL key (in PEM format) - secret";
- type = path;
- };
- backendAddress = mkOption {
- description = "Backend TCP address";
- type = str;
- default = "127.0.0.1";
- };
- backendPort = mkOption {
- description = "Backend TCP port";
- type = int;
- example = 8080;
- };
- backendSocket = mkOption {
- description = "Backend UNIX socket. If set, other backend options are ignored";
- type = nullOr path;
- default = null;
- };
- database = mkOption {
- description = "PostgreSQL connection string";
- type = str;
- example = "user=sproxy dbname=sproxy port=6001";
- };
- sessionShelfLife = mkOption {
- description = "Session shelf life in seconds";
- type = int;
- default = 3600 * 24 * 14; # two weeks
- };
- };
-
- config = mkIf cfg.enable {
- nixsap.system.users.daemons = [ cfg.user ];
- nixsap.deployment.keyrings.${cfg.user} = keys;
- systemd.services.sproxy = {
- description = "Sproxy secure proxy";
- wantedBy = [ "multi-user.target" ];
- wants = [ "keys.target" ];
- after = [ "keys.target" "network.target" "local-fs.target" ];
- serviceConfig = {
- ExecStart = "${pkgs.sproxy}/bin/sproxy --config=${configFile}";
- Restart = "on-failure";
- };
- };
- };
-}
-