nixos/oauth2-proxy: require secure secret passing (fcba9136) · Commits · nix / nixpkgs

nixos/modules/services/security/oauth2-proxy.nix

+24 −28

Original line number	Diff line number	Diff line
		@@ -46,7 +46,6 @@ let
		approval-prompt = approvalPrompt;
		basic-auth-password = basicAuthPassword;
		client-id = clientID;
		client-secret = clientSecret;
		client-secret-file = if clientSecretFile != null then "%d/client-secret" else null;
		custom-templates-dir = customTemplatesDir;
		email-domain = email.domains;
		@@ -72,7 +71,6 @@ let
		secure
		expire
		name
		secret
		refresh
		;
		secret-file = if cookie.secretFile != null then "%d/cookie-secret" else null;
		@@ -161,6 +159,7 @@ in

		clientID = lib.mkOption {
		type = lib.types.nullOr lib.types.str;
		default = null;
		description = ''
		The OAuth Client ID.
		'';
		@@ -176,18 +175,11 @@ in
		example = "https://login.microsoftonline.com/{TENANT_ID}/v2.0";
		};

		clientSecret = lib.mkOption {
		type = lib.types.nullOr lib.types.str;
		description = ''
		The OAuth Client Secret.
		'';
		};

		clientSecretFile = lib.mkOption {
		type = lib.types.nullOr lib.types.path;
		default = null;
		description = ''
		Alternative to `clientSecret` and `keyFile`: path to a file containing the OAuth Client Secret.
		The path to a file containing the OAuth Client Secret.
		'';
		example = "/run/keys/oauth2-client-secret";
		};
		@@ -434,18 +426,11 @@ in
		example = "168h0m0s";
		};

		secret = lib.mkOption {
		type = lib.types.nullOr lib.types.str;
		description = ''
		The seed string for secure cookies.
		'';
		};

		secretFile = lib.mkOption {
		type = lib.types.nullOr lib.types.path;
		default = null;
		description = ''
		Alternative to `secret` and `keyFile`: path to a file containing the cookie secret.
		The path to a file containing the seed string for secure cookies.
		'';
		example = "/run/keys/oauth2-cookie-secret";
		};
		@@ -615,19 +600,30 @@ in

		imports = [
		(lib.mkRenamedOptionModule [ "services" "oauth2_proxy" ] [ "services" "oauth2-proxy" ])
		(lib.mkRemovedOptionModule [ "services" "oauth2-proxy" "clientSecret" ] ''
		This option has been removed as it made the client secret world-readable.
		Use services.oauth2-proxy.clientSecretFile instead.
		'')
		(lib.mkRemovedOptionModule [ "services" "oauth2-proxy" "cookie" "secret" ] ''
		This option has been removed as it made the cookie secret world-readable.
		Use services.oauth2-proxy.cookie.secretFile instead.
		'')
		];

		config = lib.mkIf cfg.enable {
		services.oauth2-proxy = lib.mkMerge [
		(lib.mkIf (cfg.keyFile != null \|\| cfg.clientSecretFile != null) {
		clientSecret = lib.mkDefault null;
		})
		(lib.mkIf (cfg.keyFile != null \|\| cfg.cookie.secretFile != null) {
		cookie.secret = lib.mkDefault null;
		})
		(lib.mkIf (cfg.keyFile != null) {
		clientID = lib.mkDefault null;
		})
		assertions = [
		{
		assertion = cfg.clientID != null \|\| cfg.keyFile != null;
		message = "Either services.oauth2-proxy.clientID or services.oauth2-proxy.keyFile must be specified.";
		}
		{
		assertion = cfg.clientSecretFile != null \|\| cfg.keyFile != null;
		message = "Either services.oauth2-proxy.clientSecretFile or services.oauth2-proxy.keyFile must be specified.";
		}
		{
		assertion = cfg.cookie.secretFile != null \|\| cfg.keyFile != null;
		message = "Either services.oauth2-proxy.cookie.secretFile or services.oauth2-proxy.keyFile must be specified.";
		}
		];

		users.users.oauth2-proxy = {

Admin message