fix: forward auth improvement in module.nix
parent
e445f8631b
commit
ce85a71eee
1 changed files with 29 additions and 13 deletions
42
module.nix
42
module.nix
|
|
@ -50,10 +50,25 @@ in
|
||||||
description = "Domain for the Caddy virtual host.";
|
description = "Domain for the Caddy virtual host.";
|
||||||
};
|
};
|
||||||
|
|
||||||
forwardAuth = mkOption {
|
forwardAuth = {
|
||||||
type = types.nullOr types.str;
|
enable = mkEnableOption "forward_auth for Caddy";
|
||||||
default = null;
|
|
||||||
description = "URL for forward_auth (e.g. localhost:9090). When set, all requests are authenticated via forward_auth before proxying.";
|
address = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
description = "Address of the auth service (e.g. localhost:9090).";
|
||||||
|
};
|
||||||
|
|
||||||
|
uri = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "/api/auth";
|
||||||
|
description = "URI to send auth subrequests to.";
|
||||||
|
};
|
||||||
|
|
||||||
|
copyHeaders = mkOption {
|
||||||
|
type = types.listOf types.str;
|
||||||
|
default = [];
|
||||||
|
description = "Headers to copy from the auth response to the proxied request.";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
@ -317,9 +332,14 @@ in
|
||||||
};
|
};
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "simple";
|
Type = "simple";
|
||||||
|
ExecStartPre = "+${pkgs.writeShellScript "guestbook-prepare" ''
|
||||||
|
mkdir -p ${cfg.dataDir}/entries ${cfg.dataDir}/drawings ${cfg.dataDir}/voice_notes
|
||||||
|
chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir}
|
||||||
|
''}";
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
User = cfg.user;
|
User = cfg.user;
|
||||||
Group = cfg.group;
|
Group = cfg.group;
|
||||||
|
ReadWritePaths = [ cfg.dataDir ];
|
||||||
};
|
};
|
||||||
script = ''
|
script = ''
|
||||||
${lib.optionalString cfg.features.telegram.enable ''
|
${lib.optionalString cfg.features.telegram.enable ''
|
||||||
|
|
@ -329,12 +349,6 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.tmpfiles.rules = [
|
|
||||||
"d ${cfg.dataDir}/entries 0755 ${cfg.user} ${cfg.group} -"
|
|
||||||
"d ${cfg.dataDir}/drawings 0755 ${cfg.user} ${cfg.group} -"
|
|
||||||
"d ${cfg.dataDir}/voice_notes 0755 ${cfg.user} ${cfg.group} -"
|
|
||||||
];
|
|
||||||
|
|
||||||
users.users.${cfg.user} = {
|
users.users.${cfg.user} = {
|
||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
group = cfg.group;
|
group = cfg.group;
|
||||||
|
|
@ -346,9 +360,11 @@ in
|
||||||
|
|
||||||
(mkIf cfg.caddy.enable {
|
(mkIf cfg.caddy.enable {
|
||||||
services.caddy.virtualHosts.${cfg.caddy.domain}.extraConfig = ''
|
services.caddy.virtualHosts.${cfg.caddy.domain}.extraConfig = ''
|
||||||
${lib.optionalString (cfg.caddy.forwardAuth != null) ''
|
${lib.optionalString cfg.caddy.forwardAuth.enable ''
|
||||||
forward_auth ${cfg.caddy.forwardAuth} {
|
forward_auth ${cfg.caddy.forwardAuth.address} {
|
||||||
uri /api/auth
|
uri ${cfg.caddy.forwardAuth.uri}
|
||||||
|
${lib.optionalString (cfg.caddy.forwardAuth.copyHeaders != [])
|
||||||
|
"copy_headers ${lib.concatStringsSep " " cfg.caddy.forwardAuth.copyHeaders}"}
|
||||||
}
|
}
|
||||||
''}
|
''}
|
||||||
reverse_proxy localhost:${toString cfg.port}
|
reverse_proxy localhost:${toString cfg.port}
|
||||||
|
|
|
||||||
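Review bot: The new `ExecStartPre` in the second hunk (`@ -317,9 +332,14`) runs as root (the `+` prefix) and executes `chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir}` on every start, which re-owns every file beneath `dataDir` — not just the three directories the removed tmpfiles rules used to own — and, because `${cfg.dataDir}` is unquoted, word-splits if the path contains whitespace. Keeping the privileged step to creating the directories and setting mode/ownership on exactly those paths, with quoting and `set -eu`, does what the old rules did without a recursive root chown over user data. Separately, `ReadWritePaths = [ cfg.dataDir ];` only restricts anything when combined with `ProtectSystem=` (or `ReadOnlyPaths=`), which is not visible in this hunk; if it is not set elsewhere in the unit, add `ProtectSystem = "strict";` beside it, otherwise the line is a no-op. The `serviceConfig` attribute set starts and the unit body continues outside the hunk.
```nix
ExecStartPre = "+${pkgs.writeShellScript "guestbook-prepare" ''
  set -eu
  for d in "${cfg.dataDir}" "${cfg.dataDir}/entries" "${cfg.dataDir}/drawings" "${cfg.dataDir}/voice_notes"; do
    install -d -m 0755 -o "${cfg.user}" -g "${cfg.group}" "$d"
  done
''}";
# … unchanged: Restart, User, Group …
ReadWritePaths = [ cfg.dataDir ];
```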