diff options
Diffstat (limited to 'modules/services/nginx/sso/default.nix')
| -rw-r--r-- | modules/services/nginx/sso/default.nix | 80 |
1 files changed, 80 insertions, 0 deletions
diff --git a/modules/services/nginx/sso/default.nix b/modules/services/nginx/sso/default.nix new file mode 100644 index 0000000..27ed7d6 --- /dev/null +++ b/modules/services/nginx/sso/default.nix @@ -0,0 +1,80 @@ +# I must override the module to allow having runtime secrets +{ config, lib, pkgs, utils, ... }: +let + cfg = config.services.nginx.sso; + pkg = lib.getBin cfg.package; + confPath = "/var/lib/nginx-sso/config.json"; +in { + disabledModules = [ "services/security/nginx-sso.nix" ]; + options.services.nginx.sso = with lib; { + enable = mkEnableOption "nginx-sso service"; + package = mkOption { + type = types.package; + default = pkgs.nginx-sso; + defaultText = "pkgs.nginx-sso"; + description = '' + The nginx-sso package that should be used. + ''; + }; + configuration = mkOption { + type = types.attrsOf types.unspecified; + default = { }; + example = literalExample '' + { + listen = { addr = "127.0.0.1"; port = 8080; }; + providers.token.tokens = { + myuser = "MyToken"; + }; + acl = { + rule_sets = [ + { + rules = [ { field = "x-application"; equals = "MyApp"; } ]; + allow = [ "myuser" ]; + } + ]; + }; + } + ''; + description = '' + nginx-sso configuration + (<link xlink:href="https://github.com/Luzifer/nginx-sso/wiki/Main-Configuration">documentation</link>) + as a Nix attribute set. + ''; + }; + }; + config = lib.mkIf cfg.enable { + systemd.services.nginx-sso = { + description = "Nginx SSO Backend"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + StateDirectory = "nginx-sso"; + WorkingDirectory = "/var/lib/nginx-sso"; + # The files to be merged might not have the correct permissions + ExecStartPre = "+${ + pkgs.writeScript "merge-nginx-sso-config" '' + #!${pkgs.bash}/bin/bash + rm -f '${confPath}' + ${utils.genJqSecretsReplacementSnippet cfg.configuration confPath} + # Fix permissions + chown nginx-sso:nginx-sso ${confPath} + chmod 0600 ${confPath} + '' + }"; + ExecStart = lib.mkForce '' + ${pkg}/bin/nginx-sso \ + --config ${confPath} \ + --frontend-dir ${pkg}/share/frontend + ''; + Restart = "always"; + User = "nginx-sso"; + Group = "nginx-sso"; + }; + }; + users.users.nginx-sso = { + isSystemUser = true; + group = "nginx-sso"; + }; + users.groups.nginx-sso = { }; + }; +} |