Merge pull request #273233 from SuperSandro2000/oauth2-proxy

nixos/oauth2-proxy{,-nginx}: renamed from oauth2_proxy, also renamed the servi…

authored by Sandro and committed by GitHub bafcff9b 98f5a7c4

+155 -155
+2
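--- a/nixos/doc/manual/release-notes/rl-2405.section.md
+++ b/nixos/doc/manual/release-notes/rl-2405.section.md
@@ -398,6 +398,8 @@
 
 - `services.zope2` has been removed as `zope2` is unmaintained and was relying on Python2.
 
+- `services.oauth2_proxy` was renamed to `services.oauth2-proxy`. Also the corresponding service, user and group were renamed.
+
 - `services.avahi.nssmdns` got split into `services.avahi.nssmdns4` and `services.avahi.nssmdns6` which enable the mDNS NSS switch for IPv4 and IPv6 respectively.
   Since most mDNS responders only register IPv4 addresses, most users want to keep the IPv6 support disabled to avoid long timeouts.
 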
+2 -2
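--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1256,8 +1256,8 @@
   ./services/security/kanidm.nix
   ./services/security/munge.nix
   ./services/security/nginx-sso.nix
-  ./services/security/oauth2_proxy.nix
-  ./services/security/oauth2_proxy_nginx.nix
+  ./services/security/oauth2-proxy.nix
+  ./services/security/oauth2-proxy-nginx.nix
   ./services/security/opensnitch.nix
   ./services/security/pass-secret-service.nix
   ./services/security/physlock.nix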
+124 -125
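--- a/nixos/modules/services/security/oauth2_proxy.nix
+++ b/nixos/modules/services/security/oauth2-proxy.nix
@@ -1,15 +1,12 @@
-# NixOS module for oauth2_proxy.
-
 { config, lib, pkgs, ... }:
 
-with lib;
 let
-  cfg = config.services.oauth2_proxy;
+  cfg = config.services.oauth2-proxy;
 
-  # oauth2_proxy provides many options that are only relevant if you are using
+  # oauth2-proxy provides many options that are only relevant if you are using
   # a certain provider. This set maps from provider name to a function that
   # takes the configuration and returns a string that can be inserted into the
-  # command-line to launch oauth2_proxy.
+  # command-line to launch oauth2-proxy.
   providerSpecificOptions = {
     azure = cfg: {
       azure-tenant = cfg.azure.tenant;
@@ -73,28 +70,28 @@
   } // (getProviderOptions cfg cfg.provider) // cfg.extraConfig;
 
   mapConfig = key: attr:
-  optionalString (attr != null && attr != []) (
-    if isDerivation attr then mapConfig key (toString attr) else
-    if (builtins.typeOf attr) == "set" then concatStringsSep " "
-      (mapAttrsToList (name: value: mapConfig (key + "-" + name) value) attr) else
-    if (builtins.typeOf attr) == "list" then concatMapStringsSep " " (mapConfig key) attr else
-    if (builtins.typeOf attr) == "bool" then "--${key}=${boolToString attr}" else
+  lib.optionalString (attr != null && attr != []) (
+    if lib.isDerivation attr then mapConfig key (toString attr) else
+    if (builtins.typeOf attr) == "set" then lib.concatStringsSep " "
+      (lib.mapAttrsToList (name: value: mapConfig (key + "-" + name) value) attr) else
+    if (builtins.typeOf attr) == "list" then lib.concatMapStringsSep " " (mapConfig key) attr else
+    if (builtins.typeOf attr) == "bool" then "--${key}=${lib.boolToString attr}" else
     if (builtins.typeOf attr) == "string" then "--${key}='${attr}'" else
     "--${key}=${toString attr}");
 
-  configString = concatStringsSep " " (mapAttrsToList mapConfig allConfig);
+  configString = lib.concatStringsSep " " (lib.mapAttrsToList mapConfig allConfig);
 in
 {
-  options.services.oauth2_proxy = {
-    enable = mkEnableOption "oauth2_proxy";
+  options.services.oauth2-proxy = {
+    enable = lib.mkEnableOption "oauth2-proxy";
 
-    package = mkPackageOption pkgs "oauth2-proxy" { };
+    package = lib.mkPackageOption pkgs "oauth2-proxy" { };
 
     ##############################################
     # PROVIDER configuration
     # Taken from: https://github.com/oauth2-proxy/oauth2-proxy/blob/master/providers/providers.go
-    provider = mkOption {
-      type = types.enum [
+    provider = lib.mkOption {
+      type = lib.types.enum [
         "adfs"
         "azure"
         "bitbucket"
@@ -116,24 +113,24 @@
       '';
     };
 
-    approvalPrompt = mkOption {
-      type = types.enum ["force" "auto"];
+    approvalPrompt = lib.mkOption {
+      type = lib.types.enum ["force" "auto"];
       default = "force";
       description = ''
         OAuth approval_prompt.
       '';
     };
 
-    clientID = mkOption {
-      type = types.nullOr types.str;
+    clientID = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
       description = ''
         The OAuth Client ID.
       '';
       example = "123456.apps.googleusercontent.com";
     };
 
-    oidcIssuerUrl = mkOption {
-      type = types.nullOr types.str;
+    oidcIssuerUrl = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
       default = null;
       description = ''
         The OAuth issuer URL.
@@ -141,15 +138,15 @@
       example = "https://login.microsoftonline.com/{TENANT_ID}/v2.0";
     };
 
-    clientSecret = mkOption {
-      type = types.nullOr types.str;
+    clientSecret = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
       description = ''
         The OAuth Client Secret.
       '';
     };
 
-    skipAuthRegexes = mkOption {
-      type = types.listOf types.str;
+    skipAuthRegexes = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
       default = [];
       description = ''
         Skip authentication for requests matching any of these regular
@@ -159,8 +156,8 @@
 
     # XXX: Not clear whether these two options are mutually exclusive or not.
     email = {
-      domains = mkOption {
-        type = types.listOf types.str;
+      domains = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
         default = [];
         description = ''
           Authenticate emails with the specified domains. Use
@@ -168,8 +165,8 @@
         '';
       };
 
-      addresses = mkOption {
-        type = types.nullOr types.lines;
+      addresses = lib.mkOption {
+        type = lib.types.nullOr lib.types.lines;
         default = null;
         description = ''
           Line-separated email addresses that are allowed to authenticate.
@@ -177,8 +174,8 @@
       };
     };
 
-    loginURL = mkOption {
-      type = types.nullOr types.str;
+    loginURL = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
       default = null;
       description = ''
         Authentication endpoint.
@@ -190,8 +187,8 @@
       example = "https://provider.example.com/oauth/authorize";
     };
 
-    redeemURL = mkOption {
-      type = types.nullOr types.str;
+    redeemURL = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
       default = null;
       description = ''
         Token redemption endpoint.
@@ -203,8 +200,8 @@
       example = "https://provider.example.com/oauth/token";
     };
 
-    validateURL = mkOption {
-      type = types.nullOr types.str;
+    validateURL = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
       default = null;
       description = ''
         Access token validation endpoint.
@@ -216,10 +213,10 @@
       example = "https://provider.example.com/user/emails";
     };
 
-    redirectURL = mkOption {
+    redirectURL = lib.mkOption {
       # XXX: jml suspects this is always necessary, but the command-line
       # doesn't require it so making it optional.
-      type = types.nullOr types.str;
+      type = lib.types.nullOr lib.types.str;
       default = null;
       description = ''
         The OAuth2 redirect URL.
@@ -228,16 +225,16 @@
     };
 
     azure = {
-      tenant = mkOption {
-        type = types.str;
+      tenant = lib.mkOption {
+        type = lib.types.str;
         default = "common";
         description = ''
           Go to a tenant-specific or common (tenant-independent) endpoint.
         '';
       };
 
-      resource = mkOption {
-        type = types.str;
+      resource = lib.mkOption {
+        type = lib.types.str;
         description = ''
           The resource that is protected.
         '';
@@ -245,8 +242,8 @@
     };
 
     google = {
-      adminEmail = mkOption {
-        type = types.str;
+      adminEmail = lib.mkOption {
+        type = lib.types.str;
         description = ''
           The Google Admin to impersonate for API calls.
 
@@ -258,16 +255,16 @@
         '';
       };
 
-      groups = mkOption {
-        type = types.listOf types.str;
+      groups = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
         default = [];
         description = ''
           Restrict logins to members of these Google groups.
         '';
       };
 
-      serviceAccountJSON = mkOption {
-        type = types.path;
+      serviceAccountJSON = lib.mkOption {
+        type = lib.types.path;
         description = ''
           The path to the service account JSON credentials.
         '';
@@ -275,16 +272,16 @@
     };
 
     github = {
-      org = mkOption {
-        type = types.nullOr types.str;
+      org = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
         default = null;
         description = ''
           Restrict logins to members of this organisation.
         '';
       };
 
-      team = mkOption {
-        type = types.nullOr types.str;
+      team = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
         default = null;
         description = ''
           Restrict logins to members of this team.
@@ -295,8 +292,8 @@
 
     ####################################################
     # UPSTREAM Configuration
-    upstream = mkOption {
-      type = with types; coercedTo str (x: [x]) (listOf str);
+    upstream = lib.mkOption {
+      type = with lib.types; coercedTo str (x: [x]) (listOf str);
       default = [];
       description = ''
         The http url(s) of the upstream endpoint or `file://`
@@ -304,40 +301,40 @@
       '';
     };
 
-    passAccessToken = mkOption {
-      type = types.bool;
+    passAccessToken = lib.mkOption {
+      type = lib.types.bool;
       default = false;
       description = ''
         Pass OAuth access_token to upstream via X-Forwarded-Access-Token header.
       '';
     };
 
-    passBasicAuth = mkOption {
-      type = types.bool;
+    passBasicAuth = lib.mkOption {
+      type = lib.types.bool;
       default = true;
       description = ''
         Pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream.
       '';
     };
 
-    basicAuthPassword = mkOption {
-      type = types.nullOr types.str;
+    basicAuthPassword = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
       default = null;
       description = ''
         The password to set when passing the HTTP Basic Auth header.
       '';
     };
 
-    passHostHeader = mkOption {
-      type = types.bool;
+    passHostHeader = lib.mkOption {
+      type = lib.types.bool;
       default = true;
       description = ''
         Pass the request Host Header to upstream.
       '';
     };
 
-    signatureKey = mkOption {
-      type = types.nullOr types.str;
+    signatureKey = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
       default = null;
       description = ''
         GAP-Signature request signature key.
@@ -346,8 +343,8 @@
     };
 
     cookie = {
-      domain = mkOption {
-        type = types.nullOr types.str;
+      domain = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
         default = null;
         description = ''
           Optional cookie domains to force cookies to (ie: `.yourcompany.com`).
@@ -357,33 +354,33 @@
         example = ".yourcompany.com";
       };
 
-      expire = mkOption {
-        type = types.str;
+      expire = lib.mkOption {
+        type = lib.types.str;
         default = "168h0m0s";
         description = ''
           Expire timeframe for cookie.
         '';
       };
 
-      httpOnly = mkOption {
-        type = types.bool;
+      httpOnly = lib.mkOption {
+        type = lib.types.bool;
         default = true;
         description = ''
           Set HttpOnly cookie flag.
         '';
       };
 
-      name = mkOption {
-        type = types.str;
+      name = lib.mkOption {
+        type = lib.types.str;
         default = "_oauth2_proxy";
         description = ''
           The name of the cookie that the oauth_proxy creates.
         '';
       };
 
-      refresh = mkOption {
+      refresh = lib.mkOption {
         # XXX: Unclear what the behavior is when this is not specified.
-        type = types.nullOr types.str;
+        type = lib.types.nullOr lib.types.str;
         default = null;
         description = ''
           Refresh the cookie after this duration; 0 to disable.
@@ -391,15 +388,15 @@
         example = "168h0m0s";
       };
 
-      secret = mkOption {
-        type = types.nullOr types.str;
+      secret = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
         description = ''
           The seed string for secure cookies.
         '';
       };
 
-      secure = mkOption {
-        type = types.bool;
+      secure = lib.mkOption {
+        type = lib.types.bool;
         default = true;
         description = ''
           Set secure (HTTPS) cookie flag.
@@ -410,8 +407,8 @@
     ####################################################
     # OAUTH2 PROXY configuration
 
-    httpAddress = mkOption {
-      type = types.str;
+    httpAddress = lib.mkOption {
+      type = lib.types.str;
       default = "http://127.0.0.1:4180";
       description = ''
         HTTPS listening address. This module does not expose the port by
@@ -421,8 +418,8 @@
     };
 
     htpasswd = {
-      file = mkOption {
-        type = types.nullOr types.path;
+      file = lib.mkOption {
+        type = lib.types.nullOr lib.types.path;
         default = null;
         description = ''
           Additionally authenticate against a htpasswd file. Entries must be
@@ -430,8 +427,8 @@
         '';
       };
 
-      displayForm = mkOption {
-        type = types.bool;
+      displayForm = lib.mkOption {
+        type = lib.types.bool;
         default = true;
         description = ''
           Display username / password login form if an htpasswd file is provided.
@@ -439,16 +436,16 @@
       };
     };
 
-    customTemplatesDir = mkOption {
-      type = types.nullOr types.path;
+    customTemplatesDir = lib.mkOption {
+      type = lib.types.nullOr lib.types.path;
       default = null;
       description = ''
         Path to custom HTML templates.
       '';
     };
 
-    reverseProxy = mkOption {
-      type = types.bool;
+    reverseProxy = lib.mkOption {
+      type = lib.types.bool;
       default = false;
       description = ''
         In case when running behind a reverse proxy, controls whether headers
@@ -458,8 +455,8 @@
       '';
     };
 
-    proxyPrefix = mkOption {
-      type = types.str;
+    proxyPrefix = lib.mkOption {
+      type = lib.types.str;
       default = "/oauth2";
       description = ''
         The url root path that this proxy should be nested under.
@@ -467,30 +464,30 @@
     };
 
     tls = {
-      enable = mkOption {
-        type = types.bool;
+      enable = lib.mkOption {
+        type = lib.types.bool;
         default = false;
         description = ''
           Whether to serve over TLS.
         '';
       };
 
-      certificate = mkOption {
-        type = types.path;
+      certificate = lib.mkOption {
+        type = lib.types.path;
         description = ''
           Path to certificate file.
         '';
       };
 
-      key = mkOption {
-        type = types.path;
+      key = lib.mkOption {
+        type = lib.types.path;
         description = ''
           Path to private key file.
         '';
       };
 
-      httpsAddress = mkOption {
-        type = types.str;
+      httpsAddress = lib.mkOption {
+        type = lib.types.str;
         default = ":443";
         description = ''
           `addr:port` to listen on for HTTPS clients.
@@ -502,8 +499,8 @@
       };
     };
 
-    requestLogging = mkOption {
-      type = types.bool;
+    requestLogging = lib.mkOption {
+      type = lib.types.bool;
       default = true;
       description = ''
         Log requests to stdout.
@@ -514,42 +511,42 @@
     # UNKNOWN
 
     # XXX: Is this mandatory? Is it part of another group? Is it part of the provider specification?
-    scope = mkOption {
+    scope = lib.mkOption {
       # XXX: jml suspects this is always necessary, but the command-line
       # doesn't require it so making it optional.
-      type = types.nullOr types.str;
+      type = lib.types.nullOr lib.types.str;
       default = null;
       description = ''
         OAuth scope specification.
       '';
     };
 
-    profileURL = mkOption {
-      type = types.nullOr types.str;
+    profileURL = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
       default = null;
       description = ''
         Profile access endpoint.
       '';
     };
 
-    setXauthrequest = mkOption {
-      type = types.nullOr types.bool;
+    setXauthrequest = lib.mkOption {
+      type = lib.types.nullOr lib.types.bool;
       default = false;
       description = ''
         Set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode). Setting this to 'null' means using the upstream default (false).
       '';
     };
 
-    extraConfig = mkOption {
+    extraConfig = lib.mkOption {
       default = {};
-      type = types.attrsOf types.anything;
+      type = lib.types.attrsOf lib.types.anything;
       description = ''
         Extra config to pass to oauth2-proxy.
       '';
     };
 
-    keyFile = mkOption {
-      type = types.nullOr types.path;
+    keyFile = lib.mkOption {
+      type = lib.types.nullOr lib.types.path;
       default = null;
       description = ''
         oauth2-proxy allows passing sensitive configuration via environment variables.
@@ -557,28 +554,30 @@
         OAUTH2_PROXY_CLIENT_SECRET=asdfasdfasdf.apps.googleuserscontent.com
         and specify the path here.
       '';
-      example = "/run/keys/oauth2_proxy";
+      example = "/run/keys/oauth2-proxy";
     };
-
   };
 
-  config = mkIf cfg.enable {
+  imports = [
+    (lib.mkRenamedOptionModule [ "services" "oauth2_proxy" ] [ "services" "oauth2-proxy" ])
+  ];
 
-    services.oauth2_proxy = mkIf (cfg.keyFile != null) {
-      clientID = mkDefault null;
-      clientSecret = mkDefault null;
-      cookie.secret = mkDefault null;
+  config = lib.mkIf cfg.enable {
+    services.oauth2-proxy = lib.mkIf (cfg.keyFile != null) {
+      clientID = lib.mkDefault null;
+      clientSecret = lib.mkDefault null;
+      cookie.secret = lib.mkDefault null;
     };
 
-    users.users.oauth2_proxy = {
+    users.users.oauth2-proxy = {
       description = "OAuth2 Proxy";
       isSystemUser = true;
-      group = "oauth2_proxy";
+      group = "oauth2-proxy";
     };
 
-    users.groups.oauth2_proxy = {};
+    users.groups.oauth2-proxy = {};
 
-    systemd.services.oauth2_proxy = {
+    systemd.services.oauth2-proxy = {
       description = "OAuth2 Proxy";
       path = [ cfg.package ];
       wantedBy = [ "multi-user.target" ];
@@ -586,10 +585,10 @@
       after = [ "network-online.target" ];
 
       serviceConfig = {
-        User = "oauth2_proxy";
+        User = "oauth2-proxy";
         Restart = "always";
         ExecStart = "${cfg.package}/bin/oauth2-proxy ${configString}";
-        EnvironmentFile = mkIf (cfg.keyFile != null) cfg.keyFile;
+        EnvironmentFile = lib.mkIf (cfg.keyFile != null) cfg.keyFile;
       };
     };
 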
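Review bot: `clientSecret` (new line 141) and `cookie.secret` (new line 391) are plain `lib.types.str` options whose descriptions do not say where the value ends up: every non-null entry of `allConfig` is rendered by `mapConfig` into `configString`, which is interpolated into `ExecStart` at line 590, so a secret given through these options is written into the generated unit file in the world-readable Nix store and is visible in the process arguments. Whether both options are part of `allConfig` is outside the hunk, but the `lib.mkDefault null` overrides at lines 567-569 when `keyFile` is set suggest they are. Consider adding to each of the two descriptions a sentence such as `Values set here are embedded in the systemd unit in the Nix store and in the process command line; prefer providing the secret through keyFile.` Separately, the `lib.mkRenamedOptionModule` at line 562 aliases only the option path, so a configuration that still extends the old `systemd.services.oauth2_proxy` unit (renamed at line 580) gets no warning and presumably ends up defining an unrelated unit; a one-line mention of the unit name in the release note entry would make that easier to spot.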
+27 -28
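--- a/nixos/modules/services/security/oauth2_proxy_nginx.nix
+++ b/nixos/modules/services/security/oauth2-proxy-nginx.nix
@@ -1,56 +1,55 @@
 { config, lib, ... }:
-with lib;
 let
-  cfg = config.services.oauth2_proxy.nginx;
+  cfg = config.services.oauth2-proxy.nginx;
 in
 {
-  options.services.oauth2_proxy.nginx = {
-    proxy = mkOption {
-      type = types.str;
-      default = config.services.oauth2_proxy.httpAddress;
-      defaultText = literalExpression "config.services.oauth2_proxy.httpAddress";
+  options.services.oauth2-proxy.nginx = {
+    proxy = lib.mkOption {
+      type = lib.types.str;
+      default = config.services.oauth2-proxy.httpAddress;
+      defaultText = lib.literalExpression "config.services.oauth2-proxy.httpAddress";
       description = ''
-        The address of the reverse proxy endpoint for oauth2_proxy
+        The address of the reverse proxy endpoint for oauth2-proxy
       '';
     };
 
-    domain = mkOption {
-      type = types.str;
+    domain = lib.mkOption {
+      type = lib.types.str;
       description = ''
-        The domain under which the oauth2_proxy will be accesible and the path of cookies are set to.
+        The domain under which the oauth2-proxy will be accesible and the path of cookies are set to.
         This setting must be set to ensure back-redirects are working properly
-        if oauth2-proxy is configured with {option}`services.oauth2_proxy.cookie.domain`
-        or multiple {option}`services.oauth2_proxy.nginx.virtualHosts` that are not on the same domain.
+        if oauth2-proxy is configured with {option}`services.oauth2-proxy.cookie.domain`
+        or multiple {option}`services.oauth2-proxy.nginx.virtualHosts` that are not on the same domain.
       '';
     };
 
-    virtualHosts = mkOption {
+    virtualHosts = lib.mkOption {
       type = let
-        vhostSubmodule = types.submodule {
+        vhostSubmodule = lib.types.submodule {
           options = {
-            allowed_groups = mkOption {
-              type = types.nullOr (types.listOf types.str);
+            allowed_groups = lib.mkOption {
+              type = lib.types.nullOr (lib.types.listOf lib.types.str);
               description = "List of groups to allow access to this vhost, or null to allow all.";
               default = null;
             };
-            allowed_emails = mkOption {
-              type = types.nullOr (types.listOf types.str);
+            allowed_emails = lib.mkOption {
+              type = lib.types.nullOr (lib.types.listOf lib.types.str);
               description = "List of emails to allow access to this vhost, or null to allow all.";
               default = null;
             };
-            allowed_email_domains = mkOption {
-              type = types.nullOr (types.listOf types.str);
+            allowed_email_domains = lib.mkOption {
+              type = lib.types.nullOr (lib.types.listOf lib.types.str);
               description = "List of email domains to allow access to this vhost, or null to allow all.";
               default = null;
             };
           };
         };
-        oldType = types.listOf types.str;
+        oldType = lib.types.listOf lib.types.str;
         convertFunc = x:
-          lib.warn "services.oauth2_proxy.nginx.virtualHosts should be an attrset, found ${lib.generators.toPretty {} x}"
+          lib.warn "services.oauth2-proxy.nginx.virtualHosts should be an attrset, found ${lib.generators.toPretty {} x}"
           lib.genAttrs x (_: {});
-        newType = types.attrsOf vhostSubmodule;
-      in types.coercedTo oldType convertFunc newType;
+        newType = lib.types.attrsOf vhostSubmodule;
+      in lib.types.coercedTo oldType convertFunc newType;
       default = {};
       example = {
         "protected.foo.com" = {
@@ -65,11 +64,11 @@
     };
   };
 
-  config.services.oauth2_proxy = mkIf (cfg.virtualHosts != [] && (hasPrefix "127.0.0.1:" cfg.proxy)) {
+  config.services.oauth2-proxy = lib.mkIf (cfg.virtualHosts != [] && (lib.hasPrefix "127.0.0.1:" cfg.proxy)) {
     enable = true;
   };
 
-  config.services.nginx = mkIf (cfg.virtualHosts != [] && config.services.oauth2_proxy.enable) (mkMerge ([
+  config.services.nginx = lib.mkIf (cfg.virtualHosts != [] && config.services.oauth2-proxy.enable) (lib.mkMerge ([
     {
       virtualHosts.${cfg.domain}.locations."/oauth2/" = {
         proxyPass = cfg.proxy;
@@ -79,7 +78,7 @@
       '';
     };
     }
-  ] ++ optional (cfg.virtualHosts != []) {
+  ] ++ lib.optional (cfg.virtualHosts != []) {
     recommendedProxySettings = true; # needed because duplicate headers
   } ++ (lib.mapAttrsToList (vhost: conf: {
     virtualHosts.${vhost} = {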
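Review bot: The guard `cfg.virtualHosts != []` on new lines 67, 71 and 81 compares an attribute set with a list: the option's type is `coercedTo oldType convertFunc newType` with `newType = lib.types.attrsOf vhostSubmodule` and `default = {}`, so the merged value is always an attrset, and in Nix values of different types are never equal, which makes the condition true even with no virtual hosts configured. The consequence on line 71 is that the `services.nginx` definition, including `virtualHosts.${cfg.domain}` which forces the default-less `domain` option, is applied whenever oauth2-proxy is enabled, and `lib.optional` on line 81 unconditionally turns on `recommendedProxySettings`; all three should read `cfg.virtualHosts != {}`. The auto-enable on line 67 also looks dead with defaults, since `proxy` inherits `httpAddress` (line 9) whose default in oauth2-proxy.nix is `http://127.0.0.1:4180`, which `lib.hasPrefix "127.0.0.1:"` does not match — worth confirming against the intended semantics. The `config.services.nginx` expression continues past the end of the hunk.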