gador/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
69ff9034930b3a9c3735bb1a65009dd9684cf1d5
nixpkgs/nixos/modules/services/security/nginx-sso.nix
Bruno BELANYI f3b85882a2 nixos/nginx-sso: use '/run' to generate config 
Closes #461198.
2025-11-13 11:09:29 +00:00

80 lines
2.1 KiB
Nix
Raw Blame History

{
config,
lib,
pkgs,
utils,
...
}:
let
cfg = config.services.nginx.sso;
format = pkgs.formats.yaml { };
configPath = "/run/nginx-sso/config.yaml";
secretsReplacement = utils.genJqSecretsReplacement {
loadCredential = true;
} cfg.configuration configPath;
in
{
options.services.nginx.sso = {
enable = lib.mkEnableOption "nginx-sso service";
package = lib.mkPackageOption pkgs "nginx-sso" { };
configuration = lib.mkOption {
type = format.type;
default = { };
example = lib.literalExpression ''
{
listen = { addr = "127.0.0.1"; port = 8080; };
providers.token.tokens = {
myuser = {
_secret = "/path/to/secret/token.txt"; # File content should be the secret token
};
};
acl = {
rule_sets = [
{
rules = [ { field = "x-application"; equals = "MyApp"; } ];
allow = [ "myuser" ];
}
];
};
}
'';
description = ''
nginx-sso configuration
([documentation](https://github.com/Luzifer/nginx-sso/wiki/Main-Configuration))
as a Nix attribute set.
Options containing secret data should be set to an attribute set
with the singleton attribute `_secret` - a string value set to the path
to the file containing the secret value which should be used in the
configuration.
'';
};
};
config = lib.mkIf cfg.enable {
systemd.services.nginx-sso = {
description = "Nginx SSO Backend";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
preStart = secretsReplacement.script;
serviceConfig = {
StateDirectory = "nginx-sso";
WorkingDirectory = "/var/lib/nginx-sso";
RuntimeDirectory = "nginx-sso";
ExecStart = ''
${lib.getExe cfg.package} \
--config ${configPath} \
--frontend-dir ${lib.getBin cfg.package}/share/frontend
'';
LoadCredential = secretsReplacement.credentials;
Restart = "always";
DynamicUser = true;
};
};
};
}
Reference in New Issue View Git Blame Copy Permalink