
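# NixOS module running oauth2-proxy as a confined, DynamicUser systemd service.
#
# The TOML config is generated from `settings` into the Nix store, which is
# world-readable on the host, so it must never carry secrets. Secrets are
# supplied through `environmentFiles`; oauth2-proxy picks them up from
# `OAUTH2_PROXY_*` environment variables.
{
  pkgs,
  lib,
  config,
  ...
}:
let
  inherit (lib)
    mkEnableOption
    mkIf
    mkOption
    getExe
    ;
  inherit (lib.types)
    pathWith
    listOf
    ;
  cfg = config.xyno.services.oauth2Proxy;
  settingsFormat = pkgs.formats.toml { };
  # Store path: readable by every local user, see the note on `settings`.
  configFile = settingsFormat.generate "oauth2-proxy.conf" cfg.settings;
  # Absolute host path that is rejected if it points into the store, so a
  # secrets file cannot accidentally be copied into /nix/store.
  absPath = pathWith {
    inStore = false;
    absolute = true;
  };
in
{
  options.xyno.services.oauth2Proxy = {
    enable = mkEnableOption "oauth2-proxy";
    package = lib.mkPackageOption pkgs "oauth2-proxy" { };
    settings = mkOption {
      type = settingsFormat.type;
      description = ''
        Contents of the generated oauth2-proxy TOML config file.
        The file is written to the Nix store and is therefore world-readable;
        do not put secrets (client secret, cookie secret, ...) here. Provide
        them as `OAUTH2_PROXY_*` variables through `environmentFiles` instead.
      '';
    };
    environmentFiles = mkOption {
      type = listOf absPath;
      default = [ ];
      example = [ "/run/secrets/oauth2Proxy" ];
      description = ''
        Files in systemd `EnvironmentFile` format loaded into the service
        environment, intended for secrets. Paths must be absolute and must not
        point into the Nix store.
      '';
    };
  };
  config = mkIf cfg.enable {
    systemd.services.oauth2-proxy = {
      wantedBy = [ "multi-user.target" ];
      description = "OAuth2 Proxy (66642's less weird version)";
      # Chroot built from the package closure only; anything else the process
      # needs from the host has to be bind-mounted explicitly below.
      confinement.enable = true;
      # NOTE(review): network.target does not guarantee connectivity. If the
      # provider's discovery document is fetched at startup, consider
      # `wants`/`after` on network-online.target instead.
      after = [ "network.target" ];
      serviceConfig = {
        BindReadOnlyPaths = [
          # Leading "-" means the mount is skipped if the source is absent.
          "-/etc/resolv.conf"
          "-/run/systemd"
          "/etc/hosts"
          # System CA bundle, so TLS to the identity provider verifies inside
          # the chroot.
          "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt"
        ];
        ExecStart = "${getExe cfg.package} --config=${configFile}";
        EnvironmentFile = cfg.environmentFiles;
        # DynamicUser implies NoNewPrivileges, RemoveIPC and a transient UID,
        # so nothing persists on disk as a reusable identity.
        DynamicUser = true;
        # Empty bounding set: no capabilities at all.
        CapabilityBoundingSet = [ "" ];
        # Only TCP/IP socket families; AF_UNIX is deliberately excluded.
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
        ];
        PrivateDevices = true;
        UMask = "0022";
        SystemCallFilter = [ "@system-service" ];
        # Filtered syscalls fail with EPERM instead of killing the process.
        SystemCallErrorNumber = "EPERM";
        LockPersonality = true;
        PrivateTmp = true;
        ProcSubset = "pid";
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProtectSystem = "strict";
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
      };
    };
  };
}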