Oauth2 proxy

services.oauth2-proxy.approvalPrompt

OAuth approval_prompt.

Type: one of "force", "auto"

Default

"force"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.azure.resource

The resource that is protected.

Type: string

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.azure.tenant

Go to a tenant-specific or common (tenant-independent) endpoint.

Type: string

Default

"common"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.basicAuthPassword

The password to set when passing the HTTP Basic Auth header.

Type: null or string

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.clientID

The OAuth Client ID.

Type: null or string

Example

"123456.apps.googleusercontent.com"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.clientSecret

The OAuth Client Secret.

Type: null or string

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.cookie.domain

Optional cookie domain to force cookies to (e.g. .yourcompany.com). The longest domain matching the request's host will be used (or the shortest cookie domain if there is no match).

Type: null or string

Default

null

Example

".yourcompany.com"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.cookie.expire

Expire timeframe for cookie.

Type: string

Default

"168h0m0s"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.cookie.httpOnly

Set HttpOnly cookie flag.

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.cookie.name

The name of the cookie that the oauth_proxy creates.

Type: string

Default

"_oauth2_proxy"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.cookie.refresh

Refresh the cookie after this duration; 0 to disable.

Type: null or string

Default

null

Example

"168h0m0s"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.cookie.secret

The seed string for secure cookies.

Type: null or string

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.cookie.secure

Set secure (HTTPS) cookie flag.

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.customTemplatesDir

Path to custom HTML templates.

Type: null or path

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.email.addresses

Line-separated email addresses that are allowed to authenticate.

Type: null or strings concatenated with "\n"

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.email.domains

Authenticate emails with the specified domains. Use * to authenticate any email.

Type: list of string

Default

[ ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.enable

Whether to enable oauth2-proxy.

Type: boolean

Default

false

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.extraConfig

Extra config to pass to oauth2-proxy.

Type: attribute set of anything

Default

{ }

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.github.org

Restrict logins to members of this organisation.

Type: null or string

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.github.team

Restrict logins to members of this team.

Type: null or string

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.google.adminEmail

The Google Admin to impersonate for API calls.

Only users with access to the Admin APIs can access the Admin SDK Directory API, thus the service account needs to impersonate one of those users to access the Admin SDK Directory API.

See https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account.

Type: string

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.google.groups

Restrict logins to members of these Google groups.

Type: list of string

Default

[ ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.google.serviceAccountJSON

The path to the service account JSON credentials.

Type: path

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.htpasswd.displayForm

Display username / password login form if an htpasswd file is provided.

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.htpasswd.file

Additionally authenticate against an htpasswd file. Entries must be created with htpasswd -s, so that passwords are stored as SHA hashes.

Type: null or path

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.httpAddress

HTTP listening address. This module does not expose the port by default. If you want this URL to be accessible to other machines, please add the port to networking.firewall.allowedTCPPorts.

Type: string

Default

"http://127.0.0.1:4180"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.keyFile

oauth2-proxy allows passing sensitive configuration via environment variables. Make a file that contains lines like OAUTH2_PROXY_CLIENT_SECRET=asdfasdfasdf.apps.googleusercontent.com and specify the path here.

Type: null or path

Default

null

Example

"/run/keys/oauth2-proxy"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.loginURL

Authentication endpoint.

You only need to set this if you are using a self-hosted provider (e.g. GitHub Enterprise). If you're using a publicly hosted provider (e.g. github.com), then the default works.

Type: null or string

Default

null

Example

"https://provider.example.com/oauth/authorize"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.nginx.domain

The domain under which oauth2-proxy will be accessible and on which its cookies are set. This setting must be set to ensure back-redirects work properly if oauth2-proxy is configured with services.oauth2-proxy.cookie.domain or with multiple services.oauth2-proxy.nginx.virtualHosts that are not on the same domain.

Type: string

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy-nginx.nix

services.oauth2-proxy.nginx.proxy

The address of the reverse proxy endpoint for oauth2-proxy.

Type: string

Default

config.services.oauth2-proxy.httpAddress

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy-nginx.nix

services.oauth2-proxy.nginx.virtualHosts

Nginx virtual hosts to put behind the oauth2 proxy. You can exclude specific locations by setting auth_request off; in that location's extraConfig setting.

Type: (attribute set of (submodule)) or (list of string) convertible to it

Default

{ }

Example

{
  "protected.foo.com" = {
    allowed_emails = [ "boss@foo.com" ];
    allowed_groups = [ "admins" ];
  };
}

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy-nginx.nix

services.oauth2-proxy.nginx.virtualHosts.<name>.allowed_email_domains

List of email domains to allow access to this vhost, or null to allow all.

Type: null or (list of string)

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy-nginx.nix

services.oauth2-proxy.nginx.virtualHosts.<name>.allowed_emails

List of emails to allow access to this vhost, or null to allow all.

Type: null or (list of string)

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy-nginx.nix

services.oauth2-proxy.nginx.virtualHosts.<name>.allowed_groups

List of groups to allow access to this vhost, or null to allow all.

Type: null or (list of string)

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy-nginx.nix

services.oauth2-proxy.oidcIssuerUrl

The OAuth issuer URL.

Type: null or string

Default

null

Example

"https://login.microsoftonline.com/{TENANT_ID}/v2.0"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.package

The oauth2-proxy package to use.

Type: package

Default

pkgs.oauth2-proxy

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.passAccessToken

Pass OAuth access_token to upstream via X-Forwarded-Access-Token header.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.passBasicAuth

Pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream.

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.passHostHeader

Pass the request Host Header to upstream.

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.profileURL

Profile access endpoint.

Type: null or string

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.provider

OAuth provider.

Type: one of "adfs", "azure", "bitbucket", "digitalocean", "facebook", "github", "gitlab", "google", "keycloak", "keycloak-oidc", "linkedin", "login.gov", "nextcloud", "oidc"

Default

"google"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.proxyPrefix

The URL root path that this proxy should be nested under.

Type: string

Default

"/oauth2"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.redeemURL

Token redemption endpoint.

You only need to set this if you are using a self-hosted provider (e.g. GitHub Enterprise). If you're using a publicly hosted provider (e.g. github.com), then the default works.

Type: null or string

Default

null

Example

"https://provider.example.com/oauth/token"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.redirectURL

The OAuth2 redirect URL.

Type: null or string

Default

null

Example

"https://internalapp.yourcompany.com/oauth2/callback"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.requestLogging

Log requests to stdout.

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.reverseProxy

When running behind a reverse proxy, controls whether headers like X-Real-Ip are accepted. Usage behind a reverse proxy will require this flag to be set to avoid logging the reverse proxy's IP address instead of the client's.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.scope

OAuth scope specification.

Type: null or string

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.setXauthrequest

Set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode). Setting this to 'null' means using the upstream default (false).

Type: null or boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.signatureKey

GAP-Signature request signature key.

Type: null or string

Default

null

Example

"sha1:secret0"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.skipAuthRegexes

Skip authentication for requests matching any of these regular expressions.

Type: list of string

Default

[ ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.tls.certificate

Path to certificate file.

Type: path

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.tls.enable

Whether to serve over TLS.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.tls.httpsAddress

The addr:port to listen on for HTTPS clients.

Remember to add the port to networking.firewall.allowedTCPPorts if you want other machines to be able to connect to it.

Type: string

Default

":443"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.tls.key

Path to private key file.

Type: path

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.upstream

The HTTP URL(s) of the upstream endpoint, or file:// paths for static files. Routing is based on the path.

Type: (list of string) or string convertible to it

Default

[ ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix

services.oauth2-proxy.validateURL

Access token validation endpoint.

You only need to set this if you are using a self-hosted provider (e.g. GitHub Enterprise). If you're using a publicly hosted provider (e.g. github.com), then the default works.

Type: null or string

Default

null

Example

"https://provider.example.com/user/emails"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/security/oauth2-proxy.nix