add options: selfprivacy.sso.enable && selfprivacy.sso.debug

selfprivacy.sso.enable is true by default.
2025-02-03 01:35:21 +04:00
parent 65548a1e73
commit 331fa63b33
6 changed files with 24 additions and 41 deletions
--- a/auth/auth.nix
+++ b/auth/auth.nix
@@ -1,8 +1,8 @@
 nixpkgs-2411: { config, lib, pkgs, ... }:
 let
-  cfg = config.selfprivacy.modules.auth;
  domain = config.selfprivacy.domain;
-  auth-fqdn = cfg.subdomain + "." + domain;
+  subdomain = "auth";
+  auth-fqdn = subdomain + "." + domain;

  ldap-host = "127.0.0.1";
  ldap-port = 3636;
@@ -46,37 +46,7 @@ let
  lua_path = "${lua_core_path};${lua_lrucache_path};";
 in
 {
-  options.selfprivacy.modules.auth = {
-    enable = (lib.mkOption {
-      default = false;
-      type = lib.types.bool;
-    }) // {
-      meta = {
-        type = "enable";
-      };
-    };
-    subdomain = (lib.mkOption {
-      default = "auth";
-      type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
-    }) // {
-      meta = {
-        widget = "subdomain";
-        type = "string";
-        regex = "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
-        weight = 0;
-      };
-    };
-    debug = (lib.mkOption {
-      default = false;
-      type = lib.types.bool;
-    }) // {
-      meta = {
-        type = "enable";
-      };
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
+  config = lib.mkIf config.selfprivacy.sso.enable {
    nixpkgs.overlays = [
      (
        _final: prev: {
@@ -132,7 +102,7 @@ in
        # kanidm is behind a proxy
        trust_x_forward_for = true;

-        log_level = if cfg.debug then "trace" else "info";
+        log_level = if config.selfprivacy.sso.debug then "trace" else "info";
      };
      provision = {
        enable = true;
@@ -151,8 +121,8 @@ in
    services.nginx = {
      enable = true;
      additionalModules =
-        lib.mkIf cfg.debug [ pkgs.nginxModules.lua ];
-      commonHttpConfig = lib.mkIf cfg.debug ''
+        lib.mkIf config.selfprivacy.sso.debug [ pkgs.nginxModules.lua ];
+      commonHttpConfig = lib.mkIf config.selfprivacy.sso.debug ''
        log_format kanidm escape=none '$request $status\n'
                                      '[Request body]: $request_body\n'
                                      '[Header]: $resp_header\n'
@@ -163,7 +133,7 @@ in
        useACMEHost = domain;
        forceSSL = true;
        locations."/" = {
-          extraConfig = lib.mkIf cfg.debug ''
+          extraConfig = lib.mkIf config.selfprivacy.sso.debug ''
            access_log /var/log/nginx/kanidm.log kanidm;

            lua_need_request_body on;
--- a/selfprivacy-module.nix
+++ b/selfprivacy-module.nix
@@ -34,6 +34,18 @@ with lib;
        type = types.nullOr types.bool;
      };
    };
+    sso = {
+      enable = mkOption {
+        description = "Enable SSO.";
+        default = true;
+        type = types.nullOr types.bool;
+      };
+      debug = mkOption {
+        description = "Enable debug for SSO.";
+        default = false;
+        type = types.nullOr types.bool;
+      };
+    };
    stateVersion = mkOption {
      description = "State version of the server";
      type = types.nullOr types.str;
--- a/sp-modules/gitea/module.nix
+++ b/sp-modules/gitea/module.nix
@@ -14,7 +14,7 @@ let
    "gitea-light"
    "gitea-dark"
  ];
-  is-auth-enabled = cfg.enableSso;
+  is-auth-enabled = cfg.enableSso && config.selfprivacy.sso.enable;
  oauth-client-id = "forgejo";
  auth-passthru = config.selfprivacy.passthru.auth;
  oauth2-provider-name = auth-passthru.oauth2-provider-name;
--- a/sp-modules/nextcloud/module.nix
+++ b/sp-modules/nextcloud/module.nix
@@ -12,7 +12,7 @@ let
  hostName = "${cfg.subdomain}.${sp.domain}";
  auth-passthru = config.selfprivacy.passthru.auth;
  cfg = sp.modules.nextcloud;
-  is-auth-enabled = cfg.enableSso;
+  is-auth-enabled = cfg.enableSso && config.selfprivacy.sso.enable;
  ldap_scheme_and_host = "ldaps://${auth-passthru.ldap-host}";

  occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ";
--- a/sp-modules/roundcube/module.nix
+++ b/sp-modules/roundcube/module.nix
@@ -2,7 +2,7 @@
 let
  domain = config.selfprivacy.domain;
  cfg = config.selfprivacy.modules.roundcube;
-  is-auth-enabled = cfg.enableSso;
+  is-auth-enabled = cfg.enableSso && config.selfprivacy.sso.enable;
  auth-passthru = config.selfprivacy.passthru.auth;
  auth-fqdn = auth-passthru.auth-fqdn;
  sp-module-name = "roundcube";
--- a/sp-modules/simple-nixos-mailserver/common.nix
+++ b/sp-modules/simple-nixos-mailserver/common.nix
@@ -4,7 +4,8 @@ rec {
  domain = config.selfprivacy.domain;
  group = "dovecot2";
  is-auth-enabled =
-    config.selfprivacy.modules.simple-nixos-mailserver.enableSso;
+    config.selfprivacy.modules.simple-nixos-mailserver.enableSso
+    && config.selfprivacy.sso.enable;

  appendSetting =
    { name, file, prefix, suffix ? "", passwordFile, destination }: