nixos/rauthy: init

NixOS · Jan 5, 2025 · d526fa7 · d526fa7
1 parent 6d3d017
commit d526fa7
Show file tree

Hide file tree

Showing 4 changed files with 124 additions and 0 deletions.
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
@@ -1367,6 +1367,7 @@
   ./services/security/opensnitch.nix
   ./services/security/pass-secret-service.nix
   ./services/security/physlock.nix
+  ./services/security/rauthy.nix
   ./services/security/shibboleth-sp.nix
   ./services/security/sks.nix
   ./services/security/sshguard.nix

diff --git a/nixos/modules/services/security/rauthy.nix b/nixos/modules/services/security/rauthy.nix
@@ -0,0 +1,84 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+
+let
+  inherit (lib)
+    maintainers
+    mkIf
+    mkEnableOption
+    mkPackageOption
+    mkOption
+    ;
+  inherit (lib.types)
+    nullOr
+    path
+    attrs
+    ;
+
+  cfg = config.services.rauthy;
+  format = pkgs.formats.ini { };
+  configFile = format.generate "rauthy.cfg" cfg.settings;
+in
+{
+  meta.maintainers = with maintainers; [
+    gepbird
+  ];
+
+  options.services.rauthy = {
+    enable = mkEnableOption "Rauthy";
+
+    package = mkPackageOption pkgs "rauthy" { };
+
+    environmentFile = mkOption {
+      type = nullOr path;
+      default = null;
+      example = "/run/secrets/rauthy.cfg";
+      description = ''
+        Environment file to inject e.g. secrets into the configuration.
+      '';
+    };
+
+    settings = mkOption {
+      type = attrs;
+      default = { };
+      example = {
+        PROXY_MODE = true;
+      };
+      description = ''
+        Additional key-value pair configuration options.
+        See https://sebadob.github.io/rauthy/config/production_config.html.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.rauthy = {
+      description = "rauthy";
+      after = [
+        "postgresql.service"
+      ];
+      wantedBy = [ "multi-user.target" ];
+
+      serviceConfig = {
+        Type = "simple";
+        WorkingDirecotry = "/var/lib/rauthy";
+        # rauthy must find rauthy.cfg in the cwd
+        ExecStartPre = pkgs.writeShellScript "rauthy-pre" ''
+          ln -sf ${configFile} /var/lib/rauthy/rauthy.cfg
+        '';
+        ExecStart = pkgs.writeShellScript "rauthy-start" ''
+          cd /var/lib/rauthy
+          ${cfg.package}/bin/rauthy
+        '';
+        StateDirectory = "rauthy";
+        EnvironmentFile = [
+          configFile
+        ] ++ lib.optional (cfg.environmentFile != null) cfg.environmentFile;
+      };
+    };
+  };
+}
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
@@ -885,6 +885,7 @@ in {
   ragnarwm = handleTest ./ragnarwm.nix {};
   rasdaemon = handleTest ./rasdaemon.nix {};
   rathole = handleTest ./rathole.nix {};
+  rauthy = handleTest ./rauthy.nix {};
   readarr = handleTest ./readarr.nix {};
   realm = handleTest ./realm.nix {};
   redis = handleTest ./redis.nix {};

diff --git a/nixos/tests/rauthy.nix b/nixos/tests/rauthy.nix
@@ -0,0 +1,38 @@
+import ./make-test-python.nix (
+  {
+    lib,
+    ...
+  }:
+  {
+    name = "rauthy";
+    meta.maintainers = with lib.maintainers; [
+      gepbird
+    ];
+
+    nodes.machine =
+      {
+        ...
+      }:
+      {
+        services.rauthy = {
+          enable = true;
+        };
+
+        services.postgresql = {
+          enable = true;
+          ensureDatabases = [ "rauthy" ];
+          ensureUsers = [
+            {
+              name = "rauthy";
+              ensureDBOwnership = true;
+            }
+          ];
+        };
+      };
+
+    testScript = ''
+      machine.wait_for_unit("rauthy.service")
+      machine.succeed("sleep 5")
+    '';
+  }
+)