chore(auth): further generalize authn

So that it's possible to plug another OAuth2 instance.

Signed-off-by: Raito Bezarius <raito@lix.systems>

nix/coordinator.nix

@@ -19,9 +19,47 @@ in
         type = lib.types.path;
         description = "File containing a list of nix workers";
       };
-      oauth2SecretFile = lib.mkOption {
+
+      oauth2 = {
+        name = lib.mkOption {
+          type = lib.types.str;
+          description = "Name of the OAuth2 login method";
+        };
+
+        icon = lib.mkOption {
+          type = lib.types.str;
+          description = "FontAwesome string for the icon associated to the OAuth2 login";
+          default = "fa-login";
+          example = "fa-login";
+        };
+
+        clientId = lib.mkOption {
+          type = lib.types.str;
+          description = "Client ID for the OAuth2 authentication";
+        };
+
+        clientSecretFile = lib.mkOption {
           type = lib.types.path;
-        description = "File containing an OAuth 2 client secret";
+          description = "Path to a file containing an OAuth 2 client secret";
+        };
+
+        resourceEndpoint = lib.mkOption {
+          type = lib.types.str;
+          description = "URL to the OAuth 2 resource";
+          example = "https://identity.lix.systems";
+        };
+
+        authUri = lib.mkOption {
+          type = lib.types.str;
+          description = "Authentication URI";
+          example = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/auth";
+        };
+
+        tokenUri = lib.mkOption {
+          type = lib.types.str;
+          description = "Token URI";
+          example = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/token";
+        };
       };
       buildSystems = lib.mkOption {
         type = lib.types.listOf lib.types.str;
@@ -150,23 +188,23 @@ in
       home = "/var/lib/buildbot";
       extraImports = ''
         from datetime import timedelta
-        from buildbot_nix import GerritNixConfigurator, read_secret_file
+        from buildbot_nix import GerritNixConfigurator, read_secret_file, make_oauth2_method, OAuth2Config
+
+        # TODO(raito): make me configurable from the NixOS module.
+        # how?
+        CustomOAuth2 = make_oauth2_method(OAuth2Config(
+          name=${builtins.toJSON cfg.oauth2.name},
+          faIcon=${builtins.toJSON cfg.oauth2.icon},
+          resourceEndpoint=${builtins.toJSON cfg.oauth2.resourceEndpoint},
+          authUri=${builtins.toJSON cfg.oauth2.authUri},
+          tokenUri=${builtins.toJSON cfg.oauth2.tokenUri}
+        ))
       '';
       configurators = [
         ''
           util.JanitorConfigurator(logHorizon=timedelta(weeks=4), hour=12, dayOfWeek=6)
         ''
         ''
-          # TODO(raito): make me configurable from the NixOS module.
-          # how?
-          LixSystemsOAuth2 = make_oauth2_method(OAuth2Config(
-            name='Lix',
-            faIcon='fa-login',
-            resourceEndpoint='https://identity.lix.systems',
-            authUri='https://identity.lix.systems/realms/lix-project/protocol/openid-connect/auth',
-            tokenUri='https://identity.lix.systems/realms/lix-project/protocol/openid-connect/token'
-          )
-
           GerritNixConfigurator(
               "${cfg.gerrit.domain}",
               "${cfg.gerrit.username}",
@@ -184,7 +222,7 @@ in
                 inherit (cfg.binaryCache) bucket region endpoint;
                 profile = "default";
               }},
-              auth_method=LixSystemsOAuth2('buildbot',
+              auth_method=CustomOAuth2(${builtins.toJSON cfg.oauth2.clientId},
                 read_secret_file('buildbot-oauth2-secret'),
                 autologin=True
               )
@@ -230,7 +268,7 @@ in
         # in master.py we read secrets from $CREDENTIALS_DIRECTORY
         LoadCredential = [
           "buildbot-nix-workers:${cfg.workersFile}"
-          "buildbot-oauth2-secret:${cfg.oauth2SecretFile}"
+          "buildbot-oauth2-secret:${cfg.oauth2.clientSecretFile}"
         ];
       };
     };