From 56e8b0564de3263ad19dfa26fb822e4cb7b2ed16 Mon Sep 17 00:00:00 2001
From: NullBite
Date: Sun, 14 Jul 2024 03:06:27 -0400
Subject: [PATCH] authelia: wip
---
 hosts/rpi4/authelia.nix | 114 +++++++++++++++++++++++++++++++++++++---
 1 file changed, 108 insertions(+), 6 deletions(-)
diff --git a/hosts/rpi4/authelia.nix b/hosts/rpi4/authelia.nix
index a25376e..a15d309 100644
--- a/hosts/rpi4/authelia.nix
+++ b/hosts/rpi4/authelia.nix
@@ -1,7 +1,9 @@
 { config, lib, pkgs, ... }:
 let
- inherit (lib) types;
- inherit (builtins) isNull;
+ inherit (lib) types
+ mkIf
+ optionalString;
+ inherit (builtins) isNull any attrValues;
 getUpstreamFromInstance = instance: let
 inherit (config.services.authelia.instances.${instance}.settings) server;
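Review bot: `optionalString`, `any` and `attrValues` are newly inherited here but nothing in this patch references them; if they are reserved for the TODO assertion in the last hunk, a one-line comment saying so would help, otherwise leave them out until they are used so unused bindings do not pile up. The `let` block continues past the end of this hunk.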
@@ -11,6 +13,86 @@ let
 throw "TODO IPv6 not supported in Authelia server address (hard to parse, can't tell if it is [::])."
 else server.host;
 in "http://${host}:${port}";
+
+ # use this when reverse proxying to authelia (and only authelia because i
+ like the nixos recommended proxy settings better)
+ autheliaProxyConfig = pkgs.writeText "authelia-proxy-config.conf" ''
+ ## Headers
+ proxy_set_header Host $host;
+ proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Forwarded-URI $request_uri;
+ proxy_set_header X-Forwarded-Ssl on;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Real-IP $remote_addr;
+
+ ## Basic Proxy Configuration
+ client_body_buffer_size 128k;
+ proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead.
+ proxy_redirect http:// $scheme://;
+ proxy_http_version 1.1;
+ proxy_cache_bypass $cookie_session;
+ proxy_no_cache $cookie_session;
+ proxy_buffers 64 256k;
+
+ ## Trusted Proxies Configuration
+ ## Please read the following documentation before configuring this:
+ ## https://www.authelia.com/integration/proxies/nginx/#trusted-proxies
+ # set_real_ip_from 10.0.0.0/8;
+ # set_real_ip_from 172.16.0.0/12;
+ # set_real_ip_from 192.168.0.0/16;
+ # set_real_ip_from fc00::/7;
+ real_ip_header X-Forwarded-For;
+ real_ip_recursive on;
+
+ ## Advanced Proxy Configuration
+ send_timeout 5m;
+ proxy_read_timeout 360;
+ proxy_send_timeout 360;
+ proxy_connect_timeout 360;
+ '';
+
+
+ autheliaLocation = ''
+ internal;
+
+ ## Headers
+ ## The headers starting with X-* are required.
+ proxy_set_header X-Original-Method $request_method;
+ proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Content-Length "";
+ proxy_set_header Connection "";
+
+ ## Basic Proxy Configuration
+ proxy_pass_request_body off;
+ proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead
+ proxy_redirect http:// $scheme://;
+ proxy_http_version 1.1;
+ proxy_cache_bypass $cookie_session;
+ proxy_no_cache $cookie_session;
+ proxy_buffers 4 32k;
+ client_body_buffer_size 128k;
+
+ ## Advanced Proxy Configuration
+ send_timeout 5m;
+ proxy_read_timeout 240;
+ proxy_send_timeout 240;
+ proxy_connect_timeout 240;
+ '';
+ autheliaLocationConfig = pkgs.writeText "authelia-location.conf" autheliaLocation;
+ autheliaBasicLocationConfig = pkgs.writeText "authelia-location-basic.conf" ''
+ ${autheliaLocation}
+
+ # Auth Basic Headers
+ proxy_set_header X-Original-Method $request_method;
+ proxy_set_header X-Forwarded-Method $request_method;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Forwarded-URI $request_uri;
+ '';
+
 in {
 # authelia
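Review bot: In `autheliaProxyConfig`, `real_ip_header X-Forwarded-For` and `real_ip_recursive on` are enabled while every `set_real_ip_from` is commented out, so the realip module is currently inert and the `X-Forwarded-For $remote_addr` line above it is what Authelia sees — that is the safe state, but the commented examples are entire private ranges, and uncommenting them as-is would let any host on those networks supply the client address that Authelia presumably uses in its network-based access rules; suggest replacing the four example lines with a single `# set_real_ip_from <ADDRESS OF THE UPSTREAM PROXY ONLY>;` so the required narrowing is explicit. `proxy_set_header X-Forwarded-Ssl on;` is unconditional even though `X-Forwarded-Proto` is `$scheme`, so if this file is ever included by a vhost that also serves plain HTTP the two headers disagree; either state in the comment that the include is TLS-only or use `proxy_set_header X-Forwarded-Ssl $https;`. In `autheliaBasicLocationConfig`, `X-Original-Method` is set again although `${autheliaLocation}` already sets it, so the duplicate line can be dropped. The surrounding `let` block opens in the first hunk and closes at `in {` here.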
@@ -63,10 +145,30 @@ in
 };
 };
 config = {
- authelia.upstream = lib.mkIf (!(isNull config.authelia.instance))
+ authelia.upstream = mkIf (!(isNull config.authelia.instance))
 (getUpstreamFromInstance config.authelia.instance);
- authelia.endpoint.upstream = lib.mkIf (!(isNull config.authelia.endpoint.instance))
+ authelia.endpoint.upstream = mkIf (!(isNull config.authelia.endpoint.instance))
 (getUpstreamFromInstance config.authelia.endpoint.instance);
+
+ # authelia nginx internal endpoints
+ locations = let
+ api = "${config.authelia.upstream}/api/authz/auth-request";
+ in lib.mkIf (!(isNull config.authelia.upstream)) {
+ "/internal/authelia/authz" = {
+ proxyPass = api;
+ recommendedProxyConfig = false;
+ extraConfig = ''
+ include ${autheliaLocationConfig};
+ '';
+ };
+ "/internal/authelia/authz/basic" = {
+ proxyPass = "${api}/basic";
+ recommendedProxyConfig = false;
+ extraConfig = ''
+ include ${autheliaBasicLocationConfig};
+ '';
+ };
+ };
 };
 };
@@ -80,10 +182,10 @@ in
 };
 # TODO check if any vhosts have authelia configured
- config = lib.mkIf false {
+ config = mkIf false {
 assertions = [
- # TODO vhost cannot be both auth endpoint and regular reverse proxy
+ # TODO vhost cannot be both auth endpoint proxy and regular reverse proxy
 ];
 };
 }
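Review bot: `in lib.mkIf (!(isNull config.authelia.upstream)) {` still uses the qualified name while the two `authelia.upstream` assignments just above it in this hunk were switched to the inherited `mkIf`; make it `in mkIf (!(isNull config.authelia.upstream)) {` for consistency. The property that keeps `/internal/authelia/authz` and `/internal/authelia/authz/basic` unreachable by clients is the `internal;` directive inside the included `autheliaLocationConfig`, which is not visible from this module, so a comment on the `locations` attribute such as `# both locations are only reachable via auth_request: "internal;" comes from the included config` would make that invariant explicit to whoever adds a third location here. `api` interpolates `config.authelia.upstream` in the `let` before the null guard; this appears safe only because the module system drops `mkIf` content unevaluated, and moving the `let` inside the guarded attrset would remove the dependency on that. The `config = {` attrset opens and closes within the hunk; the enclosing submodule starts outside it.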