nullbite/nixfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

authelia: apparently it's outdated (revert later)

Browse Source
This commit is contained in:
NullBite 2024-07-15 00:23:43 -04:00
parent aaf75bb899
commit 7a0dcc7e28
Signed by: nullbite
GPG Key ID: 6C4D545385D4925A
1 changed files with 42 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

84
hosts/rpi4/authelia.nix
View File

@ -80,8 +80,12 @@ let
## Headers
## The headers starting with X-* are required.
proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Forwarded-Method $request_method;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Content-Length "";
proxy_set_header Connection "";
@ -103,59 +107,39 @@ let
proxy_connect_timeout 240;
'';
autheliaLocationConfig = pkgs.writeText "authelia-location.conf" autheliaLocation;
autheliaBasicLocationConfig = pkgs.writeText "authelia-location-basic.conf" ''
${autheliaLocation}
# Auth Basic Headers
proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Forwarded-Method $request_method;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-URI $request_uri;
'';
genAuthConfig =
method:
let
snippet_regular = ''
## Configure the redirection when the authz failure occurs. Lines starting
## with 'Modern Method' and 'Legacy Method' should be commented /
## uncommented as pairs. The modern method uses the session cookies
## configuration's authelia_url value to determine the redirection URL here.
## It's much simpler and compatible with the mutli-cookie domain easily.
## Modern Method: Set the $redirection_url to the Location header of the
## response to the Authz endpoint.
auth_request_set $redirection_url $upstream_http_location;
## Modern Method: When there is a 401 response code from the authz endpoint
## redirect to the $redirection_url.
error_page 401 =302 $redirection_url;
autheliaBasicLocationConfig = autheliaLocationConfig;
genAuthConfig = method: endpoint: let
redirect = ''
## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
error_page 401 =302 ${endpoint}/?rd=$target_url;
'';
in
''
## Send a subrequest to Authelia to verify if the user is authenticated and
# has permission to access the resource.
in ''
auth_request /internal/authelia/authz${optionalString (method == "basic") "/basic"};
## Save the upstream metadata response headers from Authelia to variables.
## Set the $target_url variable based on the original request.
## Comment this line if you're using nginx without the http_set_misc module.
# set_escape_uri $target_url $scheme://$http_host$request_uri;
## Uncomment this line if you're using NGINX without the http_set_misc module.
set $target_url $scheme://$http_host$request_uri;
## Save the upstream response headers from Authelia to variables.
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;
## Inject the metadata response headers from the variables into the request
## made to the backend.
## Inject the response headers from the variables into the request made to the backend.
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Name $name;
proxy_set_header Remote-Email $email;
${optionalString (method == "regular") snippet_regular}
${optionalString (method == "regular") redirect}
'';
genAuthConfigPkg =
method: pkgs.writeText "authelia-authrequest-${method}.conf" (genAuthConfig method);
method: endpoint: pkgs.writeText "authelia-authrequest-${method}.conf" (genAuthConfig method endpoint);
in
{
# authelia
@ -174,6 +158,7 @@ in
locations = mkAttrsOfSubmoduleOpt (genLocationModule attrs);
authelia = {
endpoint = {
# endpoint settings
instance = lib.mkOption {
description = ''
Local Authelia instance to act as the authentication endpoint.
@ -192,6 +177,13 @@ in
default = null;
};
};
# client settings
endpointURL = lib.mkOption {
description = ''
(temporary) authelia endpoint redirect URL.
'';
type = with types; str;
};
instance = lib.mkOption {
description = ''
Local Authelia instance to use. Setting this option will
@ -233,7 +225,7 @@ in
# authelia nginx internal endpoints
locations =
let
api = "${config.authelia.upstream}/api/authz/auth-request";
api = "${config.authelia.upstream}/api/verify";
in
lib.mkMerge [
(lib.mkIf (!(isNull config.authelia.upstream)) {
@ -246,7 +238,7 @@ in
'';
};
"/internal/authelia/authz/basic" = {
proxyPass = "${api}/basic";
proxyPass = "${api}?auth=basic";
recommendedProxySettings = false;
extraConfig = ''
include ${autheliaBasicLocationConfig};
@ -291,6 +283,14 @@ in
default = vhostConfig.authelia.method;
example = "basic";
};
options.authelia.endpointURL = lib.mkOption {
description = ''
(temporary) authelia endpoint redirect URL.
'';
type = with types; str;
default = vhostConfig.authelia.endpointURL;
};
config =
lib.mkIf
(
@ -300,7 +300,7 @@ in
)
{
extraConfig = ''
include ${genAuthConfigPkg config.authelia.method};
include ${genAuthConfigPkg config.authelia.method config.authelia.endpointURL};
'';
};
};