nullbite/nixfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

authelia: more wip

Browse Source
This commit is contained in:
NullBite 2024-07-14 13:27:58 -04:00
parent 56e8b0564d
commit 85ac188f10
Signed by: nullbite
GPG Key ID: 6C4D545385D4925A
1 changed files with 31 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
hosts/rpi4/authelia.nix
View File

@ -5,6 +5,7 @@ let
optionalString; optionalString;
inherit (builtins) isNull any attrValues; inherit (builtins) isNull any attrValues;
validAuthMethods = [ "normal" "basic" ];
getUpstreamFromInstance = instance: let getUpstreamFromInstance = instance: let
inherit (config.services.authelia.instances.${instance}.settings) server; inherit (config.services.authelia.instances.${instance}.settings) server;
inherit (server) port; inherit (server) port;
@ -29,7 +30,8 @@ let
## Basic Proxy Configuration ## Basic Proxy Configuration
client_body_buffer_size 128k; client_body_buffer_size 128k;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead. # Timeout if the real server is dead.
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
proxy_redirect http:// $scheme://; proxy_redirect http:// $scheme://;
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_cache_bypass $cookie_session; proxy_cache_bypass $cookie_session;
@ -142,6 +144,16 @@ in
endpoint URL. endpoint URL.
''; '';
}; };
method = lib.mkOption {
description = ''
Default Authelia authentication method to use for all locations
in this virtualHost. Authentication is disabled by default for
all locations if this is set to `null`.
'';
type = with types; nullOr oneOf validAuthMethods;
default = "regular";
example = "basic";
};
}; };
}; };
config = { config = {
@ -154,6 +166,7 @@ in
locations = let locations = let
api = "${config.authelia.upstream}/api/authz/auth-request"; api = "${config.authelia.upstream}/api/authz/auth-request";
in lib.mkIf (!(isNull config.authelia.upstream)) { in lib.mkIf (!(isNull config.authelia.upstream)) {
# just setup both, they can't be accessed externally anyways.
"/internal/authelia/authz" = { "/internal/authelia/authz" = {
proxyPass = api; proxyPass = api;
recommendedProxyConfig = false; recommendedProxyConfig = false;
@ -175,6 +188,23 @@ in
locationModule' = vhostAttrs: { name, config, ... }: let locationModule' = vhostAttrs: { name, config, ... }: let
vhostConfig = vhostAttrs.config; vhostConfig = vhostAttrs.config;
in { in {
options.authelia.method = lib.mkOption {
description = ''
Authelia authentication method to use for this location.
Authentication is disabled for this location if this is set to
`null`.
'';
type = with types; nullOr oneOf validAuthMethods;
default = vhostConfig.authelia.method;
example = "basic";
};
config = lib.mkIf (!(isNull vhostConfig.authelia.upstream)) &&
(!(lib.strings.hasPrefix "/internal/authelia/" name))
lib.mkMerge [
(lib.mkIf config.authelia.method == "regular" {
})
];
}; };
in { in {