rpi4: multi instance auth for url shortener

2024-07-15 17:47:20 -04:00 · 2024-07-15 17:47:20 -04:00 · c415426c49
commit c415426c49
parent 29e620f018
1 changed files with 21 additions and 8 deletions
--- a/hosts/rpi4/services.nix
+++ b/hosts/rpi4/services.nix
@ -81,7 +81,7 @@
      8123
    ];

-    services.authelia.instances.main = {
+    services.authelia.instances = lib.mapAttrs (inst: opts: {
      enable = true;
      secrets = {
        jwtSecretFile = config.age.secrets.authelia-jwt.path;
@ -89,11 +89,15 @@
      };
      settings = {
        access_control.default_policy = "one_factor";
-        storage.local.path = "/var/lib/authelia-main/db.sqlite";
-        session.domain = "protogen.io";
-        notifier.filesystem.filename = "/var/lib/authelia-main/notification.txt";
+        storage.local.path = "/var/lib/authelia-${inst}/db.sqlite";
+        session.domain = "${opts.domain}";
+        notifier.filesystem.filename = "/var/lib/authelia-${inst}/notification.txt";
        authentication_backend.file.path = config.age.secrets.authelia-users.path;
      };
+    }) {
+      main.domain = "protogen.io";
+      nbt-sh.domain = "nbt.sh";
+      proot-link.domain = "proot.link";
    };

    services.nginx = {
@ -122,8 +126,8 @@
            basicAuthFile = config.age.secrets.htpasswd.path;
          })
          (lib.mkIf authelia {
-            authelia.instance = "main";
-            authelia.endpointURL = "https://auth.protogen.io";
+            authelia.instance = lib.mkDefault "main";
+            authelia.endpointURL = lib.mkDefault "https://auth.protogen.io";
          })
          extraConfig
        ];
@ -197,9 +201,18 @@

        # URL shortener
        "nbt.sh" = mkProxy { port = 8090; extraConfig.serverAliases = [ "proot.link" ]; };
+
        "admin.nbt.sh" = mkProxy { authelia = true; port = 8091; extraConfig = {
-          # authelia version in NixOS does not support multiple domains, use basic
-          authelia.method = "basic"; serverAliases = [ "admin.proot.link" ];
+          authelia = {
+            instance = "nbt-sh";
+            endpointURL = "https://auth.nbt.sh";
+          };
+        };};
+        "admin.proot.link" = mkProxy { authelia = true; port = 8091; extraConfig = {
+          authelia = {
+            instance = "proot-link";
+            endpointURL = "https://auth.proot.link";
+          };
        };};

        # uptime