nullbite/nixfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

authelia: format

Browse Source
This commit is contained in:
NullBite 2024-07-14 13:28:07 -04:00
parent 85ac188f10
commit c99c0e18d8
Signed by: nullbite
GPG Key ID: 6C4D545385D4925A
1 changed files with 138 additions and 113 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

251
hosts/rpi4/authelia.nix
View File

@ -1,19 +1,31 @@
{ config, lib, pkgs, ... }: {
config,
lib,
pkgs,
...
}:
let let
inherit (lib) types inherit (lib) types mkIf optionalString;
mkIf
optionalString;
inherit (builtins) isNull any attrValues; inherit (builtins) isNull any attrValues;
validAuthMethods = [ "normal" "basic" ]; validAuthMethods = [
getUpstreamFromInstance = instance: let "normal"
inherit (config.services.authelia.instances.${instance}.settings) server; "basic"
inherit (server) port; ];
host = if server.host == "0.0.0.0" then "127.0.0.1" getUpstreamFromInstance =
else if lib.hasInfix ":" server.host then instance:
throw "TODO IPv6 not supported in Authelia server address (hard to parse, can't tell if it is [::])." let
else server.host; inherit (config.services.authelia.instances.${instance}.settings) server;
in "http://${host}:${port}"; inherit (server) port;
host =
if server.host == "0.0.0.0" then
"127.0.0.1"
else if lib.hasInfix ":" server.host then
throw "TODO IPv6 not supported in Authelia server address (hard to parse, can't tell if it is [::])."
else
server.host;
in
"http://${host}:${port}";
# use this when reverse proxying to authelia (and only authelia because i # use this when reverse proxying to authelia (and only authelia because i
# like the nixos recommended proxy settings better) # like the nixos recommended proxy settings better)
@ -55,7 +67,6 @@ let
proxy_connect_timeout 360; proxy_connect_timeout 360;
''; '';
autheliaLocation = '' autheliaLocation = ''
internal; internal;
@ -98,119 +109,133 @@ let
in in
{ {
# authelia # authelia
options.services.nginx = let options.services.nginx =
mkAttrsOfSubmoduleOpt = module: lib.mkOption { type = with types; attrsOf (submodule module); }; let
mkAttrsOfSubmoduleOpt = module: lib.mkOption { type = with types; attrsOf (submodule module); };
# make system config accessible from submodules # make system config accessible from submodules
systemConfig = config; systemConfig = config;
# submodule definitions # submodule definitions
vhostModule = { name, config, ... }@attrs: { vhostModule =
options = { { name, config, ... }@attrs:
locations = mkAttrsOfSubmoduleOpt (locationModule' attrs); {
authelia = { options = {
endpoint = { locations = mkAttrsOfSubmoduleOpt (locationModule' attrs);
instance = lib.mkOption { authelia = {
description = '' endpoint = {
Local Authelia instance to act as the authentication endpoint. instance = lib.mkOption {
This virtualHost will be configured to provide the description = ''
public-facing authentication service. Local Authelia instance to act as the authentication endpoint.
''; This virtualHost will be configured to provide the
type = with types; nullOr str; public-facing authentication service.
default = null; '';
}; type = with types; nullOr str;
upstream = lib.mkOption { default = null;
description = '' };
Internal URL of the Authelia endpoint to forward authentication upstream = lib.mkOption {
requests to. description = ''
''; Internal URL of the Authelia endpoint to forward authentication
type = with types; nullOr str; requests to.
default = null; '';
type = with types; nullOr str;
default = null;
};
};
instance = lib.mkOption {
description = ''
Local Authelia instance to use. Setting this option will
automatically configure Authelia on the specified virtualHost
with the given instance of Authelia.
'';
type = with types; nullOr str;
default = null;
};
upstream = lib.mkOption {
description = ''
Internal URL of the Authelia endpoint to forward authorization
requests to. This should not be the public-facing authentication
endpoint URL.
'';
};
method = lib.mkOption {
description = ''
Default Authelia authentication method to use for all locations
in this virtualHost. Authentication is disabled by default for
all locations if this is set to `null`.
'';
type = with types; nullOr oneOf validAuthMethods;
default = "regular";
example = "basic";
};
}; };
}; };
instance = lib.mkOption { config = {
description = '' authelia.upstream = mkIf (!(isNull config.authelia.instance)) (
Local Authelia instance to use. Setting this option will getUpstreamFromInstance config.authelia.instance
automatically configure Authelia on the specified virtualHost );
with the given instance of Authelia. authelia.endpoint.upstream = mkIf (!(isNull config.authelia.endpoint.instance)) (
''; getUpstreamFromInstance config.authelia.endpoint.instance
type = with types; nullOr str; );
default = null;
# authelia nginx internal endpoints
locations =
let
api = "${config.authelia.upstream}/api/authz/auth-request";
in
lib.mkIf (!(isNull config.authelia.upstream)) {
# just setup both, they can't be accessed externally anyways.
"/internal/authelia/authz" = {
proxyPass = api;
recommendedProxyConfig = false;
extraConfig = ''
include ${autheliaLocationConfig};
'';
};
"/internal/authelia/authz/basic" = {
proxyPass = "${api}/basic";
recommendedProxyConfig = false;
extraConfig = ''
include ${autheliaBasicLocationConfig};
'';
};
};
}; };
upstream = lib.mkOption { };
locationModule' =
vhostAttrs:
{ name, config, ... }:
let
vhostConfig = vhostAttrs.config;
in
{
options.authelia.method = lib.mkOption {
description = '' description = ''
Internal URL of the Authelia endpoint to forward authorization Authelia authentication method to use for this location.
requests to. This should not be the public-facing authentication Authentication is disabled for this location if this is set to
endpoint URL. `null`.
'';
};
method = lib.mkOption {
description = ''
Default Authelia authentication method to use for all locations
in this virtualHost. Authentication is disabled by default for
all locations if this is set to `null`.
''; '';
type = with types; nullOr oneOf validAuthMethods; type = with types; nullOr oneOf validAuthMethods;
default = "regular"; default = vhostConfig.authelia.method;
example = "basic"; example = "basic";
}; };
config =
lib.mkIf (!(isNull vhostConfig.authelia.upstream))
&& (!(lib.strings.hasPrefix "/internal/authelia/" name)) lib.mkMerge [
(
lib.mkIf config.authelia.method == "regular" {
}
)
];
}; };
};
config = {
authelia.upstream = mkIf (!(isNull config.authelia.instance))
(getUpstreamFromInstance config.authelia.instance);
authelia.endpoint.upstream = mkIf (!(isNull config.authelia.endpoint.instance))
(getUpstreamFromInstance config.authelia.endpoint.instance);
# authelia nginx internal endpoints in
locations = let {
api = "${config.authelia.upstream}/api/authz/auth-request"; virtualHosts = mkAttrsOfSubmoduleOpt vhostModule;
in lib.mkIf (!(isNull config.authelia.upstream)) {
# just setup both, they can't be accessed externally anyways.
"/internal/authelia/authz" = {
proxyPass = api;
recommendedProxyConfig = false;
extraConfig = ''
include ${autheliaLocationConfig};
'';
};
"/internal/authelia/authz/basic" = {
proxyPass = "${api}/basic";
recommendedProxyConfig = false;
extraConfig = ''
include ${autheliaBasicLocationConfig};
'';
};
};
};
}; };
locationModule' = vhostAttrs: { name, config, ... }: let
vhostConfig = vhostAttrs.config;
in {
options.authelia.method = lib.mkOption {
description = ''
Authelia authentication method to use for this location.
Authentication is disabled for this location if this is set to
`null`.
'';
type = with types; nullOr oneOf validAuthMethods;
default = vhostConfig.authelia.method;
example = "basic";
};
config = lib.mkIf (!(isNull vhostConfig.authelia.upstream)) &&
(!(lib.strings.hasPrefix "/internal/authelia/" name))
lib.mkMerge [
(lib.mkIf config.authelia.method == "regular" {
})
];
};
in {
virtualHosts = mkAttrsOfSubmoduleOpt vhostModule;
};
# TODO check if any vhosts have authelia configured # TODO check if any vhosts have authelia configured
config = mkIf false { config = mkIf false {