secrets: add authelia session secret

This reverts commit 7a0dcc7e28ab0e789a17e6aaab4ad2c59946d2cd.

flake.lock

@@ -773,11 +773,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1721116560,
+        "lastModified": 1721302034,
-        "narHash": "sha256-++TYlGMAJM1Q+0nMVaWBSEvEUjRs7ZGiNQOpqbQApCU=",
+        "narHash": "sha256-BbJWsYURqMw4/SzR+f2gqdwrPGHP/FWRb9BS0UHLJCA=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "9355fa86e6f27422963132c2c9aeedb0fb963d93",
+        "rev": "ef681401c8318af5c354fc96530f5ab67d1f1ed9",
         "type": "github"
       },
       "original": {

hosts/rpi4/authelia.nix

@@ -80,12 +80,8 @@ let
 
     ## Headers
     ## The headers starting with X-* are required.
-    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
     proxy_set_header X-Original-Method $request_method;
-    proxy_set_header X-Forwarded-Method $request_method;
+    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
-    proxy_set_header X-Forwarded-Proto $scheme;
-    proxy_set_header X-Forwarded-Host $http_host;
-    proxy_set_header X-Forwarded-Uri $request_uri;
     proxy_set_header X-Forwarded-For $remote_addr;
     proxy_set_header Content-Length "";
     proxy_set_header Connection "";
@@ -107,39 +103,59 @@ let
     proxy_connect_timeout 240;
   '';
   autheliaLocationConfig = pkgs.writeText "authelia-location.conf" autheliaLocation;
-  autheliaBasicLocationConfig = autheliaLocationConfig;
+  autheliaBasicLocationConfig = pkgs.writeText "authelia-location-basic.conf" ''
-  genAuthConfig = method: endpoint: let
+    ${autheliaLocation}
-      redirect = ''
+
-        ## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
+    # Auth Basic Headers
-        error_page 401 =302 ${endpoint}/?rd=$target_url;
+    proxy_set_header X-Original-Method $request_method;
+    proxy_set_header X-Forwarded-Method $request_method;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Host $http_host;
+    proxy_set_header X-Forwarded-URI $request_uri;
   '';
-    in ''
+
+  genAuthConfig =
+    method:
+    let
+      snippet_regular = ''
+        ## Configure the redirection when the authz failure occurs. Lines starting
+        ## with 'Modern Method' and 'Legacy Method' should be commented /
+        ## uncommented as pairs. The modern method uses the session cookies
+        ## configuration's authelia_url value to determine the redirection URL here.
+        ## It's much simpler and compatible with the mutli-cookie domain easily.
+
+        ## Modern Method: Set the $redirection_url to the Location header of the
+        ## response to the Authz endpoint.
+        auth_request_set $redirection_url $upstream_http_location;
+
+        ## Modern Method: When there is a 401 response code from the authz endpoint
+        ## redirect to the $redirection_url.
+        error_page 401 =302 $redirection_url;
+      '';
+    in
+    ''
+      ## Send a subrequest to Authelia to verify if the user is authenticated and
+      # has permission to access the resource.
+
       auth_request /internal/authelia/authz${optionalString (method == "basic") "/basic"};
 
-      ## Set the $target_url variable based on the original request.
+      ## Save the upstream metadata response headers from Authelia to variables.
-
-      ## Comment this line if you're using nginx without the http_set_misc module.
-      # set_escape_uri $target_url $scheme://$http_host$request_uri;
-
-      ## Uncomment this line if you're using NGINX without the http_set_misc module.
-      set $target_url $scheme://$http_host$request_uri;
-
-      ## Save the upstream response headers from Authelia to variables.
       auth_request_set $user $upstream_http_remote_user;
       auth_request_set $groups $upstream_http_remote_groups;
       auth_request_set $name $upstream_http_remote_name;
       auth_request_set $email $upstream_http_remote_email;
 
-      ## Inject the response headers from the variables into the request made to the backend.
+      ## Inject the metadata response headers from the variables into the request
+      ## made to the backend.
       proxy_set_header Remote-User $user;
       proxy_set_header Remote-Groups $groups;
       proxy_set_header Remote-Name $name;
       proxy_set_header Remote-Email $email;
 
-      ${optionalString (method == "regular") redirect}
+      ${optionalString (method == "regular") snippet_regular}
     '';
   genAuthConfigPkg =
-    method: endpoint: pkgs.writeText "authelia-authrequest-${method}.conf" (genAuthConfig method endpoint);
+    method: pkgs.writeText "authelia-authrequest-${method}.conf" (genAuthConfig method);
 in
 {
   # authelia
@@ -158,7 +174,6 @@ in
             locations = mkAttrsOfSubmoduleOpt (genLocationModule attrs);
             authelia = {
               endpoint = {
-                # endpoint settings
                 instance = lib.mkOption {
                   description = ''
                     Local Authelia instance to act as the authentication endpoint.
@@ -177,13 +192,6 @@ in
                   default = null;
                 };
               };
-              # client settings
-              endpointURL = lib.mkOption {
-                description = ''
-                  (temporary) authelia endpoint redirect URL.
-                '';
-                type = with types; str;
-              };
               instance = lib.mkOption {
                 description = ''
                   Local Authelia instance to use. Setting this option will
@@ -227,7 +235,7 @@ in
             # authelia nginx internal endpoints
             locations =
               let
-                api = "${config.authelia.upstream}/api/verify";
+                api = "${config.authelia.upstream}/api/authz/auth-request";
               in
               lib.mkMerge [
                 (lib.mkIf (!(isNull config.authelia.upstream)) {
@@ -240,7 +248,7 @@ in
                     '';
                   };
                   "/internal/authelia/authz/basic" = {
-                    proxyPass = "${api}?auth=basic";
+                    proxyPass = "${api}/basic";
                     recommendedProxySettings = false;
                     extraConfig = ''
                       include ${autheliaBasicLocationConfig};
@@ -285,14 +293,6 @@ in
             default = vhostConfig.authelia.method;
             example = "basic";
           };
-          options.authelia.endpointURL = lib.mkOption {
-            description = ''
-              (temporary) authelia endpoint redirect URL.
-            '';
-            type = with types; str;
-            default = vhostConfig.authelia.endpointURL;
-          };
-
           config =
             lib.mkIf
               (
@@ -302,7 +302,7 @@ in
               )
               {
                 extraConfig = ''
-                  include ${genAuthConfigPkg config.authelia.method config.authelia.endpointURL};
+                  include ${genAuthConfigPkg config.authelia.method};
                 '';
               };
         };

secrets/authelia-session.age

@@ -0,0 +1,47 @@
+age-encryption.org/v1
+-> ssh-ed25519 YUrFgQ 42WuYgB9B/1sV+Q8qvMq/65u1Ed0hREmJKKOATv0r3M
+Ypm4fT9GizmjTTpD51VWs0+cZ1VMOQElDJjxNb8Hv/E
+-> ssh-rsa I7EAZw
+ZOmiFsTngJAdLrGRBmp/oYxkHnP0Jc/dtGMSNrsc8cpGWFmG7jz634V6Z6WPIXDc
+LsRo+UjNQeZzq8Dhayvg0rxi1jG8y6T4jqrDMNL9lHOcLzP2P3tJ7MMiXbTz6REe
+gBxB/dbluFf5QEbKkbg2OgqXdfdb2yqJkVw3TJa8v72sCuLrgGZuVclBlgxISP1x
+UQADBVevUCS9tHE9xCsIEUcZJVFjrsxXnyT0QirqLJTQldpogYuTWAre7gKON7Sr
+fulaKfq/BdKBr5XrtSTh8H1+t0wiQJ1DjfjoghgU8MATFj84yWEyusOAr9YHmFmf
+w1pzy3D2G6OTc8hyWG7JuGunWnnr5D+7WOQwNUjBqMRCcW7wI2Vb0ikkUctJ/4Ws
+XIjL7evBM5HvskwK438lFl+XaBkGXdCWHm6JrOkD3RTLLZFjYQnSdDMIALTUu4MC
+VE+VESpENmq7czckbxJpUKgI+LSS5hPty2DMSHS5SuFW8CV98bPB8TFiR1MMs9Ud
+
+-> ssh-rsa 0pGLuA
+bsz1aks3oNSbtc4NAV+Tm00a4EySmzwSc2kjcssod+TbguoYmyELuuEpPVLbiRmn
+GskJN+6rOHvFKJFtcIn22wEN6n+c445qNzvAPUKq3KFzSYmGtuKJDCvAgY+JkkTg
+lIeViZVSf9rwrGesAixrd7GoaWbrdhifHVIH6fPF6cyb2ufSj8NDDL8Fq55z8Q6d
+YTe25iCtVmrmlKjW5m37sOrSoSsGvhfMMc/VyrYu+Is3SsAzYURKVSH9JgQSTc3X
+rtGI8Yx2Hgk7z7uFDe3RKDJXV85nZzl0Vhid4TYlZ1QUc9JtsPAm8Sh8SMofNmnD
+GBU3C8j/1bs4qwX/s9UrqJJz0+ibAZ60gM0dr+r805k+hJR7iAiwTh9v3M067bVm
+4fr4xBoqMXr08t6elyQKKJtLweKSnTJQF/6BptcZapwJTWmxO9zrujag5Qse+csR
+jewrsuUddqngOKdHknmQwgoIRzbW3rCtmqjgbDoOvF1xEAONgoDJuUBiULt2elPC
+
+-> ssh-rsa JoBDow
+MbVKzWRHhCenqinwJcGxFW4tMaFfwZtA7Fp6L+f6DTCDbtuE9ovt2bbfJ6/yzJjE
+kEiEnLzNVZbVccdREDdI3kq8wiFJKuBVbOZXCGmk2rgVUzgwXO5FfHqM1dul5foW
+cJuzYfBAtmEnVCI0LjwTw+4nNnMzykhh/9OKjEUQ8bVFH+leFjgAeJdcTD5hWUtG
+w8WAlttos0gnFcxtPm1X+JN1Gyu1oiVGVk+u/hxWs7zAdAixPtICt5ZB3TLelyu8
+yWbMARZ4uLtPzgy0asSlmeOZ8r0oaTHWieLP30F1alsyakFbO6qXQZGEVNfx4z0e
+AvMnPz+SSLQ9OIdThnYOjDDAkT79I5xuY7YeGoDkTy6a8JEo1SdXkf+0SAtE/Ihx
+TTDhar+pjV+eV72fMbhbMvENcVb0o4edP/mCJXl8Wjz/RSlQs+huiF+RDEs0RX18
+iua+wAylwb1ZLYL4hzsxxUodngbroGwglaMMMCbV4wOYR9LPfwP6hy8/EvY30IxU
+
+-> ssh-rsa wzTCUg
+mIms/oP6KFSxBaulSRvNT3oTdMijcUZRQgPCiysvJBkpSSsIpoH2DSBhLqs2z7RS
+XvavUqn6FJCOQHb/c9TXoP00Mwx3X/mpn8mAxddnNH+19ZboFEAj9qgXMuWygjro
+CeO7h0TjYq55pubTS68BWb4BhIvAGQmIeFd7QyozdFOnAQ1Wdw+UjAuRl2GGEIAW
+ztk8yeU2zp5Jo8Nqc6GFNlZR7OYx8mlMAUvkdo53bU7fTM0EfsxRuP9aNO/HXoSS
+8OOGQzt+qefFoqDYWS16ftLafrBqdWps+ivWzn0Bh2CtdemdOKMDosBDtrHcLKL5
+qOgae79fQd5x9HF8UHqunGijgcGxnm0GHOT5mIGWw9ms4RzyhC58HVqOFmS0SIOW
+/SdHspEoFpY3E0ImHbDhDwfOcHbYzLllX9uf+0Nif8SMYGhEMa9loxYK1yKZVGHt
+NiBFidgH/8OECkDjmatBtzigYyq7Tk+Ct2eZZJSAyeP2VVNYT4uqtmp24hfBlLBR
+
+--- anDEUDvExEekm+KJ9jnPJRT52weZhy7l6dCeqeKltr0
+aD=˽˜t.$¡f˜DV›F}3ãzÖ5ücæ3*=¤…-ÚŽù³L?ú–ã˜^
+hP§©È¬Ÿ6T*|îXU¬c”
+IL<EFBFBD>Õ&<ïqŒÏ¶É‡¨jkƒ >ö±ØÐr¶ @%]ÊÀñe϶¡w[¹áy…Ö( l˜½~Ù•têK²Ö{"œöZ¯&ÿ·6r»cÎEüûW2¤0r<30>5¸$­¯”	¡!¸Œ<C2B8>JßÞGOsšÚ‹Ô”Sˆ›†Fm@Ó—a,Jú•ûÓût¨¹}é'¤4:&ÿc0AAz

secrets/secrets.nix

@@ -21,6 +21,7 @@ in
   "authelia-users.age".publicKeys = [ rpi4 ] ++ all-user;
   "authelia-storage.age".publicKeys = [ rpi4 ] ++ all-user;
   "authelia-jwt.age".publicKeys = [ rpi4 ] ++ all-user;
+  "authelia-session.age".publicKeys = [ rpi4 ] ++ all-user;
 
   "restic-rclone.age".publicKeys = [ rpi4 nullbox slab ] ++ all-user;
   "restic-password.age".publicKeys = [ rpi4 nullbox slab ] ++ all-user;