Compare commits
3 Commits
56e8b0564d
...
f69cec5ba8
| Author | SHA1 | Date | |
|---|---|---|---|
f69cec5ba8
|
|||
|
c99c0e18d8
|
|||
|
85ac188f10
|
@ -1,18 +1,31 @@
|
|||||||
{ config, lib, pkgs, ... }:
|
{
|
||||||
|
config,
|
||||||
|
lib,
|
||||||
|
pkgs,
|
||||||
|
...
|
||||||
|
}:
|
||||||
let
|
let
|
||||||
inherit (lib) types
|
inherit (lib) types mkIf optionalString;
|
||||||
mkIf
|
|
||||||
optionalString;
|
|
||||||
inherit (builtins) isNull any attrValues;
|
inherit (builtins) isNull any attrValues;
|
||||||
|
|
||||||
getUpstreamFromInstance = instance: let
|
validAuthMethods = [
|
||||||
inherit (config.services.authelia.instances.${instance}.settings) server;
|
"normal"
|
||||||
inherit (server) port;
|
"basic"
|
||||||
host = if server.host == "0.0.0.0" then "127.0.0.1"
|
];
|
||||||
else if lib.hasInfix ":" server.host then
|
getUpstreamFromInstance =
|
||||||
throw "TODO IPv6 not supported in Authelia server address (hard to parse, can't tell if it is [::])."
|
instance:
|
||||||
else server.host;
|
let
|
||||||
in "http://${host}:${port}";
|
inherit (config.services.authelia.instances.${instance}.settings) server;
|
||||||
|
inherit (server) port;
|
||||||
|
host =
|
||||||
|
if server.host == "0.0.0.0" then
|
||||||
|
"127.0.0.1"
|
||||||
|
else if lib.hasInfix ":" server.host then
|
||||||
|
throw "TODO IPv6 not supported in Authelia server address (hard to parse, can't tell if it is [::])."
|
||||||
|
else
|
||||||
|
server.host;
|
||||||
|
in
|
||||||
|
"http://${host}:${port}";
|
||||||
|
|
||||||
# use this when reverse proxying to authelia (and only authelia because i
|
# use this when reverse proxying to authelia (and only authelia because i
|
||||||
# like the nixos recommended proxy settings better)
|
# like the nixos recommended proxy settings better)
|
||||||
@ -29,7 +42,8 @@ let
|
|||||||
|
|
||||||
## Basic Proxy Configuration
|
## Basic Proxy Configuration
|
||||||
client_body_buffer_size 128k;
|
client_body_buffer_size 128k;
|
||||||
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead.
|
# Timeout if the real server is dead.
|
||||||
|
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
|
||||||
proxy_redirect http:// $scheme://;
|
proxy_redirect http:// $scheme://;
|
||||||
proxy_http_version 1.1;
|
proxy_http_version 1.1;
|
||||||
proxy_cache_bypass $cookie_session;
|
proxy_cache_bypass $cookie_session;
|
||||||
@ -53,7 +67,6 @@ let
|
|||||||
proxy_connect_timeout 360;
|
proxy_connect_timeout 360;
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
|
||||||
autheliaLocation = ''
|
autheliaLocation = ''
|
||||||
internal;
|
internal;
|
||||||
|
|
||||||
@ -93,94 +106,177 @@ let
|
|||||||
proxy_set_header X-Forwarded-URI $request_uri;
|
proxy_set_header X-Forwarded-URI $request_uri;
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
genAuthConfig =
|
||||||
|
method:
|
||||||
|
let
|
||||||
|
snippet_regular = ''
|
||||||
|
## Configure the redirection when the authz failure occurs. Lines starting
|
||||||
|
## with 'Modern Method' and 'Legacy Method' should be commented /
|
||||||
|
## uncommented as pairs. The modern method uses the session cookies
|
||||||
|
## configuration's authelia_url value to determine the redirection URL here.
|
||||||
|
## It's much simpler and compatible with the mutli-cookie domain easily.
|
||||||
|
|
||||||
|
## Modern Method: Set the $redirection_url to the Location header of the
|
||||||
|
## response to the Authz endpoint.
|
||||||
|
auth_request_set $redirection_url $upstream_http_location;
|
||||||
|
|
||||||
|
## Modern Method: When there is a 401 response code from the authz endpoint
|
||||||
|
## redirect to the $redirection_url.
|
||||||
|
error_page 401 =302 $redirection_url;
|
||||||
|
'';
|
||||||
|
in
|
||||||
|
''
|
||||||
|
## Send a subrequest to Authelia to verify if the user is authenticated and
|
||||||
|
# has permission to access the resource.
|
||||||
|
|
||||||
|
auth_request /internal/authelia/authz${optionalString method == "basic" "/basic"};
|
||||||
|
|
||||||
|
## Save the upstream metadata response headers from Authelia to variables.
|
||||||
|
auth_request_set $user $upstream_http_remote_user;
|
||||||
|
auth_request_set $groups $upstream_http_remote_groups;
|
||||||
|
auth_request_set $name $upstream_http_remote_name;
|
||||||
|
auth_request_set $email $upstream_http_remote_email;
|
||||||
|
|
||||||
|
## Inject the metadata response headers from the variables into the request
|
||||||
|
## made to the backend.
|
||||||
|
proxy_set_header Remote-User $user;
|
||||||
|
proxy_set_header Remote-Groups $groups;
|
||||||
|
proxy_set_header Remote-Name $name;
|
||||||
|
proxy_set_header Remote-Email $email;
|
||||||
|
|
||||||
|
${optionalString method == "regular" snippet_regular}
|
||||||
|
'';
|
||||||
|
genAuthConfigPkg =
|
||||||
|
method: pkgs.writeText "authelia-authrequest-${method}.conf" (genAuthConfig method);
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
# authelia
|
# authelia
|
||||||
options.services.nginx = let
|
options.services.nginx =
|
||||||
mkAttrsOfSubmoduleOpt = module: lib.mkOption { type = with types; attrsOf (submodule module); };
|
let
|
||||||
|
mkAttrsOfSubmoduleOpt = module: lib.mkOption { type = with types; attrsOf (submodule module); };
|
||||||
|
|
||||||
# make system config accessible from submodules
|
# make system config accessible from submodules
|
||||||
systemConfig = config;
|
systemConfig = config;
|
||||||
|
|
||||||
# submodule definitions
|
# submodule definitions
|
||||||
vhostModule = { name, config, ... }@attrs: {
|
vhostModule =
|
||||||
options = {
|
{ name, config, ... }@attrs:
|
||||||
locations = mkAttrsOfSubmoduleOpt (locationModule' attrs);
|
{
|
||||||
authelia = {
|
options = {
|
||||||
endpoint = {
|
locations = mkAttrsOfSubmoduleOpt (locationModule' attrs);
|
||||||
instance = lib.mkOption {
|
authelia = {
|
||||||
description = ''
|
endpoint = {
|
||||||
Local Authelia instance to act as the authentication endpoint.
|
instance = lib.mkOption {
|
||||||
This virtualHost will be configured to provide the
|
description = ''
|
||||||
public-facing authentication service.
|
Local Authelia instance to act as the authentication endpoint.
|
||||||
'';
|
This virtualHost will be configured to provide the
|
||||||
type = with types; nullOr str;
|
public-facing authentication service.
|
||||||
default = null;
|
'';
|
||||||
};
|
type = with types; nullOr str;
|
||||||
upstream = lib.mkOption {
|
default = null;
|
||||||
description = ''
|
};
|
||||||
Internal URL of the Authelia endpoint to forward authentication
|
upstream = lib.mkOption {
|
||||||
requests to.
|
description = ''
|
||||||
'';
|
Internal URL of the Authelia endpoint to forward authentication
|
||||||
type = with types; nullOr str;
|
requests to.
|
||||||
default = null;
|
'';
|
||||||
|
type = with types; nullOr str;
|
||||||
|
default = null;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
instance = lib.mkOption {
|
||||||
|
description = ''
|
||||||
|
Local Authelia instance to use. Setting this option will
|
||||||
|
automatically configure Authelia on the specified virtualHost
|
||||||
|
with the given instance of Authelia.
|
||||||
|
'';
|
||||||
|
type = with types; nullOr str;
|
||||||
|
default = null;
|
||||||
|
};
|
||||||
|
upstream = lib.mkOption {
|
||||||
|
description = ''
|
||||||
|
Internal URL of the Authelia endpoint to forward authorization
|
||||||
|
requests to. This should not be the public-facing authentication
|
||||||
|
endpoint URL.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
method = lib.mkOption {
|
||||||
|
description = ''
|
||||||
|
Default Authelia authentication method to use for all locations
|
||||||
|
in this virtualHost. Authentication is disabled by default for
|
||||||
|
all locations if this is set to `null`.
|
||||||
|
'';
|
||||||
|
type = with types; nullOr oneOf validAuthMethods;
|
||||||
|
default = "regular";
|
||||||
|
example = "basic";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
instance = lib.mkOption {
|
config = {
|
||||||
description = ''
|
authelia.upstream = mkIf (!(isNull config.authelia.instance)) (
|
||||||
Local Authelia instance to use. Setting this option will
|
getUpstreamFromInstance config.authelia.instance
|
||||||
automatically configure Authelia on the specified virtualHost
|
);
|
||||||
with the given instance of Authelia.
|
authelia.endpoint.upstream = mkIf (!(isNull config.authelia.endpoint.instance)) (
|
||||||
'';
|
getUpstreamFromInstance config.authelia.endpoint.instance
|
||||||
type = with types; nullOr str;
|
);
|
||||||
default = null;
|
|
||||||
};
|
# authelia nginx internal endpoints
|
||||||
upstream = lib.mkOption {
|
locations =
|
||||||
description = ''
|
let
|
||||||
Internal URL of the Authelia endpoint to forward authorization
|
api = "${config.authelia.upstream}/api/authz/auth-request";
|
||||||
requests to. This should not be the public-facing authentication
|
in
|
||||||
endpoint URL.
|
lib.mkIf (!(isNull config.authelia.upstream)) {
|
||||||
'';
|
# just setup both, they can't be accessed externally anyways.
|
||||||
|
"/internal/authelia/authz" = {
|
||||||
|
proxyPass = api;
|
||||||
|
recommendedProxyConfig = false;
|
||||||
|
extraConfig = ''
|
||||||
|
include ${autheliaLocationConfig};
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
"/internal/authelia/authz/basic" = {
|
||||||
|
proxyPass = "${api}/basic";
|
||||||
|
recommendedProxyConfig = false;
|
||||||
|
extraConfig = ''
|
||||||
|
include ${autheliaBasicLocationConfig};
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
|
||||||
config = {
|
|
||||||
authelia.upstream = mkIf (!(isNull config.authelia.instance))
|
|
||||||
(getUpstreamFromInstance config.authelia.instance);
|
|
||||||
authelia.endpoint.upstream = mkIf (!(isNull config.authelia.endpoint.instance))
|
|
||||||
(getUpstreamFromInstance config.authelia.endpoint.instance);
|
|
||||||
|
|
||||||
# authelia nginx internal endpoints
|
locationModule' =
|
||||||
locations = let
|
vhostAttrs:
|
||||||
api = "${config.authelia.upstream}/api/authz/auth-request";
|
{ name, config, ... }:
|
||||||
in lib.mkIf (!(isNull config.authelia.upstream)) {
|
let
|
||||||
"/internal/authelia/authz" = {
|
vhostConfig = vhostAttrs.config;
|
||||||
proxyPass = api;
|
in
|
||||||
recommendedProxyConfig = false;
|
{
|
||||||
extraConfig = ''
|
options.authelia.method = lib.mkOption {
|
||||||
include ${autheliaLocationConfig};
|
description = ''
|
||||||
'';
|
Authelia authentication method to use for this location.
|
||||||
};
|
Authentication is disabled for this location if this is set to
|
||||||
"/internal/authelia/authz/basic" = {
|
`null`.
|
||||||
proxyPass = "${api}/basic";
|
|
||||||
recommendedProxyConfig = false;
|
|
||||||
extraConfig = ''
|
|
||||||
include ${autheliaBasicLocationConfig};
|
|
||||||
'';
|
'';
|
||||||
|
type = with types; nullOr oneOf validAuthMethods;
|
||||||
|
default = vhostConfig.authelia.method;
|
||||||
|
example = "basic";
|
||||||
};
|
};
|
||||||
|
config =
|
||||||
|
lib.mkIf (!(lib.strings.hasPrefix "/internal/authelia/" name))
|
||||||
|
&& (!(isNull vhostConfig.authelia.upstream))
|
||||||
|
&& (!(isNull config.authelia.method)) {
|
||||||
|
extraConfig = ''
|
||||||
|
include ${genAuthConfigPkg config.authelia.method};
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
locationModule' = vhostAttrs: { name, config, ... }: let
|
in
|
||||||
vhostConfig = vhostAttrs.config;
|
{
|
||||||
in {
|
virtualHosts = mkAttrsOfSubmoduleOpt vhostModule;
|
||||||
};
|
};
|
||||||
|
|
||||||
in {
|
|
||||||
virtualHosts = mkAttrsOfSubmoduleOpt vhostModule;
|
|
||||||
};
|
|
||||||
|
|
||||||
# TODO check if any vhosts have authelia configured
|
# TODO check if any vhosts have authelia configured
|
||||||
config = mkIf false {
|
config = mkIf false {
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user