rpi4: migrate Authelia config

Update Authelia module

This reverts commit 7a0dcc7e28ab0e789a17e6aaab4ad2c59946d2cd.

authelia: fix getUpstreamFromInstance

hosts/rpi4/authelia.nix

@@ -24,16 +24,18 @@ let
     instance:
     let
       inherit (config.services.authelia.instances.${instance}.settings) server;
-      inherit (server) port;
-      host =
-        if server.host == "0.0.0.0" then
+      port = server.port or 9091;
+      host = server.host or "127.0.0.1";
+
+      targetHost = 
+        if host == "0.0.0.0" then
           "127.0.0.1"
-        else if lib.hasInfix ":" server.host then
+        else if lib.hasInfix ":" host then
           throw "TODO IPv6 not supported in Authelia server address (hard to parse, can't tell if it is [::])."
         else
-          server.host;
+          host;
     in
-    "http://${host}:${toString port}";
+    "http://${targetHost}:${toString port}";
 
   # use this when reverse proxying to authelia (and only authelia because i
   # like the nixos recommended proxy settings better)
@@ -80,12 +82,8 @@ let
 
     ## Headers
     ## The headers starting with X-* are required.
-    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
     proxy_set_header X-Original-Method $request_method;
-    proxy_set_header X-Forwarded-Method $request_method;
-    proxy_set_header X-Forwarded-Proto $scheme;
-    proxy_set_header X-Forwarded-Host $http_host;
-    proxy_set_header X-Forwarded-Uri $request_uri;
+    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
     proxy_set_header X-Forwarded-For $remote_addr;
     proxy_set_header Content-Length "";
     proxy_set_header Connection "";
@@ -107,39 +105,59 @@ let
     proxy_connect_timeout 240;
   '';
   autheliaLocationConfig = pkgs.writeText "authelia-location.conf" autheliaLocation;
-  autheliaBasicLocationConfig = autheliaLocationConfig;
-  genAuthConfig = method: endpoint: let
-      redirect = ''
-        ## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
-        error_page 401 =302 ${endpoint}/?rd=$target_url;
+  autheliaBasicLocationConfig = pkgs.writeText "authelia-location-basic.conf" ''
+    ${autheliaLocation}
+
+    # Auth Basic Headers
+    proxy_set_header X-Original-Method $request_method;
+    proxy_set_header X-Forwarded-Method $request_method;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Host $http_host;
+    proxy_set_header X-Forwarded-URI $request_uri;
   '';
-    in ''
+
+  genAuthConfig =
+    method:
+    let
+      snippet_regular = ''
+        ## Configure the redirection when the authz failure occurs. Lines starting
+        ## with 'Modern Method' and 'Legacy Method' should be commented /
+        ## uncommented as pairs. The modern method uses the session cookies
+        ## configuration's authelia_url value to determine the redirection URL here.
+        ## It's much simpler and compatible with the mutli-cookie domain easily.
+
+        ## Modern Method: Set the $redirection_url to the Location header of the
+        ## response to the Authz endpoint.
+        auth_request_set $redirection_url $upstream_http_location;
+
+        ## Modern Method: When there is a 401 response code from the authz endpoint
+        ## redirect to the $redirection_url.
+        error_page 401 =302 $redirection_url;
+      '';
+    in
+    ''
+      ## Send a subrequest to Authelia to verify if the user is authenticated and
+      # has permission to access the resource.
+
       auth_request /internal/authelia/authz${optionalString (method == "basic") "/basic"};
 
-      ## Set the $target_url variable based on the original request.
-
-      ## Comment this line if you're using nginx without the http_set_misc module.
-      # set_escape_uri $target_url $scheme://$http_host$request_uri;
-
-      ## Uncomment this line if you're using NGINX without the http_set_misc module.
-      set $target_url $scheme://$http_host$request_uri;
-
-      ## Save the upstream response headers from Authelia to variables.
+      ## Save the upstream metadata response headers from Authelia to variables.
       auth_request_set $user $upstream_http_remote_user;
       auth_request_set $groups $upstream_http_remote_groups;
       auth_request_set $name $upstream_http_remote_name;
       auth_request_set $email $upstream_http_remote_email;
 
-      ## Inject the response headers from the variables into the request made to the backend.
+      ## Inject the metadata response headers from the variables into the request
+      ## made to the backend.
       proxy_set_header Remote-User $user;
       proxy_set_header Remote-Groups $groups;
       proxy_set_header Remote-Name $name;
       proxy_set_header Remote-Email $email;
 
-      ${optionalString (method == "regular") redirect}
+      ${optionalString (method == "regular") snippet_regular}
     '';
   genAuthConfigPkg =
-    method: endpoint: pkgs.writeText "authelia-authrequest-${method}.conf" (genAuthConfig method endpoint);
+    method: pkgs.writeText "authelia-authrequest-${method}.conf" (genAuthConfig method);
 in
 {
   # authelia
@@ -158,7 +176,6 @@ in
             locations = mkAttrsOfSubmoduleOpt (genLocationModule attrs);
             authelia = {
               endpoint = {
-                # endpoint settings
                 instance = lib.mkOption {
                   description = ''
                     Local Authelia instance to act as the authentication endpoint.
@@ -177,13 +194,6 @@ in
                   default = null;
                 };
               };
-              # client settings
-              endpointURL = lib.mkOption {
-                description = ''
-                  (temporary) authelia endpoint redirect URL.
-                '';
-                type = with types; str;
-              };
               instance = lib.mkOption {
                 description = ''
                   Local Authelia instance to use. Setting this option will
@@ -227,7 +237,7 @@ in
             # authelia nginx internal endpoints
             locations =
               let
-                api = "${config.authelia.upstream}/api/verify";
+                api = "${config.authelia.upstream}/api/authz/auth-request";
               in
               lib.mkMerge [
                 (lib.mkIf (!(isNull config.authelia.upstream)) {
@@ -240,7 +250,7 @@ in
                     '';
                   };
                   "/internal/authelia/authz/basic" = {
-                    proxyPass = "${api}?auth=basic";
+                    proxyPass = "${api}/basic";
                     recommendedProxySettings = false;
                     extraConfig = ''
                       include ${autheliaBasicLocationConfig};
@@ -285,14 +295,6 @@ in
             default = vhostConfig.authelia.method;
             example = "basic";
           };
-          options.authelia.endpointURL = lib.mkOption {
-            description = ''
-              (temporary) authelia endpoint redirect URL.
-            '';
-            type = with types; str;
-            default = vhostConfig.authelia.endpointURL;
-          };
-
           config =
             lib.mkIf
               (
@@ -302,7 +304,7 @@ in
               )
               {
                 extraConfig = ''
-                  include ${genAuthConfigPkg config.authelia.method config.authelia.endpointURL};
+                  include ${genAuthConfigPkg config.authelia.method};
                 '';
               };
         };

hosts/rpi4/services.nix

@@ -40,6 +40,12 @@
       mode = "0750";
     };
 
+    age.secrets.authelia-session = {
+      file = ../../secrets/authelia-session.age;
+      group = "authelia-shared";
+      mode = "0750";
+    };
+
     users.groups.secrets = {};
     users.users.acme.extraGroups = [ "secrets" ];
 
@@ -92,7 +98,23 @@
       settings = {
         access_control.default_policy = "one_factor";
         storage.local.path = "/var/lib/authelia-${inst}/db.sqlite";
-        session.domain = "${opts.domain}";
+        session.cookies = [
+          {
+            domain = "protogen.io";
+            authelia_url = "https://auth.protogen.io";
+            default_redirection_url = "https://searx.protogen.io";
+          }
+          {
+            domain = "nbt.sh";
+            authelia_url = "https://auth.nbt.sh";
+            default_redirection_url = "https://admin.nbt.sh";
+          }
+          {
+            domain = "proot.link";
+            authelia_url = "https://auth.proot.link";
+            default_redirection_url = "https://admin.proot.link";
+          }
+        ];
         notifier.filesystem.filename = "/var/lib/authelia-${inst}/notification.txt";
         authentication_backend.file.path = config.age.secrets.authelia-users.path;
         server.port = lib.mkIf (opts ? port) (opts.port or null);
@@ -102,14 +124,6 @@
         domain = "protogen.io";
         # port = 9091 # default
       };
-      nbt-sh = {
-        domain = "nbt.sh";
-        port = 9092;
-      };
-      proot-link = {
-        domain = "proot.link";
-        port = 9093;
-      };
     };
 
     services.nginx = {
@@ -139,7 +153,6 @@
           })
           (lib.mkIf authelia {
             authelia.instance = lib.mkDefault "main";
-            authelia.endpointURL = lib.mkDefault "https://auth.protogen.io";
           })
           extraConfig
         ];
@@ -158,8 +171,8 @@
         mkReverseProxy = port: mkProxy { inherit port; };
       in (lib.mapAttrs (domain: instance: { forceSSL = true; inherit useACMEHost; authelia.endpoint = { inherit instance; };}) {
         "auth.protogen.io" = "main";
-        "auth.nbt.sh" = "nbt-sh";
-        "auth.proot.link" = "proot-link";
+        "auth.nbt.sh" = "main";
+        "auth.proot.link" = "main";
       }) // {
         "changedetection.protogen.io" = mkReverseProxy 5000;
 
@@ -212,19 +225,7 @@
 
         # URL shortener
         "nbt.sh" = mkProxy { port = 8090; extraConfig.serverAliases = [ "proot.link" ]; };
-
-        "admin.nbt.sh" = mkProxy { authelia = true; port = 8091; extraConfig = {
-          authelia = {
-            instance = "nbt-sh";
-            endpointURL = "https://auth.nbt.sh";
-          };
-        };};
-        "admin.proot.link" = mkProxy { authelia = true; port = 8091; extraConfig = {
-          authelia = {
-            instance = "proot-link";
-            endpointURL = "https://auth.proot.link";
-          };
-        };};
+        "admin.nbt.sh" = mkProxy { authelia = true; port = 8091; extraConfig.serverAliases = [ "admin.proot.link" ]; };
 
         # uptime
         "uptime.protogen.io" = mkReverseProxy 3001;
@@ -236,7 +237,6 @@
           useACMEHost = "protogen.io";
           forceSSL = true;
           authelia.instance = "main";
-          authelia.endpointURL = "https://auth.protogen.io";
           locations."/" = {
             inherit root;
             extraConfig = ''

secrets/authelia-session.age

@@ -0,0 +1,47 @@
+age-encryption.org/v1
+-> ssh-ed25519 YUrFgQ 42WuYgB9B/1sV+Q8qvMq/65u1Ed0hREmJKKOATv0r3M
+Ypm4fT9GizmjTTpD51VWs0+cZ1VMOQElDJjxNb8Hv/E
+-> ssh-rsa I7EAZw
+ZOmiFsTngJAdLrGRBmp/oYxkHnP0Jc/dtGMSNrsc8cpGWFmG7jz634V6Z6WPIXDc
+LsRo+UjNQeZzq8Dhayvg0rxi1jG8y6T4jqrDMNL9lHOcLzP2P3tJ7MMiXbTz6REe
+gBxB/dbluFf5QEbKkbg2OgqXdfdb2yqJkVw3TJa8v72sCuLrgGZuVclBlgxISP1x
+UQADBVevUCS9tHE9xCsIEUcZJVFjrsxXnyT0QirqLJTQldpogYuTWAre7gKON7Sr
+fulaKfq/BdKBr5XrtSTh8H1+t0wiQJ1DjfjoghgU8MATFj84yWEyusOAr9YHmFmf
+w1pzy3D2G6OTc8hyWG7JuGunWnnr5D+7WOQwNUjBqMRCcW7wI2Vb0ikkUctJ/4Ws
+XIjL7evBM5HvskwK438lFl+XaBkGXdCWHm6JrOkD3RTLLZFjYQnSdDMIALTUu4MC
+VE+VESpENmq7czckbxJpUKgI+LSS5hPty2DMSHS5SuFW8CV98bPB8TFiR1MMs9Ud
+
+-> ssh-rsa 0pGLuA
+bsz1aks3oNSbtc4NAV+Tm00a4EySmzwSc2kjcssod+TbguoYmyELuuEpPVLbiRmn
+GskJN+6rOHvFKJFtcIn22wEN6n+c445qNzvAPUKq3KFzSYmGtuKJDCvAgY+JkkTg
+lIeViZVSf9rwrGesAixrd7GoaWbrdhifHVIH6fPF6cyb2ufSj8NDDL8Fq55z8Q6d
+YTe25iCtVmrmlKjW5m37sOrSoSsGvhfMMc/VyrYu+Is3SsAzYURKVSH9JgQSTc3X
+rtGI8Yx2Hgk7z7uFDe3RKDJXV85nZzl0Vhid4TYlZ1QUc9JtsPAm8Sh8SMofNmnD
+GBU3C8j/1bs4qwX/s9UrqJJz0+ibAZ60gM0dr+r805k+hJR7iAiwTh9v3M067bVm
+4fr4xBoqMXr08t6elyQKKJtLweKSnTJQF/6BptcZapwJTWmxO9zrujag5Qse+csR
+jewrsuUddqngOKdHknmQwgoIRzbW3rCtmqjgbDoOvF1xEAONgoDJuUBiULt2elPC
+
+-> ssh-rsa JoBDow
+MbVKzWRHhCenqinwJcGxFW4tMaFfwZtA7Fp6L+f6DTCDbtuE9ovt2bbfJ6/yzJjE
+kEiEnLzNVZbVccdREDdI3kq8wiFJKuBVbOZXCGmk2rgVUzgwXO5FfHqM1dul5foW
+cJuzYfBAtmEnVCI0LjwTw+4nNnMzykhh/9OKjEUQ8bVFH+leFjgAeJdcTD5hWUtG
+w8WAlttos0gnFcxtPm1X+JN1Gyu1oiVGVk+u/hxWs7zAdAixPtICt5ZB3TLelyu8
+yWbMARZ4uLtPzgy0asSlmeOZ8r0oaTHWieLP30F1alsyakFbO6qXQZGEVNfx4z0e
+AvMnPz+SSLQ9OIdThnYOjDDAkT79I5xuY7YeGoDkTy6a8JEo1SdXkf+0SAtE/Ihx
+TTDhar+pjV+eV72fMbhbMvENcVb0o4edP/mCJXl8Wjz/RSlQs+huiF+RDEs0RX18
+iua+wAylwb1ZLYL4hzsxxUodngbroGwglaMMMCbV4wOYR9LPfwP6hy8/EvY30IxU
+
+-> ssh-rsa wzTCUg
+mIms/oP6KFSxBaulSRvNT3oTdMijcUZRQgPCiysvJBkpSSsIpoH2DSBhLqs2z7RS
+XvavUqn6FJCOQHb/c9TXoP00Mwx3X/mpn8mAxddnNH+19ZboFEAj9qgXMuWygjro
+CeO7h0TjYq55pubTS68BWb4BhIvAGQmIeFd7QyozdFOnAQ1Wdw+UjAuRl2GGEIAW
+ztk8yeU2zp5Jo8Nqc6GFNlZR7OYx8mlMAUvkdo53bU7fTM0EfsxRuP9aNO/HXoSS
+8OOGQzt+qefFoqDYWS16ftLafrBqdWps+ivWzn0Bh2CtdemdOKMDosBDtrHcLKL5
+qOgae79fQd5x9HF8UHqunGijgcGxnm0GHOT5mIGWw9ms4RzyhC58HVqOFmS0SIOW
+/SdHspEoFpY3E0ImHbDhDwfOcHbYzLllX9uf+0Nif8SMYGhEMa9loxYK1yKZVGHt
+NiBFidgH/8OECkDjmatBtzigYyq7Tk+Ct2eZZJSAyeP2VVNYT4uqtmp24hfBlLBR
+
+--- anDEUDvExEekm+KJ9jnPJRT52weZhy7l6dCeqeKltr0
+aD=˽˜t.$¡f˜DV›F}3ãzÖ5ücæ3*=¤…-ÚŽù³L?ú–ã˜^
+hP§©È¬Ÿ6T*|îXU¬c”
+IL<EFBFBD>Õ&<ïqŒÏ¶É‡¨jkƒ >ö±ØÐr¶ @%]ÊÀñe϶¡w[¹áy…Ö( l˜½~Ù•têK²Ö{"œöZ¯&ÿ·6r»cÎEüûW2¤0r<30>5¸$­¯”	¡!¸Œ<C2B8>JßÞGOsšÚ‹Ô”Sˆ›†Fm@Ó—a,Jú•ûÓût¨¹}é'¤4:&ÿc0AAz

secrets/secrets.nix

@@ -21,6 +21,7 @@ in
   "authelia-users.age".publicKeys = [ rpi4 ] ++ all-user;
   "authelia-storage.age".publicKeys = [ rpi4 ] ++ all-user;
   "authelia-jwt.age".publicKeys = [ rpi4 ] ++ all-user;
+  "authelia-session.age".publicKeys = [ rpi4 ] ++ all-user;
 
   "restic-rclone.age".publicKeys = [ rpi4 nullbox slab ] ++ all-user;
   "restic-password.age".publicKeys = [ rpi4 nullbox slab ] ++ all-user;