Compare commits
4 Commits
f69cec5ba8
...
da27cbc9a0
| Author | SHA1 | Date | |
|---|---|---|---|
da27cbc9a0
|
|||
|
dffeccfd5a
|
|||
|
c7d16e6427
|
|||
|
efefce538d
|
@ -6,10 +6,18 @@
|
||||
}:
|
||||
let
|
||||
inherit (lib) types mkIf optionalString;
|
||||
inherit (builtins) isNull any attrValues;
|
||||
inherit (builtins)
|
||||
isNull
|
||||
any
|
||||
all
|
||||
attrValues
|
||||
toString
|
||||
;
|
||||
|
||||
inherit (config.services) nginx;
|
||||
|
||||
validAuthMethods = [
|
||||
"normal"
|
||||
"regular"
|
||||
"basic"
|
||||
];
|
||||
getUpstreamFromInstance =
|
||||
@ -25,7 +33,7 @@ let
|
||||
else
|
||||
server.host;
|
||||
in
|
||||
"http://${host}:${port}";
|
||||
"http://${host}:${toString port}";
|
||||
|
||||
# use this when reverse proxying to authelia (and only authelia because i
|
||||
# like the nixos recommended proxy settings better)
|
||||
@ -72,8 +80,12 @@ let
|
||||
|
||||
## Headers
|
||||
## The headers starting with X-* are required.
|
||||
proxy_set_header X-Original-Method $request_method;
|
||||
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
|
||||
proxy_set_header X-Original-Method $request_method;
|
||||
proxy_set_header X-Forwarded-Method $request_method;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
proxy_set_header X-Forwarded-Uri $request_uri;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header Content-Length "";
|
||||
proxy_set_header Connection "";
|
||||
@ -95,59 +107,39 @@ let
|
||||
proxy_connect_timeout 240;
|
||||
'';
|
||||
autheliaLocationConfig = pkgs.writeText "authelia-location.conf" autheliaLocation;
|
||||
autheliaBasicLocationConfig = pkgs.writeText "authelia-location-basic.conf" ''
|
||||
${autheliaLocation}
|
||||
|
||||
# Auth Basic Headers
|
||||
proxy_set_header X-Original-Method $request_method;
|
||||
proxy_set_header X-Forwarded-Method $request_method;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
proxy_set_header X-Forwarded-URI $request_uri;
|
||||
'';
|
||||
|
||||
genAuthConfig =
|
||||
method:
|
||||
let
|
||||
snippet_regular = ''
|
||||
## Configure the redirection when the authz failure occurs. Lines starting
|
||||
## with 'Modern Method' and 'Legacy Method' should be commented /
|
||||
## uncommented as pairs. The modern method uses the session cookies
|
||||
## configuration's authelia_url value to determine the redirection URL here.
|
||||
## It's much simpler and compatible with the mutli-cookie domain easily.
|
||||
|
||||
## Modern Method: Set the $redirection_url to the Location header of the
|
||||
## response to the Authz endpoint.
|
||||
auth_request_set $redirection_url $upstream_http_location;
|
||||
|
||||
## Modern Method: When there is a 401 response code from the authz endpoint
|
||||
## redirect to the $redirection_url.
|
||||
error_page 401 =302 $redirection_url;
|
||||
autheliaBasicLocationConfig = autheliaLocationConfig;
|
||||
genAuthConfig = method: endpoint: let
|
||||
redirect = ''
|
||||
## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
|
||||
error_page 401 =302 ${endpoint}/?rd=$target_url;
|
||||
'';
|
||||
in
|
||||
''
|
||||
## Send a subrequest to Authelia to verify if the user is authenticated and
|
||||
# has permission to access the resource.
|
||||
in ''
|
||||
auth_request /internal/authelia/authz${optionalString (method == "basic") "/basic"};
|
||||
|
||||
auth_request /internal/authelia/authz${optionalString method == "basic" "/basic"};
|
||||
## Set the $target_url variable based on the original request.
|
||||
|
||||
## Save the upstream metadata response headers from Authelia to variables.
|
||||
## Comment this line if you're using nginx without the http_set_misc module.
|
||||
# set_escape_uri $target_url $scheme://$http_host$request_uri;
|
||||
|
||||
## Uncomment this line if you're using NGINX without the http_set_misc module.
|
||||
set $target_url $scheme://$http_host$request_uri;
|
||||
|
||||
## Save the upstream response headers from Authelia to variables.
|
||||
auth_request_set $user $upstream_http_remote_user;
|
||||
auth_request_set $groups $upstream_http_remote_groups;
|
||||
auth_request_set $name $upstream_http_remote_name;
|
||||
auth_request_set $email $upstream_http_remote_email;
|
||||
|
||||
## Inject the metadata response headers from the variables into the request
|
||||
## made to the backend.
|
||||
## Inject the response headers from the variables into the request made to the backend.
|
||||
proxy_set_header Remote-User $user;
|
||||
proxy_set_header Remote-Groups $groups;
|
||||
proxy_set_header Remote-Name $name;
|
||||
proxy_set_header Remote-Email $email;
|
||||
|
||||
${optionalString method == "regular" snippet_regular}
|
||||
${optionalString (method == "regular") redirect}
|
||||
'';
|
||||
genAuthConfigPkg =
|
||||
method: pkgs.writeText "authelia-authrequest-${method}.conf" (genAuthConfig method);
|
||||
method: endpoint: pkgs.writeText "authelia-authrequest-${method}.conf" (genAuthConfig method endpoint);
|
||||
in
|
||||
{
|
||||
# authelia
|
||||
@ -163,9 +155,10 @@ in
|
||||
{ name, config, ... }@attrs:
|
||||
{
|
||||
options = {
|
||||
locations = mkAttrsOfSubmoduleOpt (locationModule' attrs);
|
||||
locations = mkAttrsOfSubmoduleOpt (genLocationModule attrs);
|
||||
authelia = {
|
||||
endpoint = {
|
||||
# endpoint settings
|
||||
instance = lib.mkOption {
|
||||
description = ''
|
||||
Local Authelia instance to act as the authentication endpoint.
|
||||
@ -184,6 +177,13 @@ in
|
||||
default = null;
|
||||
};
|
||||
};
|
||||
# client settings
|
||||
endpointURL = lib.mkOption {
|
||||
description = ''
|
||||
(temporary) authelia endpoint redirect URL.
|
||||
'';
|
||||
type = with types; str;
|
||||
};
|
||||
instance = lib.mkOption {
|
||||
description = ''
|
||||
Local Authelia instance to use. Setting this option will
|
||||
@ -199,6 +199,8 @@ in
|
||||
requests to. This should not be the public-facing authentication
|
||||
endpoint URL.
|
||||
'';
|
||||
type = with types; nullOr str;
|
||||
default = null;
|
||||
};
|
||||
method = lib.mkOption {
|
||||
description = ''
|
||||
@ -206,7 +208,7 @@ in
|
||||
in this virtualHost. Authentication is disabled by default for
|
||||
all locations if this is set to `null`.
|
||||
'';
|
||||
type = with types; nullOr oneOf validAuthMethods;
|
||||
type = with types; nullOr (enum validAuthMethods);
|
||||
default = "regular";
|
||||
example = "basic";
|
||||
};
|
||||
@ -220,32 +222,53 @@ in
|
||||
getUpstreamFromInstance config.authelia.endpoint.instance
|
||||
);
|
||||
|
||||
forceSSL = lib.mkIf (!(isNull config.authelia.endpoint.upstream)) true;
|
||||
|
||||
# authelia nginx internal endpoints
|
||||
locations =
|
||||
let
|
||||
api = "${config.authelia.upstream}/api/authz/auth-request";
|
||||
api = "${config.authelia.upstream}/api/verify";
|
||||
in
|
||||
lib.mkIf (!(isNull config.authelia.upstream)) {
|
||||
# just setup both, they can't be accessed externally anyways.
|
||||
"/internal/authelia/authz" = {
|
||||
proxyPass = api;
|
||||
recommendedProxyConfig = false;
|
||||
extraConfig = ''
|
||||
include ${autheliaLocationConfig};
|
||||
'';
|
||||
};
|
||||
"/internal/authelia/authz/basic" = {
|
||||
proxyPass = "${api}/basic";
|
||||
recommendedProxyConfig = false;
|
||||
extraConfig = ''
|
||||
include ${autheliaBasicLocationConfig};
|
||||
'';
|
||||
};
|
||||
};
|
||||
lib.mkMerge [
|
||||
(lib.mkIf (!(isNull config.authelia.upstream)) {
|
||||
# just setup both, they can't be accessed externally anyways.
|
||||
"/internal/authelia/authz" = {
|
||||
proxyPass = api;
|
||||
recommendedProxySettings = false;
|
||||
extraConfig = ''
|
||||
include ${autheliaLocationConfig};
|
||||
'';
|
||||
};
|
||||
"/internal/authelia/authz/basic" = {
|
||||
proxyPass = "${api}?auth=basic";
|
||||
recommendedProxySettings = false;
|
||||
extraConfig = ''
|
||||
include ${autheliaBasicLocationConfig};
|
||||
'';
|
||||
};
|
||||
})
|
||||
(lib.mkIf (!(isNull config.authelia.endpoint.upstream)) {
|
||||
"/" = {
|
||||
extraConfig = ''
|
||||
include "${autheliaProxyConfig}";
|
||||
'';
|
||||
proxyPass = "${config.authelia.endpoint.upstream}";
|
||||
recommendedProxySettings = false;
|
||||
};
|
||||
"= /api/verify" = {
|
||||
proxyPass = "${config.authelia.endpoint.upstream}";
|
||||
recommendedProxySettings = false;
|
||||
};
|
||||
"/api/authz" = {
|
||||
proxyPass = "${config.authelia.endpoint.upstream}";
|
||||
recommendedProxySettings = false;
|
||||
};
|
||||
})
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
locationModule' =
|
||||
genLocationModule =
|
||||
vhostAttrs:
|
||||
{ name, config, ... }:
|
||||
let
|
||||
@ -258,18 +281,30 @@ in
|
||||
Authentication is disabled for this location if this is set to
|
||||
`null`.
|
||||
'';
|
||||
type = with types; nullOr oneOf validAuthMethods;
|
||||
type = with types; nullOr (enum validAuthMethods);
|
||||
default = vhostConfig.authelia.method;
|
||||
example = "basic";
|
||||
};
|
||||
options.authelia.endpointURL = lib.mkOption {
|
||||
description = ''
|
||||
(temporary) authelia endpoint redirect URL.
|
||||
'';
|
||||
type = with types; str;
|
||||
default = vhostConfig.authelia.endpointURL;
|
||||
};
|
||||
|
||||
config =
|
||||
lib.mkIf (!(lib.strings.hasPrefix "/internal/authelia/" name))
|
||||
&& (!(isNull vhostConfig.authelia.upstream))
|
||||
&& (!(isNull config.authelia.method)) {
|
||||
extraConfig = ''
|
||||
include ${genAuthConfigPkg config.authelia.method};
|
||||
'';
|
||||
};
|
||||
lib.mkIf
|
||||
(
|
||||
(!(lib.strings.hasPrefix "/internal/authelia/" name))
|
||||
&& (!(isNull vhostConfig.authelia.upstream))
|
||||
&& (!(isNull config.authelia.method))
|
||||
)
|
||||
{
|
||||
extraConfig = ''
|
||||
include ${genAuthConfigPkg config.authelia.method config.authelia.endpointURL};
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
in
|
||||
@ -278,10 +313,27 @@ in
|
||||
};
|
||||
|
||||
# TODO check if any vhosts have authelia configured
|
||||
config = mkIf false {
|
||||
|
||||
assertions = [
|
||||
# TODO vhost cannot be both auth endpoint proxy and regular reverse proxy
|
||||
];
|
||||
};
|
||||
config =
|
||||
let
|
||||
# TODO later, there are only assertions here
|
||||
configured = any (
|
||||
vhost: (!(isNull vhost.authelia.upstream)) || (!(isNull vhost.authelia.endpoint.upstream))
|
||||
) (attrValues nginx.virtualHosts);
|
||||
in
|
||||
mkIf true {
|
||||
assertions = [
|
||||
{
|
||||
assertion = all (
|
||||
vhost: (!(isNull vhost.authelia.upstream)) -> (isNull vhost.authelia.endpoint.upstream)
|
||||
) (attrValues nginx.virtualHosts);
|
||||
message = "`services.nginx.virtualHosts.<name>.authelia.upstream` and `services.nginx.virtualHosts.<name>.authelia.endpoint.upstream` cannot be set at the same time.";
|
||||
}
|
||||
# {
|
||||
# assertion = all (
|
||||
# vhost: vhost.authelia.instance -> config.services.authelia.instances ? "${vhost.authelia.instance}"
|
||||
# ) (attrValues nginx.virtualHosts);
|
||||
# message = "`services.authelia.instances.<name>` must be configured if `services.nginx.virtualHosts.<name>.authelia.instance` is set.";
|
||||
# }
|
||||
];
|
||||
};
|
||||
}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user