nullbite/nixfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: nullbite:f69cec5ba8804544a89f7c1e24b82b8de467a249
Branches Tags
nullbite:main
nullbite:feature/refactor-module-args
nullbite:flake-parts-hosts
nullbite:feature/tmpfiles-workaround
nullbite:wip/unified-lts-kernel
nullbite:wip/lanzaboote
nullbite:authelia
nullbite:btrfs
nullbite:wip/theme-helper
nullbite:wip/unstable
nullbite:archive/authelia
...
compare: nullbite:da27cbc9a007420b5a8bb212ac68cafa722c7e32
Branches Tags
nullbite:main
nullbite:feature/refactor-module-args
nullbite:flake-parts-hosts
nullbite:feature/tmpfiles-workaround
nullbite:wip/unified-lts-kernel
nullbite:wip/lanzaboote
nullbite:authelia
nullbite:btrfs
nullbite:wip/theme-helper
nullbite:wip/unstable
nullbite:archive/authelia

4 Commits
f69cec5ba8 ... da27cbc9a0

Author SHA1 Message Date
NullBite
da27cbc9a0
authelia: set forceSSL for endpoint 2024-07-15 00:39:46 -04:00
NullBite
dffeccfd5a
authelia: apparently it's outdated (revert later) 2024-07-15 00:23:43 -04:00
NullBite
c7d16e6427
authelia: configure endpoint i think 2024-07-14 23:57:31 -04:00
NullBite
efefce538d
authelia: fixes 2024-07-14 22:31:51 -04:00
1 changed files with 129 additions and 77 deletions
Show Stats Expand all files Collapse all files

206
hosts/rpi4/authelia.nix
View File

@ -6,10 +6,18 @@
}: }:
let let
inherit (lib) types mkIf optionalString; inherit (lib) types mkIf optionalString;
inherit (builtins) isNull any attrValues; inherit (builtins)
isNull
any
all
attrValues
toString
;
inherit (config.services) nginx;
validAuthMethods = [ validAuthMethods = [
"normal" "regular"
"basic" "basic"
]; ];
getUpstreamFromInstance = getUpstreamFromInstance =
@ -25,7 +33,7 @@ let
else else
server.host; server.host;
in in
"http://${host}:${port}"; "http://${host}:${toString port}";
# use this when reverse proxying to authelia (and only authelia because i # use this when reverse proxying to authelia (and only authelia because i
# like the nixos recommended proxy settings better) # like the nixos recommended proxy settings better)
@ -72,8 +80,12 @@ let
## Headers ## Headers
## The headers starting with X-* are required. ## The headers starting with X-* are required.
proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri; proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Forwarded-Method $request_method;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Content-Length ""; proxy_set_header Content-Length "";
proxy_set_header Connection ""; proxy_set_header Connection "";
@ -95,59 +107,39 @@ let
proxy_connect_timeout 240; proxy_connect_timeout 240;
''; '';
autheliaLocationConfig = pkgs.writeText "authelia-location.conf" autheliaLocation; autheliaLocationConfig = pkgs.writeText "authelia-location.conf" autheliaLocation;
autheliaBasicLocationConfig = pkgs.writeText "authelia-location-basic.conf" '' autheliaBasicLocationConfig = autheliaLocationConfig;
${autheliaLocation} genAuthConfig = method: endpoint: let
redirect = ''
# Auth Basic Headers ## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
proxy_set_header X-Original-Method $request_method; error_page 401 =302 ${endpoint}/?rd=$target_url;
proxy_set_header X-Forwarded-Method $request_method;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-URI $request_uri;
'';
genAuthConfig =
method:
let
snippet_regular = ''
## Configure the redirection when the authz failure occurs. Lines starting
## with 'Modern Method' and 'Legacy Method' should be commented /
## uncommented as pairs. The modern method uses the session cookies
## configuration's authelia_url value to determine the redirection URL here.
## It's much simpler and compatible with the mutli-cookie domain easily.
## Modern Method: Set the $redirection_url to the Location header of the
## response to the Authz endpoint.
auth_request_set $redirection_url $upstream_http_location;
## Modern Method: When there is a 401 response code from the authz endpoint
## redirect to the $redirection_url.
error_page 401 =302 $redirection_url;
''; '';
in in ''
'' auth_request /internal/authelia/authz${optionalString (method == "basic") "/basic"};
## Send a subrequest to Authelia to verify if the user is authenticated and
# has permission to access the resource.
auth_request /internal/authelia/authz${optionalString method == "basic" "/basic"}; ## Set the $target_url variable based on the original request.
## Save the upstream metadata response headers from Authelia to variables. ## Comment this line if you're using nginx without the http_set_misc module.
# set_escape_uri $target_url $scheme://$http_host$request_uri;
## Uncomment this line if you're using NGINX without the http_set_misc module.
set $target_url $scheme://$http_host$request_uri;
## Save the upstream response headers from Authelia to variables.
auth_request_set $user $upstream_http_remote_user; auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups; auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name; auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email; auth_request_set $email $upstream_http_remote_email;
## Inject the metadata response headers from the variables into the request ## Inject the response headers from the variables into the request made to the backend.
## made to the backend.
proxy_set_header Remote-User $user; proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups; proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Name $name; proxy_set_header Remote-Name $name;
proxy_set_header Remote-Email $email; proxy_set_header Remote-Email $email;
${optionalString method == "regular" snippet_regular} ${optionalString (method == "regular") redirect}
''; '';
genAuthConfigPkg = genAuthConfigPkg =
method: pkgs.writeText "authelia-authrequest-${method}.conf" (genAuthConfig method); method: endpoint: pkgs.writeText "authelia-authrequest-${method}.conf" (genAuthConfig method endpoint);
in in
{ {
# authelia # authelia
@ -163,9 +155,10 @@ in
{ name, config, ... }@attrs: { name, config, ... }@attrs:
{ {
options = { options = {
locations = mkAttrsOfSubmoduleOpt (locationModule' attrs); locations = mkAttrsOfSubmoduleOpt (genLocationModule attrs);
authelia = { authelia = {
endpoint = { endpoint = {
# endpoint settings
instance = lib.mkOption { instance = lib.mkOption {
description = '' description = ''
Local Authelia instance to act as the authentication endpoint. Local Authelia instance to act as the authentication endpoint.
@ -184,6 +177,13 @@ in
default = null; default = null;
}; };
}; };
# client settings
endpointURL = lib.mkOption {
description = ''
(temporary) authelia endpoint redirect URL.
'';
type = with types; str;
};
instance = lib.mkOption { instance = lib.mkOption {
description = '' description = ''
Local Authelia instance to use. Setting this option will Local Authelia instance to use. Setting this option will
@ -199,6 +199,8 @@ in
requests to. This should not be the public-facing authentication requests to. This should not be the public-facing authentication
endpoint URL. endpoint URL.
''; '';
type = with types; nullOr str;
default = null;
}; };
method = lib.mkOption { method = lib.mkOption {
description = '' description = ''
@ -206,7 +208,7 @@ in
in this virtualHost. Authentication is disabled by default for in this virtualHost. Authentication is disabled by default for
all locations if this is set to `null`. all locations if this is set to `null`.
''; '';
type = with types; nullOr oneOf validAuthMethods; type = with types; nullOr (enum validAuthMethods);
default = "regular"; default = "regular";
example = "basic"; example = "basic";
}; };
@ -220,32 +222,53 @@ in
getUpstreamFromInstance config.authelia.endpoint.instance getUpstreamFromInstance config.authelia.endpoint.instance
); );
forceSSL = lib.mkIf (!(isNull config.authelia.endpoint.upstream)) true;
# authelia nginx internal endpoints # authelia nginx internal endpoints
locations = locations =
let let
api = "${config.authelia.upstream}/api/authz/auth-request"; api = "${config.authelia.upstream}/api/verify";
in in
lib.mkIf (!(isNull config.authelia.upstream)) { lib.mkMerge [
# just setup both, they can't be accessed externally anyways. (lib.mkIf (!(isNull config.authelia.upstream)) {
"/internal/authelia/authz" = { # just setup both, they can't be accessed externally anyways.
proxyPass = api; "/internal/authelia/authz" = {
recommendedProxyConfig = false; proxyPass = api;
extraConfig = '' recommendedProxySettings = false;
include ${autheliaLocationConfig}; extraConfig = ''
''; include ${autheliaLocationConfig};
}; '';
"/internal/authelia/authz/basic" = { };
proxyPass = "${api}/basic"; "/internal/authelia/authz/basic" = {
recommendedProxyConfig = false; proxyPass = "${api}?auth=basic";
extraConfig = '' recommendedProxySettings = false;
include ${autheliaBasicLocationConfig}; extraConfig = ''
''; include ${autheliaBasicLocationConfig};
}; '';
}; };
})
(lib.mkIf (!(isNull config.authelia.endpoint.upstream)) {
"/" = {
extraConfig = ''
include "${autheliaProxyConfig}";
'';
proxyPass = "${config.authelia.endpoint.upstream}";
recommendedProxySettings = false;
};
"= /api/verify" = {
proxyPass = "${config.authelia.endpoint.upstream}";
recommendedProxySettings = false;
};
"/api/authz" = {
proxyPass = "${config.authelia.endpoint.upstream}";
recommendedProxySettings = false;
};
})
];
}; };
}; };
locationModule' = genLocationModule =
vhostAttrs: vhostAttrs:
{ name, config, ... }: { name, config, ... }:
let let
@ -258,18 +281,30 @@ in
Authentication is disabled for this location if this is set to Authentication is disabled for this location if this is set to
`null`. `null`.
''; '';
type = with types; nullOr oneOf validAuthMethods; type = with types; nullOr (enum validAuthMethods);
default = vhostConfig.authelia.method; default = vhostConfig.authelia.method;
example = "basic"; example = "basic";
}; };
options.authelia.endpointURL = lib.mkOption {
description = ''
(temporary) authelia endpoint redirect URL.
'';
type = with types; str;
default = vhostConfig.authelia.endpointURL;
};
config = config =
lib.mkIf (!(lib.strings.hasPrefix "/internal/authelia/" name)) lib.mkIf
&& (!(isNull vhostConfig.authelia.upstream)) (
&& (!(isNull config.authelia.method)) { (!(lib.strings.hasPrefix "/internal/authelia/" name))
extraConfig = '' && (!(isNull vhostConfig.authelia.upstream))
include ${genAuthConfigPkg config.authelia.method}; && (!(isNull config.authelia.method))
''; )
}; {
extraConfig = ''
include ${genAuthConfigPkg config.authelia.method config.authelia.endpointURL};
'';
};
}; };
in in
@ -278,10 +313,27 @@ in
}; };
# TODO check if any vhosts have authelia configured # TODO check if any vhosts have authelia configured
config = mkIf false { config =
let
assertions = [ # TODO later, there are only assertions here
# TODO vhost cannot be both auth endpoint proxy and regular reverse proxy configured = any (
]; vhost: (!(isNull vhost.authelia.upstream)) || (!(isNull vhost.authelia.endpoint.upstream))
}; ) (attrValues nginx.virtualHosts);
in
mkIf true {
assertions = [
{
assertion = all (
vhost: (!(isNull vhost.authelia.upstream)) -> (isNull vhost.authelia.endpoint.upstream)
) (attrValues nginx.virtualHosts);
message = "`services.nginx.virtualHosts.<name>.authelia.upstream` and `services.nginx.virtualHosts.<name>.authelia.endpoint.upstream` cannot be set at the same time.";
}
# {
# assertion = all (
# vhost: vhost.authelia.instance -> config.services.authelia.instances ? "${vhost.authelia.instance}"
# ) (attrValues nginx.virtualHosts);
# message = "`services.authelia.instances.<name>` must be configured if `services.nginx.virtualHosts.<name>.authelia.instance` is set.";
# }
];
};
} }