nullbite/nixfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: nullbite:f69cec5ba8804544a89f7c1e24b82b8de467a249
Branches Tags
nullbite:main
nullbite:feature/refactor-module-args
nullbite:flake-parts-hosts
nullbite:feature/tmpfiles-workaround
nullbite:wip/unified-lts-kernel
nullbite:wip/lanzaboote
nullbite:authelia
nullbite:btrfs
nullbite:wip/theme-helper
nullbite:wip/unstable
nullbite:archive/authelia
..
compare: nullbite:56e8b0564de3263ad19dfa26fb822e4cb7b2ed16
Branches Tags
nullbite:main
nullbite:feature/refactor-module-args
nullbite:flake-parts-hosts
nullbite:feature/tmpfiles-workaround
nullbite:wip/unified-lts-kernel
nullbite:wip/lanzaboote
nullbite:authelia
nullbite:btrfs
nullbite:wip/theme-helper
nullbite:wip/unstable
nullbite:archive/authelia

No commits in common. "f69cec5ba8804544a89f7c1e24b82b8de467a249" and "56e8b0564de3263ad19dfa26fb822e4cb7b2ed16" have entirely different histories.
f69cec5ba8 ... 56e8b0564d

1 changed files with 91 additions and 187 deletions
Show Stats Expand all files Collapse all files

278
hosts/rpi4/authelia.nix
View File

@ -1,31 +1,18 @@
{ { config, lib, pkgs, ... }:
config,
lib,
pkgs,
...
}:
let let
inherit (lib) types mkIf optionalString; inherit (lib) types
mkIf
optionalString;
inherit (builtins) isNull any attrValues; inherit (builtins) isNull any attrValues;
validAuthMethods = [ getUpstreamFromInstance = instance: let
"normal" inherit (config.services.authelia.instances.${instance}.settings) server;
"basic" inherit (server) port;
]; host = if server.host == "0.0.0.0" then "127.0.0.1"
getUpstreamFromInstance = else if lib.hasInfix ":" server.host then
instance: throw "TODO IPv6 not supported in Authelia server address (hard to parse, can't tell if it is [::])."
let else server.host;
inherit (config.services.authelia.instances.${instance}.settings) server; in "http://${host}:${port}";
inherit (server) port;
host =
if server.host == "0.0.0.0" then
"127.0.0.1"
else if lib.hasInfix ":" server.host then
throw "TODO IPv6 not supported in Authelia server address (hard to parse, can't tell if it is [::])."
else
server.host;
in
"http://${host}:${port}";
# use this when reverse proxying to authelia (and only authelia because i # use this when reverse proxying to authelia (and only authelia because i
# like the nixos recommended proxy settings better) # like the nixos recommended proxy settings better)
@ -42,8 +29,7 @@ let
## Basic Proxy Configuration ## Basic Proxy Configuration
client_body_buffer_size 128k; client_body_buffer_size 128k;
# Timeout if the real server is dead. proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead.
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
proxy_redirect http:// $scheme://; proxy_redirect http:// $scheme://;
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_cache_bypass $cookie_session; proxy_cache_bypass $cookie_session;
@ -67,6 +53,7 @@ let
proxy_connect_timeout 360; proxy_connect_timeout 360;
''; '';
autheliaLocation = '' autheliaLocation = ''
internal; internal;
@ -106,177 +93,94 @@ let
proxy_set_header X-Forwarded-URI $request_uri; proxy_set_header X-Forwarded-URI $request_uri;
''; '';
genAuthConfig =
method:
let
snippet_regular = ''
## Configure the redirection when the authz failure occurs. Lines starting
## with 'Modern Method' and 'Legacy Method' should be commented /
## uncommented as pairs. The modern method uses the session cookies
## configuration's authelia_url value to determine the redirection URL here.
## It's much simpler and compatible with the mutli-cookie domain easily.
## Modern Method: Set the $redirection_url to the Location header of the
## response to the Authz endpoint.
auth_request_set $redirection_url $upstream_http_location;
## Modern Method: When there is a 401 response code from the authz endpoint
## redirect to the $redirection_url.
error_page 401 =302 $redirection_url;
'';
in
''
## Send a subrequest to Authelia to verify if the user is authenticated and
# has permission to access the resource.
auth_request /internal/authelia/authz${optionalString method == "basic" "/basic"};
## Save the upstream metadata response headers from Authelia to variables.
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;
## Inject the metadata response headers from the variables into the request
## made to the backend.
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Name $name;
proxy_set_header Remote-Email $email;
${optionalString method == "regular" snippet_regular}
'';
genAuthConfigPkg =
method: pkgs.writeText "authelia-authrequest-${method}.conf" (genAuthConfig method);
in in
{ {
# authelia # authelia
options.services.nginx = options.services.nginx = let
let mkAttrsOfSubmoduleOpt = module: lib.mkOption { type = with types; attrsOf (submodule module); };
mkAttrsOfSubmoduleOpt = module: lib.mkOption { type = with types; attrsOf (submodule module); };
# make system config accessible from submodules # make system config accessible from submodules
systemConfig = config; systemConfig = config;
# submodule definitions # submodule definitions
vhostModule = vhostModule = { name, config, ... }@attrs: {
{ name, config, ... }@attrs: options = {
{ locations = mkAttrsOfSubmoduleOpt (locationModule' attrs);
options = { authelia = {
locations = mkAttrsOfSubmoduleOpt (locationModule' attrs); endpoint = {
authelia = { instance = lib.mkOption {
endpoint = { description = ''
instance = lib.mkOption { Local Authelia instance to act as the authentication endpoint.
description = '' This virtualHost will be configured to provide the
Local Authelia instance to act as the authentication endpoint. public-facing authentication service.
This virtualHost will be configured to provide the
public-facing authentication service.
'';
type = with types; nullOr str;
default = null;
};
upstream = lib.mkOption {
description = ''
Internal URL of the Authelia endpoint to forward authentication
requests to.
'';
type = with types; nullOr str;
default = null;
};
};
instance = lib.mkOption {
description = ''
Local Authelia instance to use. Setting this option will
automatically configure Authelia on the specified virtualHost
with the given instance of Authelia.
'';
type = with types; nullOr str;
default = null;
};
upstream = lib.mkOption {
description = ''
Internal URL of the Authelia endpoint to forward authorization
requests to. This should not be the public-facing authentication
endpoint URL.
'';
};
method = lib.mkOption {
description = ''
Default Authelia authentication method to use for all locations
in this virtualHost. Authentication is disabled by default for
all locations if this is set to `null`.
'';
type = with types; nullOr oneOf validAuthMethods;
default = "regular";
example = "basic";
};
};
};
config = {
authelia.upstream = mkIf (!(isNull config.authelia.instance)) (
getUpstreamFromInstance config.authelia.instance
);
authelia.endpoint.upstream = mkIf (!(isNull config.authelia.endpoint.instance)) (
getUpstreamFromInstance config.authelia.endpoint.instance
);
# authelia nginx internal endpoints
locations =
let
api = "${config.authelia.upstream}/api/authz/auth-request";
in
lib.mkIf (!(isNull config.authelia.upstream)) {
# just setup both, they can't be accessed externally anyways.
"/internal/authelia/authz" = {
proxyPass = api;
recommendedProxyConfig = false;
extraConfig = ''
include ${autheliaLocationConfig};
'';
};
"/internal/authelia/authz/basic" = {
proxyPass = "${api}/basic";
recommendedProxyConfig = false;
extraConfig = ''
include ${autheliaBasicLocationConfig};
'';
};
};
};
};
locationModule' =
vhostAttrs:
{ name, config, ... }:
let
vhostConfig = vhostAttrs.config;
in
{
options.authelia.method = lib.mkOption {
description = ''
Authelia authentication method to use for this location.
Authentication is disabled for this location if this is set to
`null`.
'';
type = with types; nullOr oneOf validAuthMethods;
default = vhostConfig.authelia.method;
example = "basic";
};
config =
lib.mkIf (!(lib.strings.hasPrefix "/internal/authelia/" name))
&& (!(isNull vhostConfig.authelia.upstream))
&& (!(isNull config.authelia.method)) {
extraConfig = ''
include ${genAuthConfigPkg config.authelia.method};
''; '';
type = with types; nullOr str;
default = null;
}; };
upstream = lib.mkOption {
description = ''
Internal URL of the Authelia endpoint to forward authentication
requests to.
'';
type = with types; nullOr str;
default = null;
};
};
instance = lib.mkOption {
description = ''
Local Authelia instance to use. Setting this option will
automatically configure Authelia on the specified virtualHost
with the given instance of Authelia.
'';
type = with types; nullOr str;
default = null;
};
upstream = lib.mkOption {
description = ''
Internal URL of the Authelia endpoint to forward authorization
requests to. This should not be the public-facing authentication
endpoint URL.
'';
};
}; };
};
config = {
authelia.upstream = mkIf (!(isNull config.authelia.instance))
(getUpstreamFromInstance config.authelia.instance);
authelia.endpoint.upstream = mkIf (!(isNull config.authelia.endpoint.instance))
(getUpstreamFromInstance config.authelia.endpoint.instance);
in # authelia nginx internal endpoints
{ locations = let
virtualHosts = mkAttrsOfSubmoduleOpt vhostModule; api = "${config.authelia.upstream}/api/authz/auth-request";
in lib.mkIf (!(isNull config.authelia.upstream)) {
"/internal/authelia/authz" = {
proxyPass = api;
recommendedProxyConfig = false;
extraConfig = ''
include ${autheliaLocationConfig};
'';
};
"/internal/authelia/authz/basic" = {
proxyPass = "${api}/basic";
recommendedProxyConfig = false;
extraConfig = ''
include ${autheliaBasicLocationConfig};
'';
};
};
};
}; };
locationModule' = vhostAttrs: { name, config, ... }: let
vhostConfig = vhostAttrs.config;
in {
};
in {
virtualHosts = mkAttrsOfSubmoduleOpt vhostModule;
};
# TODO check if any vhosts have authelia configured # TODO check if any vhosts have authelia configured
config = mkIf false { config = mkIf false {