secrets: authelia stuff

rpi4: submodule extension test

minor remove test thing (squash later)

move authelia into separate file

rpi4: add some options for authelia (wip)

authelia: wip

authelia: more wip

authelia: format

authelia: wip

authelia: fixes

authelia: configure endpoint i think

hosts/rpi4/authelia.nix

@@ -0,0 +1,339 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  inherit (lib) types mkIf optionalString;
+  inherit (builtins)
+    isNull
+    any
+    all
+    attrValues
+    toString
+    ;
+
+  inherit (config.services) nginx;
+
+  validAuthMethods = [
+    "regular"
+    "basic"
+  ];
+  getUpstreamFromInstance =
+    instance:
+    let
+      inherit (config.services.authelia.instances.${instance}.settings) server;
+      inherit (server) port;
+      host =
+        if server.host == "0.0.0.0" then
+          "127.0.0.1"
+        else if lib.hasInfix ":" server.host then
+          throw "TODO IPv6 not supported in Authelia server address (hard to parse, can't tell if it is [::])."
+        else
+          server.host;
+    in
+    "http://${host}:${toString port}";
+
+  # use this when reverse proxying to authelia (and only authelia because i
+  # like the nixos recommended proxy settings better)
+  autheliaProxyConfig = pkgs.writeText "authelia-proxy-config.conf" ''
+    ## Headers
+    proxy_set_header Host $host;
+    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Host $http_host;
+    proxy_set_header X-Forwarded-URI $request_uri;
+    proxy_set_header X-Forwarded-Ssl on;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header X-Real-IP $remote_addr;
+
+    ## Basic Proxy Configuration
+    client_body_buffer_size 128k;
+    # Timeout if the real server is dead.
+    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+    proxy_redirect  http://  $scheme://;
+    proxy_http_version 1.1;
+    proxy_cache_bypass $cookie_session;
+    proxy_no_cache $cookie_session;
+    proxy_buffers 64 256k;
+
+    ## Trusted Proxies Configuration
+    ## Please read the following documentation before configuring this:
+    ##     https://www.authelia.com/integration/proxies/nginx/#trusted-proxies
+    # set_real_ip_from 10.0.0.0/8;
+    # set_real_ip_from 172.16.0.0/12;
+    # set_real_ip_from 192.168.0.0/16;
+    # set_real_ip_from fc00::/7;
+    real_ip_header X-Forwarded-For;
+    real_ip_recursive on;
+
+    ## Advanced Proxy Configuration
+    send_timeout 5m;
+    proxy_read_timeout 360;
+    proxy_send_timeout 360;
+    proxy_connect_timeout 360;
+  '';
+
+  autheliaLocation = ''
+    internal;
+
+    ## Headers
+    ## The headers starting with X-* are required.
+    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+    proxy_set_header X-Original-Method $request_method;
+    proxy_set_header X-Forwarded-Method $request_method;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Host $http_host;
+    proxy_set_header X-Forwarded-Uri $request_uri;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header Content-Length "";
+    proxy_set_header Connection "";
+
+    ## Basic Proxy Configuration
+    proxy_pass_request_body off;
+    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead
+    proxy_redirect http:// $scheme://;
+    proxy_http_version 1.1;
+    proxy_cache_bypass $cookie_session;
+    proxy_no_cache $cookie_session;
+    proxy_buffers 4 32k;
+    client_body_buffer_size 128k;
+
+    ## Advanced Proxy Configuration
+    send_timeout 5m;
+    proxy_read_timeout 240;
+    proxy_send_timeout 240;
+    proxy_connect_timeout 240;
+  '';
+  autheliaLocationConfig = pkgs.writeText "authelia-location.conf" autheliaLocation;
+  autheliaBasicLocationConfig = autheliaLocationConfig;
+  genAuthConfig = method: endpoint: let
+      redirect = ''
+        ## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
+        error_page 401 =302 ${endpoint}/?rd=$target_url;
+      '';
+    in ''
+      auth_request /internal/authelia/authz${optionalString (method == "basic") "/basic"};
+
+      ## Set the $target_url variable based on the original request.
+
+      ## Comment this line if you're using nginx without the http_set_misc module.
+      # set_escape_uri $target_url $scheme://$http_host$request_uri;
+
+      ## Uncomment this line if you're using NGINX without the http_set_misc module.
+      set $target_url $scheme://$http_host$request_uri;
+
+      ## Save the upstream response headers from Authelia to variables.
+      auth_request_set $user $upstream_http_remote_user;
+      auth_request_set $groups $upstream_http_remote_groups;
+      auth_request_set $name $upstream_http_remote_name;
+      auth_request_set $email $upstream_http_remote_email;
+
+      ## Inject the response headers from the variables into the request made to the backend.
+      proxy_set_header Remote-User $user;
+      proxy_set_header Remote-Groups $groups;
+      proxy_set_header Remote-Name $name;
+      proxy_set_header Remote-Email $email;
+
+      ${optionalString (method == "regular") redirect}
+    '';
+  genAuthConfigPkg =
+    method: endpoint: pkgs.writeText "authelia-authrequest-${method}.conf" (genAuthConfig method endpoint);
+in
+{
+  # authelia
+  options.services.nginx =
+    let
+      mkAttrsOfSubmoduleOpt = module: lib.mkOption { type = with types; attrsOf (submodule module); };
+
+      # make system config accessible from submodules
+      systemConfig = config;
+
+      # submodule definitions
+      vhostModule =
+        { name, config, ... }@attrs:
+        {
+          options = {
+            locations = mkAttrsOfSubmoduleOpt (genLocationModule attrs);
+            authelia = {
+              endpoint = {
+                # endpoint settings
+                instance = lib.mkOption {
+                  description = ''
+                    Local Authelia instance to act as the authentication endpoint.
+                    This virtualHost will be configured to provide the
+                    public-facing authentication service.
+                  '';
+                  type = with types; nullOr str;
+                  default = null;
+                };
+                upstream = lib.mkOption {
+                  description = ''
+                    Internal URL of the Authelia endpoint to forward authentication
+                    requests to.
+                  '';
+                  type = with types; nullOr str;
+                  default = null;
+                };
+              };
+              # client settings
+              endpointURL = lib.mkOption {
+                description = ''
+                  (temporary) authelia endpoint redirect URL.
+                '';
+                type = with types; str;
+              };
+              instance = lib.mkOption {
+                description = ''
+                  Local Authelia instance to use. Setting this option will
+                  automatically configure Authelia on the specified virtualHost
+                  with the given instance of Authelia.
+                '';
+                type = with types; nullOr str;
+                default = null;
+              };
+              upstream = lib.mkOption {
+                description = ''
+                  Internal URL of the Authelia endpoint to forward authorization
+                  requests to. This should not be the public-facing authentication
+                  endpoint URL.
+                '';
+                type = with types; nullOr str;
+                default = null;
+              };
+              method = lib.mkOption {
+                description = ''
+                  Default Authelia authentication method to use for all locations
+                  in this virtualHost. Authentication is disabled by default for
+                  all locations if this is set to `null`.
+                '';
+                type = with types; nullOr (enum validAuthMethods);
+                default = "regular";
+                example = "basic";
+              };
+            };
+          };
+          config = {
+            authelia.upstream = mkIf (!(isNull config.authelia.instance)) (
+              getUpstreamFromInstance config.authelia.instance
+            );
+            authelia.endpoint.upstream = mkIf (!(isNull config.authelia.endpoint.instance)) (
+              getUpstreamFromInstance config.authelia.endpoint.instance
+            );
+
+            forceSSL = lib.mkIf (!(isNull config.authelia.endpoint.upstream)) true;
+
+            # authelia nginx internal endpoints
+            locations =
+              let
+                api = "${config.authelia.upstream}/api/verify";
+              in
+              lib.mkMerge [
+                (lib.mkIf (!(isNull config.authelia.upstream)) {
+                  # just setup both, they can't be accessed externally anyways.
+                  "/internal/authelia/authz" = {
+                    proxyPass = api;
+                    recommendedProxySettings = false;
+                    extraConfig = ''
+                      include ${autheliaLocationConfig};
+                    '';
+                  };
+                  "/internal/authelia/authz/basic" = {
+                    proxyPass = "${api}?auth=basic";
+                    recommendedProxySettings = false;
+                    extraConfig = ''
+                      include ${autheliaBasicLocationConfig};
+                    '';
+                  };
+                })
+                (lib.mkIf (!(isNull config.authelia.endpoint.upstream)) {
+                  "/" = {
+                    extraConfig = ''
+                      include "${autheliaProxyConfig}";
+                    '';
+                    proxyPass = "${config.authelia.endpoint.upstream}";
+                    recommendedProxySettings = false;
+                  };
+                  "= /api/verify" = {
+                    proxyPass = "${config.authelia.endpoint.upstream}";
+                    recommendedProxySettings = false;
+                  };
+                  "/api/authz" = {
+                    proxyPass = "${config.authelia.endpoint.upstream}";
+                    recommendedProxySettings = false;
+                  };
+                })
+              ];
+          };
+        };
+
+      genLocationModule =
+        vhostAttrs:
+        { name, config, ... }:
+        let
+          vhostConfig = vhostAttrs.config;
+        in
+        {
+          options.authelia.method = lib.mkOption {
+            description = ''
+              Authelia authentication method to use for this location.
+              Authentication is disabled for this location if this is set to
+              `null`.
+            '';
+            type = with types; nullOr (enum validAuthMethods);
+            default = vhostConfig.authelia.method;
+            example = "basic";
+          };
+          options.authelia.endpointURL = lib.mkOption {
+            description = ''
+              (temporary) authelia endpoint redirect URL.
+            '';
+            type = with types; str;
+            default = vhostConfig.authelia.endpointURL;
+          };
+
+          config =
+            lib.mkIf
+              (
+                (!(lib.strings.hasPrefix "/internal/authelia/" name))
+                && (!(isNull vhostConfig.authelia.upstream))
+                && (!(isNull config.authelia.method))
+              )
+              {
+                extraConfig = ''
+                  include ${genAuthConfigPkg config.authelia.method config.authelia.endpointURL};
+                '';
+              };
+        };
+
+    in
+    {
+      virtualHosts = mkAttrsOfSubmoduleOpt vhostModule;
+    };
+
+  # TODO check if any vhosts have authelia configured
+  config =
+    let
+      # TODO later, there are only assertions here
+      configured = any (
+        vhost: (!(isNull vhost.authelia.upstream)) || (!(isNull vhost.authelia.endpoint.upstream))
+      ) (attrValues nginx.virtualHosts);
+    in
+    mkIf true {
+      assertions = [
+        {
+          assertion = all (
+            vhost: (!(isNull vhost.authelia.upstream)) -> (isNull vhost.authelia.endpoint.upstream)
+          ) (attrValues nginx.virtualHosts);
+          message = "`services.nginx.virtualHosts.<name>.authelia.upstream` and `services.nginx.virtualHosts.<name>.authelia.endpoint.upstream` cannot be set at the same time.";
+        }
+        # {
+        #   assertion = all (
+        #     vhost: vhost.authelia.instance -> config.services.authelia.instances ? "${vhost.authelia.instance}"
+        #   ) (attrValues nginx.virtualHosts);
+        #   message = "`services.authelia.instances.<name>` must be configured if `services.nginx.virtualHosts.<name>.authelia.instance` is set.";
+        # }
+      ];
+    };
+}

hosts/rpi4/services.nix

@@ -2,6 +2,7 @@
 {
   imports = [
     ./gitea.nix
+    ./authelia.nix
   ];
   config = {
 

secrets/authelia-jwt.age

@@ -0,0 +1,45 @@
+age-encryption.org/v1
+-> ssh-ed25519 YUrFgQ ziqefMyK5JhBuM1m/eeTncfAkKBDKaEieismRloliTk
+KFpH2q6ohlNEkdvfpOr2MvPBQN1FcsqAaWRLRsS6bm8
+-> ssh-rsa I7EAZw
+Cl4H7PXAE6HHpKfhJGJy8G53hD9UKKhBDMplB4S3u6xqqLMTZvZucyNExwp0zj9C
+qSyrvn3l1X1HKrCIDvPrdQOJBmM+TD+MCFl2wtHn/nU75/WVrB9MeJuvLyM7UCVR
+zp0/6n6zA/MQmCxr36cD2hzKoFlIKsB/U0L0OuAgOL5dkvW23FpP/tjRynW8waDC
+1zf6kuAAvmSJn0nFnyCV/yAFcKIMU7Iy0OUJc2/o+uZisXxCf1wphYR23Rqv7WDH
++td1ISPsSR/gODCmIPC1FZ5e82/NVuSXWsKVgFX0bZkwopm24Pu93hdhisrXXM+N
+W0uHBFn7cG+C38S17fPe7y9hBsILGypk0xI/fD0jqzbRYBQlz+0UtZi+boGDmYNm
+fkFeI15wNXoRbV1WVNI4TsDRm/RCygURajQyKiQZF42q+aNVVtKKQ9TQRbl9D5hP
+CH4APsxu0Fhx9a3BWOS0QbVdeBnEv8XO/RTfW1e6axi2VeFMD8662HAD7EZKViUc
+
+-> ssh-rsa 0pGLuA
+YAH3yGa/byKTc8fWuakQ5oOc1QgGJ7FNQ0AqL/t+TIUXHHITJeeUgIVZKAyjm1oZ
+Zxv+F1+heYFGXFCnFDUuMip5VffMtxHoafrPbWk0VfCRzbzG5l04bZ5L/0NEDSW2
+EOC2+q0tw9H3v2cqWjZWP87a2kTXqen+Vs4PhJMQRf11zcc8IElueKNR6/PZbcXN
+t/6YReGijeeEoZc8bkpxTQ2DnGI4iDK97GppmqNahZxeSwBplEdJ4LCan/RIxUlL
+CEj2ir30vSwdSrbNMOvSj/sysBbx4zUndHv0MmNr9GSht+NTg7cQ2adWyJj2Wt+D
+oDi/JLFDYAOQRexxrmcqUhr1aC8fz4eSnR6zkTmofXNwnX85/WHdNSy1bZsowHyL
+tZ4rpAkNO/9o6BH/UCM8ehmPRdqJBjA+tDnCTyDYL5WU2+h19qqE1Wl1NrUBGSzV
+6+lbQyZVO1+2PhAYz2qhfgTzeldhYpuXv2u09mGGei+Y8PR5+RMgkM0p2I2PU6Ss
+
+-> ssh-rsa JoBDow
+Ed25YtltDXFwZczfVXQPPTF78fMNWmOGnTT1q9qdoLI9IyMfBLb6okphZKziScrt
+7RXtEU82UUF3Rz2ujxttUrCYQQqSGEg9WY4g6i1cdTl8CeBv2LQ85Wbn0XlabRf4
+muAYf/0UjFF8q/XObxH4k4xN4FGqgGRPvVTIxn7vVBr2XGF6LcexyqDSJshF2bj5
+hBklQ1J0klfq13WaQivrZESbkeBL9hSIA93kOTtyKtZ6ess9mLEFxJ2fIebosPxl
+o0pEYNq+EZHnvf9Xzott3/kgBDVjsGmlOYiidOT+8JrZYXgR6Uzsf4KkeFRuNI1b
+IPsNKz07PsaeLZCtvxLNGkVMpHirZMLAAzjjIgKZRCplNZZsq6CYriWW0Ma/QU9q
+iMjgHw0pWmYPJIToH07gnspjLPhB2vzI+Udhe9YY212ll0xaLSnjZrz19uhXBPTQ
+8N48qctw9c68R938CMg2Qh7ewP5X1Emlp5P17klXKYOCaOQN0nZGG4O9RB9eNwyW
+
+-> ssh-rsa wzTCUg
+Zriz0bud949PspVqI7cx15+5bo5eYZWxdK9+oXnX+a4PJYksP6HsL70oi4Qx5E12
+o9UWqh/lt1XcEQsWw62ZWQJOO/fdN4hn9ZjjwoJKpHn0vKcO1J+C7TzSIyx+jQim
+eMqLxF+8Ct3lS52JdX624YkW8R2hJbU8nP1eqEMxKOtIFi8X/peisoVx7XMtOegg
+bjxVZHEH9WIsPuK5mRtQ/+PU6Rvkbe317W/+HNNxZ9bxKcy2iFwIDCE2QgETOyaq
+AoP0uRiCb0J8xZBQMindOY0Quai1ZxjlWcan0OkSzWV/TXXAzW0j8uukbffHa9+G
+tZy4WdCDdKlYAWSuQGP9OIjDc+JfssiO2y4wmGFWx9ILMREDa++smm57jiqIMmJt
+bN/p1o1jhtvHI6qd5sPnP3c0NsbhUmmRlERT0sCFMV58ZFPJWb2U6wiPChk5FGtj
+X1fePM8F5tqJiyFSLS4t08PzEfJE/mOhvgdJHxtFkMfsQTE1L22gW3BJymnXa+d5
+
+--- oDET0PXBYBfvR9LyBkj4wchAGuXNfUPbRm5XFCzTyrc
+?š¬ò´‘ÍZ^Ô{øÏãoJ<‹³w´ë4c˜ÔO<C394>§t«tŒ;‚0\.½Ó²íyø±‹v©ŒÌÕ¢pîš{{O×pÅiA˜&ûŠîé7 r"o“èEì;Ò

secrets/authelia-storage.age

@@ -0,0 +1,47 @@
+age-encryption.org/v1
+-> ssh-ed25519 YUrFgQ WDWFm6EyWYPOTsqzKTmzk6bvOMlRdJuyZ8EZVzwZQ28
+ivyjF6fOiVVlmI8QGPNLSE3TKDJGnWgjDZQD5J7JZYc
+-> ssh-rsa I7EAZw
+Kofwt0jqFgQPSrjMMtLihOfJvHkXvI8xd5ShXwHZbfLj1PeevKJ1a6yvBTg6il1q
+zmFBf2p6JGsPSP4FEF2cQXbHXhcG2yvXH7+LZFp5Pd0a66wnwWKxMYKyDR3a2AZG
+X7knCMt283xN+LnUrRpg8vMxAW2Au4N3WoFGw7mGEvm8htac5+pcT6zjcN3aMqoz
+0aliee7ECHYsuBUacDW/E4OA/KMJqFQJejcxG3QtmKrhRkWtn403YQGn1v4V2Zrl
+RLNNpBVuC4WaUp1GLcf24DM47v1Yd3jTKh/spyZI9mjrqAOKbKzTxvh3s8XAXgjf
+2rKItIT2qusMiV2MruQdvKbVWpuvxZ9wjYkm/9Z1glNOJCg3LcjpI9Du1/XLXnVU
+HVN3xy95MjTmXJ0iR6PCk1n05oWWghJFsJUxSa/4BMONwj2RTfnBFvEvU6JFVrg7
+kOpeP74vVUIMg+0xBjp2vDzQnWyAtewxohMXX6iof+/xMoyzZZOykONB2D82XKkA
+
+-> ssh-rsa 0pGLuA
+ff105DUqiJwz9Iv3xzLZF3yRYd+mMLMYBEfc8wPWdM6cmyEVYFlHTujPBKgkmTgP
+/YnqmevVI1pYjZuyOfCxRGCJfjDWn/wiDJHD1SFXDt9F3koldIO0nR8bBeiKT+cT
+XyFIrLMuhlGlnufBNMUPed/1uK874xaKVAajgklEE8UvkZM9hAf8yMjsqF7rWexq
+cLfv0wSfKFFKMpZ7acvf0EqWCrickQ+zxMexmBAycEY1SYB8z8DFAHlMtcIl5p0p
+nKwFBWWfb+YLvB9EKn/APt4NyDTu6MY99ZNiZrr+5zNeucmJMbon1K29Bd1BJVjs
+Shcbbxi3WupWS81SEyYWYbLJ2tXj2gmVJkjLGLqY4mRFNjiOzLkameyDz9yOnHhU
+c+LbLZjucKviVzTaDc68lNS9SLdqXSS2wUBc4pvvNMh6fG68r1hHVIzoDrVkwutk
+s6GGffFyZP40vY103NC0aZ6DAju3vXgOxIkdZ17E3hzLXs0bSEeiAMJoNou/UIrr
+
+-> ssh-rsa JoBDow
+B88neb0yJYGomuED6+F1E9rY5SZQfeQYaXpU1ouFehvUwFo6K5xIML1UJXduZ0MG
+PGMcVI8PaMH56PsPeDZNwisaiQFmazZXXlXKnquW3RZO3AcSlTUL6+GNySwalV8O
+o34n06nUD9UfhVBYacPSOroo98OGhJ7td6GHOJwzHFyvI5NkOsdp9AOSRQ46qE2i
+//eD9ktM5iptfDFUlMeuNZaZTaIPWzv+MZhJGuoSkb/HCwoB8hzr9VIUnu/9UbxL
+gxUwOo5DX1kQcJFFkKzuzd2KpZ+jIik/L15zx4fhLnGpAitZ+cTw3UWPRqRMAAFz
+hPFYoNZAfQvYcJqjtUrbxw0NtiiD7djzFLnOcAFIOgZtfg5P/GdO4tslmNYqYkLg
+L/UJHCVyyOjd2h43CxgjHedBGks4DqyjPWOqMf5+nCEKJ/7aBLup9HVrIO10Qo9S
+tp3XugItQAaZnICFfprFGTTVUXavDXz5cKqFQgYykr/UymRXEUW38AWRGuIkGSNd
+
+-> ssh-rsa wzTCUg
+M+5xJugvrRLVGHtM1EVHcIWdUPhYjE/OSfpELLNyB/yOHJuOvipToWPg2MXG87Cu
+T1D1G3xkJkyKfnZIrQfnnfFdALxaBFvGnPkVNs1CBr8M/2wJ22Zkbh894VGORLml
+k/57faaw8h2lzMgt3UqrIQcYl4IGNXkwWjG4IypG2xwSkCuj0Jyn+AxDZe5D/VXh
+MYq7WL8BTpjery/ezCW75QkHCZK4mrQkmvV/5SVpQBBTsVtBZV6ILpihfxbOCmI7
+uTcJE1iDXGB1CgGAv/SfrBLAu0uFcxLfTLhof/b7PCPiyRFIlPMN14b0Jo9I2/Q5
+q7C0WBVjsK9s4ntDkROr78+d0RKDB0JGgiohSVi5hWqghOXHK6ZLoTTlGII4E2Jj
+CpiXHmSKLjuNHVRwoMt4pcDIkwQkWqO7wPQaMqBpRgYS5CopkZnCqJRdPWZ9u7mq
+TjcFuwWxQ1w1A3UfDXw/G5cBitQbyZOpRI7FpzJpdHEJbPCPVPZImPnJ0a/c9GDY
+
+--- M40WlnNfDe3NLZTl9txxouDcEouawZZtecP4n3J/xts
+mѽ6<C2BD><36>üá”,Ê•=°/Qè¡
+ôä~ý®6V9žd¾IýSÔl¡áºµ®QÚìïì,ïÉÙúêÓ¡	c#<07>$,¸GÉá
+Žx½%Ö¡Û…Aö|uhx»Zâ¬ý

secrets/secrets.nix

@@ -16,5 +16,8 @@ in
   "wireguard-rpi4.age".publicKeys = [ rpi4 ] ++ all-user;
   "htpasswd.age".publicKeys = [ rpi4 ] ++ all-user;
   "htpasswd-cam.age".publicKeys = [ rpi4 ] ++ all-user;
+  "authelia-users.age".publicKeys = [ rpi4 ] ++ all-user;
+  "authelia-storage.age".publicKeys = [ rpi4 ] ++ all-user;
+  "authelia-jwt.age".publicKeys = [ rpi4 ] ++ all-user;
 }