From 5c65f7f9224c458a13220afbaa4a6c4745d25310 Mon Sep 17 00:00:00 2001
From: eyjhb
Date: Thu, 2 Jan 2025 17:18:31 +0100
Subject: [PATCH] authelia.nginx: add auth proxy headers to shared info

---
 .../gerd/services/authelia/authelia-nginx.nix | 23 ++++++++++++-------
 machines/gerd/services/member-website/app.py | 9 ++++----
 .../gerd/services/member-website/default.nix | 8 +++++++
 machines/gerd/services/miniflux.nix | 2 +-
 4 files changed, 29 insertions(+), 13 deletions(-)

diff --git a/machines/gerd/services/authelia/authelia-nginx.nix b/machines/gerd/services/authelia/authelia-nginx.nix
index dce7a9e..12ad8fa 100644
--- a/machines/gerd/services/authelia/authelia-nginx.nix
+++ b/machines/gerd/services/authelia/authelia-nginx.nix
@@ -51,10 +51,10 @@ let
 auth_request_set $email $upstream_http_remote_email;
 ## Inject the metadata response headers from the variables into the request made to the backend.
- proxy_set_header Remote-User $user;
- proxy_set_header Remote-Groups $groups;
- proxy_set_header Remote-Email $email;
- proxy_set_header Remote-Name $name;
+ proxy_set_header ${config.mine.shared.lib.authelia.protectedHeaders.username} $user;
+ proxy_set_header ${config.mine.shared.lib.authelia.protectedHeaders.groups} $groups;
+ proxy_set_header ${config.mine.shared.lib.authelia.protectedHeaders.email} $email;
+ proxy_set_header ${config.mine.shared.lib.authelia.protectedHeaders.name} $name;
 ## Configure the redirection when the authz failure occurs. Lines starting with 'Modern Method' and 'Legacy Method'
 ## should be commented / uncommented as pairs. The modern method uses the session cookies configuration's authelia_url
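Review bot: The four `proxy_set_header` lines now take their names from `protectedHeaders`, while the `auth_request_set $email $upstream_http_remote_email;` context line above still refers to Authelia's own response header by its fixed `$upstream_http_remote_*` variable, so the two sets of names are now independent and a reader may assume changing `protectedHeaders` also changes what Authelia emits. A comment on the block would make that explicit: `## protectedHeaders are the names forwarded to the backend; the $upstream_http_remote_* variables are Authelia's response headers and are not renamed by them.` The enclosing Nix string starts and ends outside the hunk.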
@@ -77,10 +77,10 @@ let
 '';
 nginxUnsetAuthHeaders = ''
- proxy_set_header Remote-User "";
- proxy_set_header Remote-Groups "";
- proxy_set_header Remote-Email "";
- proxy_set_header Remote-Name "";
+ proxy_set_header ${config.mine.shared.lib.authelia.protectedHeaders.username} "";
+ proxy_set_header ${config.mine.shared.lib.authelia.protectedHeaders.groups} "";
+ proxy_set_header ${config.mine.shared.lib.authelia.protectedHeaders.email} "";
+ proxy_set_header ${config.mine.shared.lib.authelia.protectedHeaders.name} "";
 '';
 in {
 mine.shared.lib.authelia.mkProtectedWebsite = websiteConfig: lib.recursiveUpdate websiteConfig {
@@ -91,4 +91,11 @@ in {
 mine.shared.lib.authelia.mkProtectedLocation = vhostLocationConfig: lib.recursiveUpdate vhostLocationConfig {
 extraConfig = (lib.attrByPath [ "extraConfig" ] "" vhostLocationConfig) + "\n" + "include ${autheliaRequest};";
 };
+
+ mine.shared.lib.authelia.protectedHeaders = {
+ username = "Remote-User";
+ groups = "Remote-Groups"; # comma separated string of groups
+ email = "Remote-Email";
+ name = "Remote-Name";
+ };
 }
diff --git a/machines/gerd/services/member-website/app.py b/machines/gerd/services/member-website/app.py
index 70f02e7..c722420 100755
--- a/machines/gerd/services/member-website/app.py
+++ b/machines/gerd/services/member-website/app.py
@@ -8,6 +8,7 @@ import argparse
 import logging
 import json
 import sys
+import os
 logging.basicConfig()
 logger = logging.getLogger(__name__)
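Review bot: `nginxUnsetAuthHeaders` still enumerates the four headers by hand, so a name added to `protectedHeaders` later would be forwarded by the `proxy_set_header` block in the first hunk but not cleared here, and a client could then supply that header itself on a location that is not behind `auth_request`. Since the attrset is now the single source of the names, the clearing block can be derived from it so the two cannot drift: `nginxUnsetAuthHeaders = lib.concatMapStringsSep "\n" (h: ''proxy_set_header ${h} "";'') (lib.attrValues config.mine.shared.lib.authelia.protectedHeaders);`. Both `lib` and `config` are already referenced in this file, so no new binding is needed.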
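Review bot: The new `mine.shared.lib.authelia.protectedHeaders` attrset carries only the `# comma separated string of groups` remark and nothing that says what the set is for or what keeps it safe, which matters because other modules (miniflux, member-website) now consume it. I would put a comment above the attrset along the lines of `# Request header names nginx sets from Authelia's auth_request response and forwards to protected backends. Every name listed here must also be cleared in nginxUnsetAuthHeaders so a client cannot inject it on an unprotected location.` That keeps the coupling between this attrset and the clearing block visible to whoever next adds a header.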
@@ -94,10 +95,10 @@ def extract_secrets() -> dict[str, str]:
 def index():
 # extract user information
 user_info = {
- "username": request.headers.get("Remote-User"),
- "name": request.headers.get("Remote-Name"),
- "groups": request.headers.get("Remote-Groups"),
- "email": request.headers.get("Remote-Email"),
+ "username": request.headers.get(os.environ.get("AUTH_PROXY_USERNAME")),
+ "name": request.headers.get(os.environ.get("AUTH_PROXY_NAME")),
+ "groups": request.headers.get(os.environ.get("AUTH_PROXY_GROUPS")),
+ "email": request.headers.get(os.environ.get("AUTH_PROXY_EMAIL")),
 }
 tmpl_firstpass = render_template_string(
 tmpl_index,
diff --git a/machines/gerd/services/member-website/default.nix b/machines/gerd/services/member-website/default.nix
index 738da25..53c5805 100644
--- a/machines/gerd/services/member-website/default.nix
+++ b/machines/gerd/services/member-website/default.nix
@@ -9,6 +9,14 @@ in {
 description = "members area website";
 wantedBy = [ "multi-user.target" ];
 after = [ "networking.target" ];
+
+ environment = {
+ AUTH_PROXY_USERNAME = config.mine.shared.lib.authelia.protectedHeaders.username;
+ AUTH_PROXY_GROUPS = config.mine.shared.lib.authelia.protectedHeaders.groups;
+ AUTH_PROXY_EMAIL = config.mine.shared.lib.authelia.protectedHeaders.email;
+ AUTH_PROXY_NAME = config.mine.shared.lib.authelia.protectedHeaders.name;
+ };
+
 serviceConfig = {
 ExecStart = let
 pythonEnv = pkgs.python3.withPackages(ps: with ps; [ flask ]);
diff --git a/machines/gerd/services/miniflux.nix b/machines/gerd/services/miniflux.nix
index 1303a21..5c6ceaa 100644
--- a/machines/gerd/services/miniflux.nix
+++ b/machines/gerd/services/miniflux.nix
@@ -20,7 +20,7 @@ in {
 # use auth proxy
 # TODO: This should be configureable
- AUTH_PROXY_HEADER = "Remote-User";
+ AUTH_PROXY_HEADER = config.mine.shared.lib.authelia.protectedHeaders.username;
 AUTH_PROXY_USER_CREATION = "true";
 };
 };
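Review bot: `os.environ.get("AUTH_PROXY_USERNAME")` and the three lookups below it return `None` when the variable is unset, so running app.py outside the systemd unit that supplies `environment` makes each `request.headers.get` look up a `None` key and `user_info` silently loses every identity field (or errors per request, depending on the headers class) instead of failing once at startup. I would resolve the header names a single time at import, using the previous literal names as defaults, which keeps direct runs working and gives a misconfiguration one obvious place to show up. The `index()` function continues past the end of the hunk.
```python
# Header names set by the auth proxy (supplied via the systemd unit's
# environment); defaults are the names used before the indirection so a
# direct run of the script behaves as before.
AUTH_PROXY_USERNAME_HEADER = os.environ.get("AUTH_PROXY_USERNAME", "Remote-User")
AUTH_PROXY_NAME_HEADER = os.environ.get("AUTH_PROXY_NAME", "Remote-Name")
AUTH_PROXY_GROUPS_HEADER = os.environ.get("AUTH_PROXY_GROUPS", "Remote-Groups")
AUTH_PROXY_EMAIL_HEADER = os.environ.get("AUTH_PROXY_EMAIL", "Remote-Email")

# … unchanged: extract_secrets and the rest of the module …

def index():
    # extract user information
    user_info = {
        "username": request.headers.get(AUTH_PROXY_USERNAME_HEADER),
        "name": request.headers.get(AUTH_PROXY_NAME_HEADER),
        "groups": request.headers.get(AUTH_PROXY_GROUPS_HEADER),
        "email": request.headers.get(AUTH_PROXY_EMAIL_HEADER),
    }
    # … unchanged: render_template_string call and the rest of index() …
```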
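Review bot: The `# TODO: This should be configureable` comment two lines above the changed `AUTH_PROXY_HEADER` line is now misleading, since the value no longer is a literal but follows `config.mine.shared.lib.authelia.protectedHeaders.username`, which is exactly the configurability the TODO asked for. I would replace it with `# header name follows the shared authelia definition so it stays in sync with the nginx auth_request config`, which also fixes the "configureable" spelling. If something else in this block is still meant to become configurable, the TODO should name it instead.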