authelia.nginx: add auth proxy headers to shared info

eyjhb 2025-01-02 17:18:31 +01:00
parent 9fd8d7b900
commit 5c65f7f922
No known key found for this signature in database
GPG key ID: 609F508E3239F920
4 changed files with 29 additions and 13 deletions


@ -51,10 +51,10 @@ let
auth_request_set $email $upstream_http_remote_email; auth_request_set $email $upstream_http_remote_email;
## Inject the metadata response headers from the variables into the request made to the backend. ## Inject the metadata response headers from the variables into the request made to the backend.
proxy_set_header Remote-User $user; proxy_set_header ${config.mine.shared.lib.authelia.protectedHeaders.username} $user;
proxy_set_header Remote-Groups $groups; proxy_set_header ${config.mine.shared.lib.authelia.protectedHeaders.groups} $groups;
proxy_set_header Remote-Email $email; proxy_set_header ${config.mine.shared.lib.authelia.protectedHeaders.email} $email;
proxy_set_header Remote-Name $name; proxy_set_header ${config.mine.shared.lib.authelia.protectedHeaders.name} $name;
## Configure the redirection when the authz failure occurs. Lines starting with 'Modern Method' and 'Legacy Method' ## Configure the redirection when the authz failure occurs. Lines starting with 'Modern Method' and 'Legacy Method'
## should be commented / uncommented as pairs. The modern method uses the session cookies configuration's authelia_url ## should be commented / uncommented as pairs. The modern method uses the session cookies configuration's authelia_url
@ -77,10 +77,10 @@ let
''; '';
nginxUnsetAuthHeaders = '' nginxUnsetAuthHeaders = ''
proxy_set_header Remote-User ""; proxy_set_header ${config.mine.shared.lib.authelia.protectedHeaders.username} "";
proxy_set_header Remote-Groups ""; proxy_set_header ${config.mine.shared.lib.authelia.protectedHeaders.groups} "";
proxy_set_header Remote-Email ""; proxy_set_header ${config.mine.shared.lib.authelia.protectedHeaders.email} "";
proxy_set_header Remote-Name ""; proxy_set_header ${config.mine.shared.lib.authelia.protectedHeaders.name} "";
''; '';
in { in {
mine.shared.lib.authelia.mkProtectedWebsite = websiteConfig: lib.recursiveUpdate websiteConfig { mine.shared.lib.authelia.mkProtectedWebsite = websiteConfig: lib.recursiveUpdate websiteConfig {
@ -91,4 +91,11 @@ in {
mine.shared.lib.authelia.mkProtectedLocation = vhostLocationConfig: lib.recursiveUpdate vhostLocationConfig { mine.shared.lib.authelia.mkProtectedLocation = vhostLocationConfig: lib.recursiveUpdate vhostLocationConfig {
extraConfig = (lib.attrByPath [ "extraConfig" ] "" vhostLocationConfig) + "\n" + "include ${autheliaRequest};"; extraConfig = (lib.attrByPath [ "extraConfig" ] "" vhostLocationConfig) + "\n" + "include ${autheliaRequest};";
}; };
mine.shared.lib.authelia.protectedHeaders = {
username = "Remote-User";
groups = "Remote-Groups"; # comma separated string of groups
email = "Remote-Email";
name = "Remote-Name";
};
} }
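Review bot: The new protectedHeaders set names the headers nginx hands to protected backends, but the `auth_request_set` lines above it still read Authelia's fixed upstream names (`$upstream_http_remote_email` and presumably its siblings), so changing a value here renames only the downstream header and nothing else; the set should carry a comment saying so, e.g. `# Header names handed to protected backends (set in autheliaRequest, cleared in nginxUnsetAuthHeaders); the $upstream_http_remote_* variables are Authelia's own names and do not follow these values.` Whether `mine.shared.lib.authelia.protectedHeaders` has a matching option declaration is not visible in this hunk.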


@ -8,6 +8,7 @@ import argparse
import logging import logging
import json import json
import sys import sys
import os
logging.basicConfig() logging.basicConfig()
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
@ -94,10 +95,10 @@ def extract_secrets() -> dict[str, str]:
def index(): def index():
# extract user information # extract user information
user_info = { user_info = {
"username": request.headers.get("Remote-User"), "username": request.headers.get(os.environ.get("AUTH_PROXY_USERNAME")),
"name": request.headers.get("Remote-Name"), "name": request.headers.get(os.environ.get("AUTH_PROXY_NAME")),
"groups": request.headers.get("Remote-Groups"), "groups": request.headers.get(os.environ.get("AUTH_PROXY_GROUPS")),
"email": request.headers.get("Remote-Email"), "email": request.headers.get(os.environ.get("AUTH_PROXY_EMAIL")),
} }
tmpl_firstpass = render_template_string( tmpl_firstpass = render_template_string(
tmpl_index, tmpl_index,
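Review bot: If any AUTH_PROXY_* variable is unset, `os.environ.get` returns None and `request.headers.get(None)` silently yields None, so a misconfigured deployment serves index() with every user_info field empty instead of failing. Read the four header names once at import time with `os.environ["AUTH_PROXY_USERNAME"]` (and likewise for the other three) so a missing variable raises at startup rather than degrading per request; resolving them at module level also avoids four environment lookups on every request. The body of index() continues past the end of the hunk.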


@ -9,6 +9,14 @@ in {
description = "members area website"; description = "members area website";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "networking.target" ]; after = [ "networking.target" ];
environment = {
AUTH_PROXY_USERNAME = config.mine.shared.lib.authelia.protectedHeaders.username;
AUTH_PROXY_GROUPS = config.mine.shared.lib.authelia.protectedHeaders.groups;
AUTH_PROXY_EMAIL = config.mine.shared.lib.authelia.protectedHeaders.email;
AUTH_PROXY_NAME = config.mine.shared.lib.authelia.protectedHeaders.name;
};
serviceConfig = { serviceConfig = {
ExecStart = let ExecStart = let
pythonEnv = pkgs.python3.withPackages(ps: with ps; [ flask ]); pythonEnv = pkgs.python3.withPackages(ps: with ps; [ flask ]);
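Review bot: The four environment entries each spell out the full `config.mine.shared.lib.authelia.protectedHeaders` path; binding it once keeps the block readable and makes a future header a one-line addition, e.g. `environment = let h = config.mine.shared.lib.authelia.protectedHeaders; in { AUTH_PROXY_USERNAME = h.username; ... };`. The variable names must stay in step with the `os.environ` lookups in the Flask app changed in the same commit, which nothing here enforces; a comment naming that coupling, such as `# read by the members-area app via os.environ; keep names in sync`, would help the next maintainer.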


@ -20,7 +20,7 @@ in {
# use auth proxy # use auth proxy
# TODO: This should be configureable # TODO: This should be configureable
AUTH_PROXY_HEADER = "Remote-User"; AUTH_PROXY_HEADER = config.mine.shared.lib.authelia.protectedHeaders.username;
AUTH_PROXY_USER_CREATION = "true"; AUTH_PROXY_USER_CREATION = "true";
}; };
}; };
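Review bot: The `# TODO: This should be configureable` comment two lines above now describes only `AUTH_PROXY_USER_CREATION`, since the header name is taken from the shared attribute set; narrow it, e.g. `# TODO: AUTH_PROXY_USER_CREATION should be configurable`, so the next reader does not look for a hard-coded header here. The header is only trustworthy while this service is reachable solely through the nginx locations that set or clear it, which this hunk does not show.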