authelia.nginx: add auth proxy headers to shared info

machines/gerd/services/authelia/authelia-nginx.nix

@@ -51,10 +51,10 @@ let
     auth_request_set $email $upstream_http_remote_email;
     
     ## Inject the metadata response headers from the variables into the request made to the backend.
-    proxy_set_header Remote-User $user;
-    proxy_set_header Remote-Groups $groups;
-    proxy_set_header Remote-Email $email;
-    proxy_set_header Remote-Name $name;
+    proxy_set_header ${config.mine.shared.lib.authelia.protectedHeaders.username} $user;
+    proxy_set_header ${config.mine.shared.lib.authelia.protectedHeaders.groups} $groups;
+    proxy_set_header ${config.mine.shared.lib.authelia.protectedHeaders.email} $email;
+    proxy_set_header ${config.mine.shared.lib.authelia.protectedHeaders.name} $name;
     
     ## Configure the redirection when the authz failure occurs. Lines starting with 'Modern Method' and 'Legacy Method'
     ## should be commented / uncommented as pairs. The modern method uses the session cookies configuration's authelia_url
@@ -77,10 +77,10 @@ let
   '';
 
   nginxUnsetAuthHeaders = ''
-    proxy_set_header Remote-User "";
-    proxy_set_header Remote-Groups "";
-    proxy_set_header Remote-Email "";
-    proxy_set_header Remote-Name "";
+    proxy_set_header ${config.mine.shared.lib.authelia.protectedHeaders.username} "";
+    proxy_set_header ${config.mine.shared.lib.authelia.protectedHeaders.groups} "";
+    proxy_set_header ${config.mine.shared.lib.authelia.protectedHeaders.email} "";
+    proxy_set_header ${config.mine.shared.lib.authelia.protectedHeaders.name} "";
   '';
 in {
   mine.shared.lib.authelia.mkProtectedWebsite = websiteConfig: lib.recursiveUpdate websiteConfig {
@@ -91,4 +91,11 @@ in {
   mine.shared.lib.authelia.mkProtectedLocation = vhostLocationConfig: lib.recursiveUpdate vhostLocationConfig {
     extraConfig = (lib.attrByPath [ "extraConfig" ] "" vhostLocationConfig) + "\n" + "include ${autheliaRequest};";
   };
+
+  mine.shared.lib.authelia.protectedHeaders = {
+    username = "Remote-User";
+    groups = "Remote-Groups"; # comma separated string of groups
+    email = "Remote-Email";
+    name = "Remote-Name";
+  };
 }

machines/gerd/services/member-website/app.py

@@ -8,6 +8,7 @@ import argparse
 import logging
 import json
 import sys
+import os
 
 logging.basicConfig()
 logger = logging.getLogger(__name__)
@@ -94,10 +95,10 @@ def extract_secrets() -> dict[str, str]:
 def index():
     # extract user information
     user_info = {
-        "username": request.headers.get("Remote-User"),
-        "name": request.headers.get("Remote-Name"),
-        "groups": request.headers.get("Remote-Groups"),
-        "email": request.headers.get("Remote-Email"),
+        "username": request.headers.get(os.environ.get("AUTH_PROXY_USERNAME")),
+        "name": request.headers.get(os.environ.get("AUTH_PROXY_NAME")),
+        "groups": request.headers.get(os.environ.get("AUTH_PROXY_GROUPS")),
+        "email": request.headers.get(os.environ.get("AUTH_PROXY_EMAIL")),
     }
     tmpl_firstpass = render_template_string(
         tmpl_index,

machines/gerd/services/member-website/default.nix

@@ -9,6 +9,14 @@ in {
     description = "members area website";
     wantedBy = [ "multi-user.target" ];
     after = [ "networking.target" ];
+
+    environment = {
+      AUTH_PROXY_USERNAME = config.mine.shared.lib.authelia.protectedHeaders.username;
+      AUTH_PROXY_GROUPS = config.mine.shared.lib.authelia.protectedHeaders.groups;
+      AUTH_PROXY_EMAIL = config.mine.shared.lib.authelia.protectedHeaders.email;
+      AUTH_PROXY_NAME = config.mine.shared.lib.authelia.protectedHeaders.name;
+    };
+
     serviceConfig = {
       ExecStart = let
         pythonEnv = pkgs.python3.withPackages(ps: with ps; [ flask ]);

machines/gerd/services/miniflux.nix

@@ -20,7 +20,7 @@ in {
 
       # use auth proxy
       # TODO: This should be configureable
-      AUTH_PROXY_HEADER = "Remote-User";
+      AUTH_PROXY_HEADER = config.mine.shared.lib.authelia.protectedHeaders.username;
       AUTH_PROXY_USER_CREATION = "true";
     };
   };