From ccf73d7f82130552120237082d06dde01723fa77 Mon Sep 17 00:00:00 2001 From: uttarayan21 Date: Sat, 2 Aug 2025 04:34:32 +0530 Subject: [PATCH] feat: Use import auth for caddy --- nixos/mirai/services/authelia.nix | 12 +--- nixos/mirai/services/caddy.nix | 8 +++ nixos/mirai/services/excalidraw.nix | 5 +- nixos/mirai/services/gitea.nix | 5 +- nixos/mirai/services/grafana.nix | 5 +- nixos/mirai/services/homepage.nix | 5 +- nixos/mirai/services/llama.nix | 5 +- nixos/mirai/services/navidrome.nix | 5 +- nixos/mirai/services/nextcloud.nix | 107 ++++++++++++++-------------- nixos/mirai/services/paperless.nix | 5 +- nixos/mirai/services/seafile.nix | 6 +- nixos/mirai/services/vscode.nix | 5 +- nixos/tsuba/services/caddy.nix | 23 ++++-- 13 files changed, 93 insertions(+), 103 deletions(-) diff --git a/nixos/mirai/services/authelia.nix b/nixos/mirai/services/authelia.nix index 349749c3..9bbfd1fc 100644 --- a/nixos/mirai/services/authelia.nix +++ b/nixos/mirai/services/authelia.nix @@ -45,14 +45,14 @@ rules = let bypass_api = domain: [ { - domain = domain; + inherit domain; policy = "bypass"; resources = [ "^/api([/?].*)?$" ]; } { - domain = domain; + inherit domain; policy = "one_factor"; } ]; @@ -61,13 +61,7 @@ ++ (bypass_api "radarr.tsuba.darksailor.dev") ++ (bypass_api "lidarr.tsuba.darksailor.dev") ++ (bypass_api "bazarr.tsuba.darksailor.dev") - ++ (bypass_api "prowlarr.tsuba.darksailor.dev") - ++ [ - { - domain = "llama.ryu.darksailor.dev"; - policy = "one_factor"; - } - ]; + ++ (bypass_api "prowlarr.tsuba.darksailor.dev"); }; storage = { local = { diff --git a/nixos/mirai/services/caddy.nix b/nixos/mirai/services/caddy.nix index 027404ee..ec9add9e 100644 --- a/nixos/mirai/services/caddy.nix +++ b/nixos/mirai/services/caddy.nix 
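Review bot: Removing the `llama.ryu.darksailor.dev` one_factor rule in the second authelia.nix hunk makes requests for that domain fall through to the instance's `default_policy`, which is not in this diff; if that default is `bypass` the host ends up unauthenticated, if `deny` it becomes unreachable, so the removal deserves a check against it. The llama.nix hunk later in this patch serves `llama.darksailor.dev`, not `llama.ryu.darksailor.dev`, so the rule looks stale rather than still needed, but that is inferred. If the host is gone, a short note in the commit message saying so would stop the next reader hunting for its replacement rule.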
@@ -2,6 +2,14 @@ services = { caddy = { enable = true; + extraConfig = '' + (auth) { + forward_auth localhost:5555 { + uri /api/authz/forward-auth?authelia_url=https://auth.darksailor.dev + copy_headers Remote-User Remote-Groups Remote-Name Remote-Email + } + } + ''; }; }; } diff --git a/nixos/mirai/services/excalidraw.nix b/nixos/mirai/services/excalidraw.nix index 180f630b..08fb46fd 100644 --- a/nixos/mirai/services/excalidraw.nix +++ b/nixos/mirai/services/excalidraw.nix @@ -10,10 +10,7 @@ }; }; services.caddy.virtualHosts."draw.darksailor.dev".extraConfig = '' - forward_auth localhost:5555 { - uri /api/authz/forward-auth - copy_headers Remote-User Remote-Groups Remote-Email Remote-Name - } + import auth reverse_proxy localhost:5959 ''; services.authelia = { diff --git a/nixos/mirai/services/gitea.nix b/nixos/mirai/services/gitea.nix index 926a0496..0705787b 100644 --- a/nixos/mirai/services/gitea.nix +++ b/nixos/mirai/services/gitea.nix @@ -49,10 +49,7 @@ }; caddy = { virtualHosts."git.darksailor.dev".extraConfig = '' - forward_auth localhost:5555 { - uri /api/authz/forward-auth - copy_headers Remote-User Remote-Groups Remote-Email Remote-Name - } + import auth reverse_proxy localhost:3000 ''; }; diff --git a/nixos/mirai/services/grafana.nix b/nixos/mirai/services/grafana.nix index 94e3f702..16c7bb60 100644 --- a/nixos/mirai/services/grafana.nix +++ b/nixos/mirai/services/grafana.nix @@ -17,10 +17,7 @@ # }; caddy = { virtualHosts."grafana.darksailor.dev".extraConfig = '' - forward_auth localhost:5555 { - uri /api/authz/forward-auth - copy_headers Remote-User Remote-Groups Remote-Email Remote-Name - } + import auth reverse_proxy localhost:${builtins.toString config.services.grafana.settings.server.http_port} ''; }; diff --git a/nixos/mirai/services/homepage.nix b/nixos/mirai/services/homepage.nix index 79477ccf..01d3225a 100644 --- a/nixos/mirai/services/homepage.nix +++ b/nixos/mirai/services/homepage.nix 
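Review bot: The `(auth)` snippet's `copy_headers Remote-User Remote-Groups Remote-Name Remote-Email` is the only thing that sets the identity headers the backends read, and on any route Authelia answers with a `bypass` policy (the `^/api` resources in authelia.nix earlier in this patch are one example) the auth response carries none of them; whether a `Remote-User` header sent by the client then reaches the backend unchanged depends on the Caddy version (recent releases, as far as I recall, delete a copied header the auth response omits — confirm for the pinned version). Since this is now the single shared definition, it is the right place to record that expectation, e.g. `# identity headers come only from Authelia's response; confirm this Caddy version drops client-sent Remote-* when the response omits them`. Note also that this is not a pure extraction: the old per-host blocks used `uri /api/authz/forward-auth` and the snippet appends `?authelia_url=https://auth.darksailor.dev`, which changes the redirect behaviour for unauthenticated requests, so it deserves a mention in the commit message.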
@@ -166,10 +166,7 @@ }; caddy = { virtualHosts."dashboard.darksailor.dev".extraConfig = '' - forward_auth localhost:5555 { - uri /api/authz/forward-auth - copy_headers Remote-User Remote-Groups Remote-Email Remote-Name - } + import auth reverse_proxy localhost:${builtins.toString config.services.homepage-dashboard.listenPort} ''; }; diff --git a/nixos/mirai/services/llama.nix b/nixos/mirai/services/llama.nix index ed18d157..e38ae71a 100644 --- a/nixos/mirai/services/llama.nix +++ b/nixos/mirai/services/llama.nix @@ -45,10 +45,7 @@ caddy = { virtualHosts."llama.darksailor.dev".extraConfig = '' - forward_auth localhost:5555 { - uri /api/authz/forward-auth - copy_headers Remote-User Remote-Groups Remote-Email Remote-Name - } + import auth reverse_proxy localhost:${builtins.toString config.services.open-webui.port} ''; virtualHosts."ollama.darksailor.dev".extraConfig = '' diff --git a/nixos/mirai/services/navidrome.nix b/nixos/mirai/services/navidrome.nix index 0bc48634..394bf372 100644 --- a/nixos/mirai/services/navidrome.nix +++ b/nixos/mirai/services/navidrome.nix @@ -10,10 +10,7 @@ }; caddy = { virtualHosts."music.darksailor.dev".extraConfig = '' - forward_auth localhost:5555 { - uri /api/authz/forward-auth - copy_headers Remote-User Remote-Groups Remote-Email Remote-Name - } + import auth reverse_proxy localhost:4533 ''; }; diff --git a/nixos/mirai/services/nextcloud.nix b/nixos/mirai/services/nextcloud.nix index e0cefadc..7b2ced1b 100644 --- a/nixos/mirai/services/nextcloud.nix +++ b/nixos/mirai/services/nextcloud.nix @@ -5,7 +5,7 @@ }: { sops = { secrets."nextcloud/adminpass".owner = config.users.users.nextcloud.name; - secrets."authelia/oidc/nextcloud/client_id".owner = config.users.users.nextcloud.name; + # secrets."authelia/oidc/nextcloud/client_id".owner = config.users.users.nextcloud.name; secrets."authelia/oidc/nextcloud/client_secret".owner = config.users.users.nextcloud.name; }; imports = [ 
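Review bot: In the nextcloud.nix `sops` hunk only the `client_id` owner line is commented out while `secrets."authelia/oidc/nextcloud/client_secret".owner = config.users.users.nextcloud.name;` stays, yet the only visible consumer of that secret, the OIDC client block in the following nextcloud.nix hunk, is commented out in the same commit, so the decrypted secret keeps being provisioned with nextcloud ownership for no reader. If the OIDC integration is meant to come back, gating both secret declarations and the client block behind one option with `lib.mkIf` keeps them in sync; otherwise remove both owner lines rather than leaving one of them. Whether anything outside this diff still references the secret is not visible here.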
@@ -47,57 +47,58 @@ # port = 8080; # NOT an exposed port # } # ]; - authelia.instances.darksailor = { - settings = { - definitions = { - user_attributes = { - is_nextcloud_admin = { - expression = ''"nextcloud-admins" in groups"''; - }; - }; - }; - identity_providers = { - oidc = { - claims_policies = { - custom_claims = { - is_nextcloud_admin = {}; - }; - }; - scopes = { - nextcloud_userinfo = { - claims = ["is_nextcloud_admin"]; - }; - }; - clients = [ - { - client_name = "Nextcloud"; - client_id = "nextcloud"; - client_secret = ''{{ secret "${config.sops.secrets."authelia/oidc/nextcloud/client_secret".path}" }}''; - public = false; - authorization_policy = "one_factor"; - require_pkce = true; - pkce_challenge_method = "S256"; - claims_policy = "nextcloud_userinfo"; - redirect_uris = [ - "https://cloud.darksailor.dev/apps/oidc_login/oidc" - ]; - scopes = [ - "openid" - "profile" - "email" - "groups" - "nextcloud_userinfo" - ]; - response_types = ["code"]; - grant_types = ["authorization_code"]; - # access_token_signed_response_alg = "none"; - userinfo_signed_response_alg = "none"; - token_endpoint_auth_method = "client_secret_basic"; - } - ]; - }; - }; - }; - }; + + # authelia.instances.darksailor = { + # settings = { + # definitions = { + # user_attributes = { + # is_nextcloud_admin = { + # expression = ''"nextcloud-admins" in groups"''; + # }; + # }; + # }; + # identity_providers = { + # oidc = { + # claims_policies = { + # custom_claims = { + # is_nextcloud_admin = {}; + # }; + # }; + # scopes = { + # nextcloud_userinfo = { + # claims = ["is_nextcloud_admin"]; + # }; + # }; + # clients = [ + # { + # client_name = "Nextcloud"; + # client_id = "nextcloud"; + # client_secret = ''{{ secret "${config.sops.secrets."authelia/oidc/nextcloud/client_secret".path}" }}''; + # public = false; + # authorization_policy = "one_factor"; + # require_pkce = true; + # pkce_challenge_method = "S256"; + # claims_policy = "nextcloud_userinfo"; + # redirect_uris = [ + # 
"https://cloud.darksailor.dev/apps/oidc_login/oidc" + # ]; + # scopes = [ + # "openid" + # "profile" + # "email" + # "groups" + # "nextcloud_userinfo" + # ]; + # response_types = ["code"]; + # grant_types = ["authorization_code"]; + # # access_token_signed_response_alg = "none"; + # userinfo_signed_response_alg = "none"; + # token_endpoint_auth_method = "client_secret_basic"; + # } + # ]; + # }; + # }; + # }; + # }; }; } diff --git a/nixos/mirai/services/paperless.nix b/nixos/mirai/services/paperless.nix index 9ed6ff7d..0d5bad47 100644 --- a/nixos/mirai/services/paperless.nix +++ b/nixos/mirai/services/paperless.nix @@ -18,10 +18,7 @@ }; caddy = { virtualHosts."paperless.darksailor.dev".extraConfig = '' - forward_auth localhost:5555 { - uri /api/authz/forward-auth - copy_headers Remote-User Remote-Groups Remote-Email Remote-Name - } + import auth reverse_proxy localhost:28981 ''; }; diff --git a/nixos/mirai/services/seafile.nix b/nixos/mirai/services/seafile.nix index d5621339..ba72606a 100644 --- a/nixos/mirai/services/seafile.nix +++ b/nixos/mirai/services/seafile.nix @@ -37,11 +37,7 @@ }; caddy = { virtualHosts."cloud.darksailor.dev".extraConfig = '' - forward_auth localhost:5555 { - uri /api/authz/forward-auth - copy_headers Remote-User Remote-Groups Remote-Email Remote-Name - } - + import auth reverse_proxy unix//run/seahub/gunicorn.sock ''; }; diff --git a/nixos/mirai/services/vscode.nix b/nixos/mirai/services/vscode.nix index 3adb07d2..d37c9d83 100644 --- a/nixos/mirai/services/vscode.nix +++ b/nixos/mirai/services/vscode.nix @@ -9,10 +9,7 @@ }; caddy = { virtualHosts."code.darksailor.dev".extraConfig = '' - forward_auth localhost:5555 { - uri /api/authz/forward-auth - copy_headers Remote-User Remote-Groups Remote-Email Remote-Name - } + import auth reverse_proxy localhost:3000 ''; }; diff --git a/nixos/tsuba/services/caddy.nix b/nixos/tsuba/services/caddy.nix index e5be757f..99ead64e 100644 --- a/nixos/tsuba/services/caddy.nix 
+++ b/nixos/tsuba/services/caddy.nix @@ -12,6 +12,11 @@ }; }; services = { + tailscaleAuth = { + enable = true; + user = config.services.caddy.user; + group = config.services.caddy.group; + }; caddy = { enable = true; extraConfig = '' @@ -24,10 +29,20 @@ } } (auth) { - forward_auth auth.darksailor.dev { - uri /api/authz/forward_auth?rd=https://auth.darksailor.dev - copy_headers Remote-User Remote-Groups Remote-Name Remote-Email - } + forward_auth unix/${config.services.tailscaleAuth.socketPath} { + uri /auth + header_up Remote-Addr {remote_host} + header_up Remote-Port {remote_port} + header_up Original-URI {uri} + copy_headers { + Tailscale-User>X-Webauth-User + Tailscale-Name>X-Webauth-Name + Tailscale-Login>X-Webauth-Login + Tailscale-Tailnet>X-Webauth-Tailnet + Tailscale-Profile-Picture>X-Webauth-Profile-Picture + } + } + } ''; package = pkgs.caddy.withPlugins {
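Review bot: `services.tailscaleAuth` is enabled with caddy's `user`/`group` and no comment on why; the reason appears to be socket access for the `(auth)` snippet that the next hunk repoints at `unix/${config.services.tailscaleAuth.socketPath}`, and that hunk runs past the end of the visible diff. A line such as `# run as the caddy user so the forward_auth socket is reachable from the (auth) snippet` would make the coupling explicit. Separately, the repointed snippet emits `X-Webauth-*` headers where the Authelia one emitted `Remote-*`, and no tsuba service file in the diffstat is touched, so any backend on tsuba that read `Remote-User` for header-based login presumably needs its own change — worth confirming.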