feat: Use import auth for caddy

2025-08-02 04:34:32 +05:30
parent 1a5d5a24da
commit ccf73d7f82
13 changed files with 93 additions and 103 deletions
--- a/nixos/mirai/services/authelia.nix
+++ b/nixos/mirai/services/authelia.nix
@@ -45,14 +45,14 @@
            rules = let
              bypass_api = domain: [
                {
-                  domain = domain;
+                  inherit domain;
                  policy = "bypass";
                  resources = [
                    "^/api([/?].*)?$"
                  ];
                }
                {
-                  domain = domain;
+                  inherit domain;
                  policy = "one_factor";
                }
              ];
@@ -61,13 +61,7 @@
              ++ (bypass_api "radarr.tsuba.darksailor.dev")
              ++ (bypass_api "lidarr.tsuba.darksailor.dev")
              ++ (bypass_api "bazarr.tsuba.darksailor.dev")
-              ++ (bypass_api "prowlarr.tsuba.darksailor.dev")
-              ++ [
-                {
-                  domain = "llama.ryu.darksailor.dev";
-                  policy = "one_factor";
-                }
-              ];
+              ++ (bypass_api "prowlarr.tsuba.darksailor.dev");
          };
          storage = {
            local = {
--- a/nixos/mirai/services/caddy.nix
+++ b/nixos/mirai/services/caddy.nix
@@ -2,6 +2,14 @@
  services = {
    caddy = {
      enable = true;
+      extraConfig = ''
+        (auth) {
+           forward_auth localhost:5555 {
+               uri /api/authz/forward-auth?authelia_url=https://auth.darksailor.dev
+               copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
+           }
+        }
+      '';
    };
  };
 }
--- a/nixos/mirai/services/excalidraw.nix
+++ b/nixos/mirai/services/excalidraw.nix
@@ -10,10 +10,7 @@
    };
  };
  services.caddy.virtualHosts."draw.darksailor.dev".extraConfig = ''
-    forward_auth localhost:5555 {
-        uri /api/authz/forward-auth
-        copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
-    }
+    import auth
    reverse_proxy localhost:5959
  '';
  services.authelia = {
--- a/nixos/mirai/services/gitea.nix
+++ b/nixos/mirai/services/gitea.nix
@@ -49,10 +49,7 @@
    };
    caddy = {
      virtualHosts."git.darksailor.dev".extraConfig = ''
-        forward_auth localhost:5555 {
-            uri /api/authz/forward-auth
-            copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
-        }
+        import auth
        reverse_proxy localhost:3000
      '';
    };
--- a/nixos/mirai/services/grafana.nix
+++ b/nixos/mirai/services/grafana.nix
@@ -17,10 +17,7 @@
    # };
    caddy = {
      virtualHosts."grafana.darksailor.dev".extraConfig = ''
-        forward_auth localhost:5555 {
-            uri /api/authz/forward-auth
-            copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
-        }
+        import auth
        reverse_proxy localhost:${builtins.toString config.services.grafana.settings.server.http_port}
      '';
    };
--- a/nixos/mirai/services/homepage.nix
+++ b/nixos/mirai/services/homepage.nix
@@ -166,10 +166,7 @@
    };
    caddy = {
      virtualHosts."dashboard.darksailor.dev".extraConfig = ''
-        forward_auth localhost:5555 {
-            uri /api/authz/forward-auth
-            copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
-        }
+        import auth
        reverse_proxy localhost:${builtins.toString config.services.homepage-dashboard.listenPort}
      '';
    };
--- a/nixos/mirai/services/llama.nix
+++ b/nixos/mirai/services/llama.nix
@@ -45,10 +45,7 @@

    caddy = {
      virtualHosts."llama.darksailor.dev".extraConfig = ''
-        forward_auth localhost:5555 {
-            uri /api/authz/forward-auth
-            copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
-        }
+        import auth
        reverse_proxy localhost:${builtins.toString config.services.open-webui.port}
      '';
      virtualHosts."ollama.darksailor.dev".extraConfig = ''
--- a/nixos/mirai/services/navidrome.nix
+++ b/nixos/mirai/services/navidrome.nix
@@ -10,10 +10,7 @@
    };
    caddy = {
      virtualHosts."music.darksailor.dev".extraConfig = ''
-        forward_auth localhost:5555 {
-            uri /api/authz/forward-auth
-            copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
-        }
+        import auth
        reverse_proxy localhost:4533
      '';
    };
--- a/nixos/mirai/services/nextcloud.nix
+++ b/nixos/mirai/services/nextcloud.nix
@@ -5,7 +5,7 @@
 }: {
  sops = {
    secrets."nextcloud/adminpass".owner = config.users.users.nextcloud.name;
-    secrets."authelia/oidc/nextcloud/client_id".owner = config.users.users.nextcloud.name;
+    # secrets."authelia/oidc/nextcloud/client_id".owner = config.users.users.nextcloud.name;
    secrets."authelia/oidc/nextcloud/client_secret".owner = config.users.users.nextcloud.name;
  };
  imports = [
@@ -47,57 +47,58 @@
    #     port = 8080; # NOT an exposed port
    #   }
    # ];
-    authelia.instances.darksailor = {
-      settings = {
-        definitions = {
-          user_attributes = {
-            is_nextcloud_admin = {
-              expression = ''"nextcloud-admins" in groups"'';
-            };
-          };
-        };
-        identity_providers = {
-          oidc = {
-            claims_policies = {
-              custom_claims = {
-                is_nextcloud_admin = {};
-              };
-            };
-            scopes = {
-              nextcloud_userinfo = {
-                claims = ["is_nextcloud_admin"];
-              };
-            };
-            clients = [
-              {
-                client_name = "Nextcloud";
-                client_id = "nextcloud";
-                client_secret = ''{{ secret "${config.sops.secrets."authelia/oidc/nextcloud/client_secret".path}" }}'';
-                public = false;
-                authorization_policy = "one_factor";
-                require_pkce = true;
-                pkce_challenge_method = "S256";
-                claims_policy = "nextcloud_userinfo";
-                redirect_uris = [
-                  "https://cloud.darksailor.dev/apps/oidc_login/oidc"
-                ];
-                scopes = [
-                  "openid"
-                  "profile"
-                  "email"
-                  "groups"
-                  "nextcloud_userinfo"
-                ];
-                response_types = ["code"];
-                grant_types = ["authorization_code"];
-                # access_token_signed_response_alg = "none";
-                userinfo_signed_response_alg = "none";
-                token_endpoint_auth_method = "client_secret_basic";
-              }
-            ];
-          };
-        };
-      };
-    };
+
+    # authelia.instances.darksailor = {
+    #   settings = {
+    #     definitions = {
+    #       user_attributes = {
+    #         is_nextcloud_admin = {
+    #           expression = ''"nextcloud-admins" in groups"'';
+    #         };
+    #       };
+    #     };
+    #     identity_providers = {
+    #       oidc = {
+    #         claims_policies = {
+    #           custom_claims = {
+    #             is_nextcloud_admin = {};
+    #           };
+    #         };
+    #         scopes = {
+    #           nextcloud_userinfo = {
+    #             claims = ["is_nextcloud_admin"];
+    #           };
+    #         };
+    #         clients = [
+    #           {
+    #             client_name = "Nextcloud";
+    #             client_id = "nextcloud";
+    #             client_secret = ''{{ secret "${config.sops.secrets."authelia/oidc/nextcloud/client_secret".path}" }}'';
+    #             public = false;
+    #             authorization_policy = "one_factor";
+    #             require_pkce = true;
+    #             pkce_challenge_method = "S256";
+    #             claims_policy = "nextcloud_userinfo";
+    #             redirect_uris = [
+    #               "https://cloud.darksailor.dev/apps/oidc_login/oidc"
+    #             ];
+    #             scopes = [
+    #               "openid"
+    #               "profile"
+    #               "email"
+    #               "groups"
+    #               "nextcloud_userinfo"
+    #             ];
+    #             response_types = ["code"];
+    #             grant_types = ["authorization_code"];
+    #             # access_token_signed_response_alg = "none";
+    #             userinfo_signed_response_alg = "none";
+    #             token_endpoint_auth_method = "client_secret_basic";
+    #           }
+    #         ];
+    #       };
+    #     };
+    #   };
+    # };
  };
 }
--- a/nixos/mirai/services/paperless.nix
+++ b/nixos/mirai/services/paperless.nix
@@ -18,10 +18,7 @@
    };
    caddy = {
      virtualHosts."paperless.darksailor.dev".extraConfig = ''
-        forward_auth localhost:5555 {
-            uri /api/authz/forward-auth
-            copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
-        }
+        import auth
        reverse_proxy localhost:28981
      '';
    };
--- a/nixos/mirai/services/seafile.nix
+++ b/nixos/mirai/services/seafile.nix
@@ -37,11 +37,7 @@
    };
    caddy = {
      virtualHosts."cloud.darksailor.dev".extraConfig = ''
-        forward_auth localhost:5555 {
-            uri /api/authz/forward-auth
-            copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
-        }
-
+        import auth
        reverse_proxy unix//run/seahub/gunicorn.sock
      '';
    };
--- a/nixos/mirai/services/vscode.nix
+++ b/nixos/mirai/services/vscode.nix
@@ -9,10 +9,7 @@
    };
    caddy = {
      virtualHosts."code.darksailor.dev".extraConfig = ''
-        forward_auth localhost:5555 {
-            uri /api/authz/forward-auth
-            copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
-        }
+        import auth
        reverse_proxy localhost:3000
      '';
    };
--- a/nixos/tsuba/services/caddy.nix
+++ b/nixos/tsuba/services/caddy.nix
@@ -12,6 +12,11 @@
    };
  };
  services = {
+    tailscaleAuth = {
+      enable = true;
+      user = config.services.caddy.user;
+      group = config.services.caddy.group;
+    };
    caddy = {
      enable = true;
      extraConfig = ''
@@ -24,10 +29,20 @@
            }
        }
        (auth) {
-           forward_auth auth.darksailor.dev {
-               uri /api/authz/forward_auth?rd=https://auth.darksailor.dev
-               copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
-           }
+           forward_auth unix/${config.services.tailscaleAuth.socketPath} {
+                uri /auth
+                header_up Remote-Addr {remote_host}
+                header_up Remote-Port {remote_port}
+                header_up Original-URI {uri}
+                copy_headers {
+                    Tailscale-User>X-Webauth-User
+                    Tailscale-Name>X-Webauth-Name
+                    Tailscale-Login>X-Webauth-Login
+                    Tailscale-Tailnet>X-Webauth-Tailnet
+                    Tailscale-Profile-Picture>X-Webauth-Profile-Picture
+                }
+            }
+
        }
      '';
      package = pkgs.caddy.withPlugins {