feat: Use import auth for caddy

uttarayan21
2025-08-02 04:34:32 +05:30
parent 1a5d5a24da
commit ccf73d7f82
13 changed files with 93 additions and 103 deletions


@@ -45,14 +45,14 @@
rules = let rules = let
bypass_api = domain: [ bypass_api = domain: [
{ {
domain = domain; inherit domain;
policy = "bypass"; policy = "bypass";
resources = [ resources = [
"^/api([/?].*)?$" "^/api([/?].*)?$"
]; ];
} }
{ {
domain = domain; inherit domain;
policy = "one_factor"; policy = "one_factor";
} }
]; ];
@@ -61,13 +61,7 @@
++ (bypass_api "radarr.tsuba.darksailor.dev") ++ (bypass_api "radarr.tsuba.darksailor.dev")
++ (bypass_api "lidarr.tsuba.darksailor.dev") ++ (bypass_api "lidarr.tsuba.darksailor.dev")
++ (bypass_api "bazarr.tsuba.darksailor.dev") ++ (bypass_api "bazarr.tsuba.darksailor.dev")
++ (bypass_api "prowlarr.tsuba.darksailor.dev") ++ (bypass_api "prowlarr.tsuba.darksailor.dev");
++ [
{
domain = "llama.ryu.darksailor.dev";
policy = "one_factor";
}
];
}; };
storage = { storage = {
local = { local = {
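Review bot: Dropping the explicit `one_factor` rule for `llama.ryu.darksailor.dev` in the second hunk leaves that domain governed by Authelia's `default_policy`, which is outside this hunk; if that default is `deny`, requests for the host that still reach Authelia are refused, and if it is anything looser the host loses its enforced factor. The last file in this commit switches a Caddy `(auth)` snippet to tailscaleAuth, which suggests the host is meant to be gated elsewhere now, but nothing in the rules file records that. Suggest a comment next to the `bypass_api` concatenation: `# llama.ryu.* is gated by tailscaleAuth in its host's caddy config, not by Authelia`. The `inherit domain;` rewrites in the first hunk are behaviour-neutral.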


@@ -2,6 +2,14 @@
services = { services = {
caddy = { caddy = {
enable = true; enable = true;
extraConfig = ''
(auth) {
forward_auth localhost:5555 {
uri /api/authz/forward-auth?authelia_url=https://auth.darksailor.dev
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}
}
'';
}; };
}; };
} }
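Review bot: The new `(auth)` snippet hardcodes `authelia_url=https://auth.darksailor.dev` in its `uri`, whereas the per-host `forward_auth` blocks it replaces elsewhere in this commit called `/api/authz/forward-auth` with no query string, so the redirect target for an unauthenticated request is now fixed in the Caddyfile for every site that does `import auth` — presumably intended, but undocumented. The snippet also states nothing about its contract; suggest a Caddyfile comment inside the block: `# Authelia forward-auth; every protected virtualHost must 'import auth', and backends must treat the Remote-* headers set here as the only trusted identity source`. Note that the last file in this commit defines a snippet with the same name but a different authenticator and different identity headers (`X-Webauth-*`); if both `extraConfig`s were ever applied to one host the two definitions would conflict.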


@@ -10,10 +10,7 @@
}; };
}; };
services.caddy.virtualHosts."draw.darksailor.dev".extraConfig = '' services.caddy.virtualHosts."draw.darksailor.dev".extraConfig = ''
forward_auth localhost:5555 { import auth
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
reverse_proxy localhost:5959 reverse_proxy localhost:5959
''; '';
services.authelia = { services.authelia = {
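Review bot: `import auth` now depends on a `(auth)` snippet being defined in the same host's `services.caddy.extraConfig`, and this commit defines two such snippets in different files with different semantics (Authelia emitting `Remote-*` headers, tailscaleAuth emitting `X-Webauth-*`); which one a given virtualHost gets, and therefore which header name the backend must trust, is no longer visible in this module. The same applies to the git, grafana, dashboard, llama, music, paperless, cloud and code sections of this commit. A one-line Caddyfile comment above the import would record the dependency: `# forward_auth via the (auth) snippet from this host's services.caddy.extraConfig`.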


@@ -49,10 +49,7 @@
}; };
caddy = { caddy = {
virtualHosts."git.darksailor.dev".extraConfig = '' virtualHosts."git.darksailor.dev".extraConfig = ''
forward_auth localhost:5555 { import auth
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
reverse_proxy localhost:3000 reverse_proxy localhost:3000
''; '';
}; };


@@ -17,10 +17,7 @@
# }; # };
caddy = { caddy = {
virtualHosts."grafana.darksailor.dev".extraConfig = '' virtualHosts."grafana.darksailor.dev".extraConfig = ''
forward_auth localhost:5555 { import auth
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
reverse_proxy localhost:${builtins.toString config.services.grafana.settings.server.http_port} reverse_proxy localhost:${builtins.toString config.services.grafana.settings.server.http_port}
''; '';
}; };


@@ -166,10 +166,7 @@
}; };
caddy = { caddy = {
virtualHosts."dashboard.darksailor.dev".extraConfig = '' virtualHosts."dashboard.darksailor.dev".extraConfig = ''
forward_auth localhost:5555 { import auth
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
reverse_proxy localhost:${builtins.toString config.services.homepage-dashboard.listenPort} reverse_proxy localhost:${builtins.toString config.services.homepage-dashboard.listenPort}
''; '';
}; };


@@ -45,10 +45,7 @@
caddy = { caddy = {
virtualHosts."llama.darksailor.dev".extraConfig = '' virtualHosts."llama.darksailor.dev".extraConfig = ''
forward_auth localhost:5555 { import auth
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
reverse_proxy localhost:${builtins.toString config.services.open-webui.port} reverse_proxy localhost:${builtins.toString config.services.open-webui.port}
''; '';
virtualHosts."ollama.darksailor.dev".extraConfig = '' virtualHosts."ollama.darksailor.dev".extraConfig = ''


@@ -10,10 +10,7 @@
}; };
caddy = { caddy = {
virtualHosts."music.darksailor.dev".extraConfig = '' virtualHosts."music.darksailor.dev".extraConfig = ''
forward_auth localhost:5555 { import auth
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
reverse_proxy localhost:4533 reverse_proxy localhost:4533
''; '';
}; };


@@ -5,7 +5,7 @@
}: { }: {
sops = { sops = {
secrets."nextcloud/adminpass".owner = config.users.users.nextcloud.name; secrets."nextcloud/adminpass".owner = config.users.users.nextcloud.name;
secrets."authelia/oidc/nextcloud/client_id".owner = config.users.users.nextcloud.name; # secrets."authelia/oidc/nextcloud/client_id".owner = config.users.users.nextcloud.name;
secrets."authelia/oidc/nextcloud/client_secret".owner = config.users.users.nextcloud.name; secrets."authelia/oidc/nextcloud/client_secret".owner = config.users.users.nextcloud.name;
}; };
imports = [ imports = [
@@ -47,57 +47,58 @@
# port = 8080; # NOT an exposed port # port = 8080; # NOT an exposed port
# } # }
# ]; # ];
authelia.instances.darksailor = {
settings = { # authelia.instances.darksailor = {
definitions = { # settings = {
user_attributes = { # definitions = {
is_nextcloud_admin = { # user_attributes = {
expression = ''"nextcloud-admins" in groups"''; # is_nextcloud_admin = {
}; # expression = ''"nextcloud-admins" in groups"'';
}; # };
}; # };
identity_providers = { # };
oidc = { # identity_providers = {
claims_policies = { # oidc = {
custom_claims = { # claims_policies = {
is_nextcloud_admin = {}; # custom_claims = {
}; # is_nextcloud_admin = {};
}; # };
scopes = { # };
nextcloud_userinfo = { # scopes = {
claims = ["is_nextcloud_admin"]; # nextcloud_userinfo = {
}; # claims = ["is_nextcloud_admin"];
}; # };
clients = [ # };
{ # clients = [
client_name = "Nextcloud"; # {
client_id = "nextcloud"; # client_name = "Nextcloud";
client_secret = ''{{ secret "${config.sops.secrets."authelia/oidc/nextcloud/client_secret".path}" }}''; # client_id = "nextcloud";
public = false; # client_secret = ''{{ secret "${config.sops.secrets."authelia/oidc/nextcloud/client_secret".path}" }}'';
authorization_policy = "one_factor"; # public = false;
require_pkce = true; # authorization_policy = "one_factor";
pkce_challenge_method = "S256"; # require_pkce = true;
claims_policy = "nextcloud_userinfo"; # pkce_challenge_method = "S256";
redirect_uris = [ # claims_policy = "nextcloud_userinfo";
"https://cloud.darksailor.dev/apps/oidc_login/oidc" # redirect_uris = [
]; # "https://cloud.darksailor.dev/apps/oidc_login/oidc"
scopes = [ # ];
"openid" # scopes = [
"profile" # "openid"
"email" # "profile"
"groups" # "email"
"nextcloud_userinfo" # "groups"
]; # "nextcloud_userinfo"
response_types = ["code"]; # ];
grant_types = ["authorization_code"]; # response_types = ["code"];
# access_token_signed_response_alg = "none"; # grant_types = ["authorization_code"];
userinfo_signed_response_alg = "none"; # # access_token_signed_response_alg = "none";
token_endpoint_auth_method = "client_secret_basic"; # userinfo_signed_response_alg = "none";
} # token_endpoint_auth_method = "client_secret_basic";
]; # }
}; # ];
}; # };
}; # };
}; # };
# };
}; };
} }
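Review bot: The `authelia/oidc/nextcloud/client_secret` sops entry in the first hunk keeps its `.owner` assignment while its only consumer, the Authelia OIDC client block, is commented out in the second hunk, so the secret is still decrypted onto the host and readable by the nextcloud user with nothing using it; comment it out alongside `client_id` or remove it until the client returns. Commenting out roughly fifty lines rather than deleting them leaves dead configuration in the file, and the commit message (`Use import auth for caddy`) says nothing about disabling Nextcloud OIDC — a short comment above the block stating why it is disabled and what re-enables it would help the next reader. If it is re-enabled, note that the retained `expression = ''"nextcloud-admins" in groups"''` carries an unbalanced trailing `"`.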


@@ -18,10 +18,7 @@
}; };
caddy = { caddy = {
virtualHosts."paperless.darksailor.dev".extraConfig = '' virtualHosts."paperless.darksailor.dev".extraConfig = ''
forward_auth localhost:5555 { import auth
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
reverse_proxy localhost:28981 reverse_proxy localhost:28981
''; '';
}; };


@@ -37,11 +37,7 @@
}; };
caddy = { caddy = {
virtualHosts."cloud.darksailor.dev".extraConfig = '' virtualHosts."cloud.darksailor.dev".extraConfig = ''
forward_auth localhost:5555 { import auth
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
reverse_proxy unix//run/seahub/gunicorn.sock reverse_proxy unix//run/seahub/gunicorn.sock
''; '';
}; };


@@ -9,10 +9,7 @@
}; };
caddy = { caddy = {
virtualHosts."code.darksailor.dev".extraConfig = '' virtualHosts."code.darksailor.dev".extraConfig = ''
forward_auth localhost:5555 { import auth
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
reverse_proxy localhost:3000 reverse_proxy localhost:3000
''; '';
}; };


@@ -12,6 +12,11 @@
}; };
}; };
services = { services = {
tailscaleAuth = {
enable = true;
user = config.services.caddy.user;
group = config.services.caddy.group;
};
caddy = { caddy = {
enable = true; enable = true;
extraConfig = '' extraConfig = ''
@@ -24,11 +29,21 @@
} }
} }
(auth) { (auth) {
forward_auth auth.darksailor.dev { forward_auth unix/${config.services.tailscaleAuth.socketPath} {
uri /api/authz/forward_auth?rd=https://auth.darksailor.dev uri /auth
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email header_up Remote-Addr {remote_host}
header_up Remote-Port {remote_port}
header_up Original-URI {uri}
copy_headers {
Tailscale-User>X-Webauth-User
Tailscale-Name>X-Webauth-Name
Tailscale-Login>X-Webauth-Login
Tailscale-Tailnet>X-Webauth-Tailnet
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
} }
} }
}
''; '';
package = pkgs.caddy.withPlugins { package = pkgs.caddy.withPlugins {
plugins = ["github.com/caddy-dns/hetzner@v1.0.0"]; plugins = ["github.com/caddy-dns/hetzner@v1.0.0"];
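Review bot: `copy_headers` renames the auth response's `Tailscale-*` fields to `X-Webauth-*` on the proxied request, but a request header is only replaced when the auth response actually carries the corresponding field; if the service ever answered 2xx without one of them, a client-supplied `X-Webauth-User` could reach the backend unchanged (unless Caddy clears the field on an empty value — worth confirming against the Caddy version in use). Clearing those fields on the inbound request in each site that does `import auth`, e.g. `request_header -X-Webauth-User` and its siblings, makes the backends' trust in them independent of that detail. This snippet also shares its name with the Authelia one earlier in this commit but emits `X-Webauth-*` rather than `Remote-*`, so any backend on this host that was reading `Remote-User` needs its header name updated. A comment above the `forward_auth` line noting that the socket is reachable only because `tailscaleAuth.user`/`group` are set to caddy's in the first hunk would tie the two hunks together.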