avoid some impossible states in authelia and nginx

2023-11-30 22:49:34 -08:00 · 2023-11-30 22:49:34 -08:00 · 0014e5c2f7
commit 0014e5c2f7
parent 76e27ae7eb
4 changed files with 87 additions and 13 deletions
--- a/flake.nix
+++ b/flake.nix
@ -108,6 +108,7 @@
                mergeTests (importFiles [
                  ./test/modules/arr.nix
                  ./test/modules/davfs.nix
+                  ./test/modules/nginx.nix
                  ./test/modules/postgresql.nix
                ]);
            };
--- a/modules/blocks/authelia.nix
+++ b/modules/blocks/authelia.nix
@ -36,17 +36,9 @@ in
    };

    autheliaUser = lib.mkOption {
-      type = lib.types.nullOr lib.types.str;
-      description = ''System user for this Authelia instance.
-
-If set to null, defaults to:
-<programlisting language="nix">
-"authelia_" +
-  (builtins.replaceStrings ["-" "."] ["_" "_"]
-    ''${shb.authelia.subdomain}.''${shb.authelia.domain}")
-</programlisting>
-'';
-      default = null;
+      type = lib.types.str;
+      description = "System user for this Authelia instance.";
+      default = "authelia";
    };

    secrets = lib.mkOption {
@ -120,7 +112,7 @@ If set to null, defaults to:

    services.authelia.instances.${fqdn} = {
      enable = true;
-      user = cfg.autheliaUser or "authelia_" + builtins.replaceStrings ["-" "."] ["_" "_"] fqdn;
+      user = cfg.autheliaUser;

      secrets = {
        inherit (cfg.secrets) jwtSecretFile storageEncryptionKeyFile;
--- a/modules/blocks/nginx.nix
+++ b/modules/blocks/nginx.nix
@ -20,7 +20,7 @@ let
      };

      authEndpoint = lib.mkOption {
-        type = lib.types.nullOr lib.types.str;
+        type = lib.types.str;
        description = "Auth endpoint for SSO.";
        default = null;
        example = "https://authelia.example.com";
--- a/test/modules/nginx.nix
+++ b/test/modules/nginx.nix
@ -0,0 +1,81 @@
+{ pkgs, lib, ... }:
+let
+  anyOpt = default: lib.mkOption {
+    type = lib.types.anything;
+    inherit default;
+  };
+
+  testConfig = m:
+    let
+      cfg = (lib.evalModules {
+        specialArgs = { inherit pkgs; };
+        modules = [
+          {
+            options = {
+              assertions = anyOpt [];
+              networking = anyOpt {};
+              security = anyOpt {};
+              services = anyOpt {};
+              shb.authelia = anyOpt {};
+              shb.backup = anyOpt {};
+              shb.ssl = anyOpt {};
+            };
+          }
+          ../../modules/blocks/nginx.nix
+          m
+        ];
+      }).config;
+    in lib.attrsets.filterAttrsRecursive (n: v: n != "extraConfig") {
+      inherit (cfg) services;
+      shb = { inherit (cfg.shb) backup nginx; };
+    };
+in
+{
+  testNoOptions = {
+    expected = {
+      shb.backup = {};
+      shb.nginx = {
+        accessLog = false;
+        autheliaProtect = [];
+        debugLog = false;
+      };
+      services.nginx.enable = true;
+    };
+    expr = testConfig {};
+  };
+
+  testAuth = {
+    expected = {
+      shb.backup = {};
+      shb.nginx = {
+        accessLog = false;
+        autheliaProtect = [{
+          authEndpoint = "hello";
+          autheliaRules = [{}];
+          subdomain = "my";
+          domain = "example.com";
+          upstream = "http://127.0.0.1:1234";
+        }];
+        debugLog = false;
+      };
+      services.nginx.enable = true;
+      services.nginx.virtualHosts."my.example.com" = {
+        forceSSL = true;
+        locations."/" = {};
+        locations."/authelia" = {};
+        sslCertificate = "/var/lib/acme/example.com/cert.pem";
+        sslCertificateKey = "/var/lib/acme/example.com/key.pem";
+      };
+    };
+    expr = testConfig {
+      shb.ssl.enable = true;
+      shb.nginx.autheliaProtect = [{
+        subdomain = "my";
+        domain = "example.com";
+        upstream = "http://127.0.0.1:1234";
+        authEndpoint = "hello";
+        autheliaRules = [{}];
+      }];
+    };
+  };
+}