Combine authelia client YAML's into one YAML file

- Fixes #126 - Generate a single oidc_clients.yaml to define all clients - `public` property of OIDC clients is now a bool (as it should be), not a string. - sed pattern changed to allow multiple replacements
2024-01-21 08:17:25 +01:00 · 2024-01-21 08:17:25 +01:00 · 8a5f4e3bf2
commit 8a5f4e3bf2
parent 05bec60392
3 changed files with 14 additions and 22 deletions
--- a/modules/blocks/authelia.nix
+++ b/modules/blocks/authelia.nix
@ -12,13 +12,12 @@ let
  template = file: newPath: replacements:
    let
      templatePath = newPath + ".template";
-
-      sedPatterns = lib.strings.concatStringsSep " " (lib.attrsets.mapAttrsToList (from: to: "\"s|${from}|${to}|\"") replacements);
+      sedPatterns = lib.strings.concatStringsSep ";" (lib.attrsets.mapAttrsToList (from: to: "s|${from}|${to}|") replacements);
    in
      ''
      ln -fs ${file} ${templatePath}
      rm ${newPath} || :
-      sed ${sedPatterns} ${templatePath} > ${newPath}
+      sed "${sedPatterns}" ${templatePath} > ${newPath}
      '';
 in
 {
@ -277,28 +276,21 @@ in
        };
      };

-      settingsFiles = map (client: "/var/lib/authelia-${fqdn}/oidc_client_${client.id}.yaml") cfg.oidcClients;
+      settingsFiles = [ "/var/lib/authelia-${fqdn}/oidc_clients.yaml" ];
    };

    systemd.services."authelia-${fqdn}".preStart =
      let
-        mkCfg = client:
-          let
-            secretFile = client.secretFile;
-            clientWithTmpl = {
-              identity_providers.oidc.clients = [
-                ((lib.attrsets.filterAttrs (name: v: name != "secretFile") client) // {
-                  secret = "%SECRET%";
-                })
-              ];
-            };
-            tmplFile = pkgs.writeText "oidc_client_${client.id}.yaml" (lib.generators.toYAML {} clientWithTmpl);
-          in
-            template tmplFile "/var/lib/authelia-${fqdn}/oidc_client_${client.id}.yaml" {
-              "%SECRET%" = "$(cat ${toString secretFile})";
-            };
+        mkCfg = clients:
+        let
+          addTemplate = client: (builtins.removeAttrs client ["secretFile"]) // {secret = "%SECRET_${client.id}%";};
+          tmplFile = pkgs.writeText "oidc_clients.yaml" (lib.generators.toYAML {} {identity_providers.oidc.clients = map addTemplate clients;});
+          replace = client: {"%SECRET_${client.id}%" = "$(cat ${toString client.secretFile})";};
+          replacements = lib.foldl (container: client: container // (replace client) ) {} clients;
+        in
+          template tmplFile "/var/lib/authelia-${fqdn}/oidc_clients.yaml" replacements;
      in
-        lib.mkBefore (lib.concatStringsSep "\n" (map mkCfg cfg.oidcClients));
+        lib.mkBefore (mkCfg cfg.oidcClients);

    services.nginx.virtualHosts.${fqdn} = {
      forceSSL = !(isNull cfg.ssl);
--- a/modules/services/jellyfin.nix
+++ b/modules/services/jellyfin.nix
@ -383,7 +383,7 @@ in
        id = cfg.oidcClientID;
        description = "Jellyfin";
        secretFile = config.sops.secrets."authelia/jellyfin_sso_secret".path;
-        public = "false";
+        public = false;
        authorization_policy = "one_factor";
        redirect_uris = [ "https://${cfg.subdomain}.${cfg.domain}/sso/OID/r/${cfg.oidcProvider}" ];
      }
--- a/test/vm/authelia.nix
+++ b/test/vm/authelia.nix
@ -51,7 +51,7 @@ in
            id = "myclient";
            description = "My Client";
            secretFile = pkgs.writeText "secret" "mysecuresecret";
-            public = "false";
+            public = false;
            authorization_policy = "one_factor";
            redirect_uris = [ "https://myclient.exapmle.com/redirect" ];
          }