From 8a5f4e3bf2c220cbf273bff4e4dc39cff99bca07 Mon Sep 17 00:00:00 2001
From: sivert
Date: Sun, 21 Jan 2024 08:17:25 +0100
Subject: [PATCH] Combine authelia client YAML's into one YAML file

- Fixes #126
- Generate a single oidc_clients.yaml to define all clients
- `public` property of OIDC clients is now a bool (as it should be), not a string.
- sed pattern changed to allow multiple replacements
---
 modules/blocks/authelia.nix | 32 ++++++++++++-------------------
 modules/services/jellyfin.nix | 2 +-
 test/vm/authelia.nix | 2 +-
 3 files changed, 14 insertions(+), 22 deletions(-)

diff --git a/modules/blocks/authelia.nix b/modules/blocks/authelia.nix
index fca1d47..5375aa4 100644
--- a/modules/blocks/authelia.nix
+++ b/modules/blocks/authelia.nix
@@ -12,13 +12,12 @@ let
 template = file: newPath: replacements:
 let
 templatePath = newPath + ".template";
-
- sedPatterns = lib.strings.concatStringsSep " " (lib.attrsets.mapAttrsToList (from: to: "\"s|${from}|${to}|\"") replacements);
+ sedPatterns = lib.strings.concatStringsSep ";" (lib.attrsets.mapAttrsToList (from: to: "s|${from}|${to}|") replacements);
 in
 ''
 ln -fs ${file} ${templatePath}
 rm ${newPath} || :
- sed ${sedPatterns} ${templatePath} > ${newPath}
+ sed "${sedPatterns}" ${templatePath} > ${newPath}
 '';
 in
 {
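Review bot: The replacement values in `sedPatterns` are `$(cat …)` expansions that the shell resolves into sed's argument vector at the `sed "${sedPatterns}"` line, so every client secret is visible in the process list (`/proc/<pid>/cmdline`, readable by any local user unless hidepid is set) for as long as sed runs. Passing the script on stdin keeps it out of argv: `printf '%s' "${sedPatterns}" | sed -f /dev/stdin ${templatePath} > ${newPath}`. Separately, the replacement side is not escaped for sed, so a secret containing `|`, `&`, `\` or a newline corrupts or aborts the substitution; either escape those characters before substitution or add a comment on `sedPatterns` stating that constraint on secret contents. The redirected output inherits the unit's umask, so unless a narrower mode is set elsewhere in the module, a `umask 077` before the `sed` line keeps the rendered file, which now holds every client secret, from being world-readable.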
@@ -277,28 +276,21 @@ in }; }; - settingsFiles = map (client: "/var/lib/authelia-${fqdn}/oidc_client_${client.id}.yaml") cfg.oidcClients; + settingsFiles = [ "/var/lib/authelia-${fqdn}/oidc_clients.yaml" ]; }; systemd.services."authelia-${fqdn}".preStart = let - mkCfg = client: - let - secretFile = client.secretFile; - clientWithTmpl = { - identity_providers.oidc.clients = [ - ((lib.attrsets.filterAttrs (name: v: name != "secretFile") client) // { - secret = "%SECRET%"; - }) - ]; - }; - tmplFile = pkgs.writeText "oidc_client_${client.id}.yaml" (lib.generators.toYAML {} clientWithTmpl); - in - template tmplFile "/var/lib/authelia-${fqdn}/oidc_client_${client.id}.yaml" { - "%SECRET%" = "$(cat ${toString secretFile})"; - }; + mkCfg = clients: + let + addTemplate = client: (builtins.removeAttrs client ["secretFile"]) // {secret = "%SECRET_${client.id}%";}; + tmplFile = pkgs.writeText "oidc_clients.yaml" (lib.generators.toYAML {} {identity_providers.oidc.clients = map addTemplate clients;}); + replace = client: {"%SECRET_${client.id}%" = "$(cat ${toString client.secretFile})";}; + replacements = lib.foldl (container: client: container // (replace client) ) {} clients; + in + template tmplFile "/var/lib/authelia-${fqdn}/oidc_clients.yaml" replacements; in - lib.mkBefore (lib.concatStringsSep "\n" (map mkCfg cfg.oidcClients)); + lib.mkBefore (mkCfg cfg.oidcClients); services.nginx.virtualHosts.${fqdn} = { forceSSL = !(isNull cfg.ssl);
diff --git a/modules/services/jellyfin.nix b/modules/services/jellyfin.nix
index 78bde7d..c9d3b84 100644
--- a/modules/services/jellyfin.nix
+++ b/modules/services/jellyfin.nix
@@ -383,7 +383,7 @@ in
 id = cfg.oidcClientID;
 description = "Jellyfin";
 secretFile = config.sops.secrets."authelia/jellyfin_sso_secret".path;
- public = "false";
+ public = false;
 authorization_policy = "one_factor";
 redirect_uris = [ "https://${cfg.subdomain}.${cfg.domain}/sso/OID/r/${cfg.oidcProvider}" ];
 }
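Review bot: `replacements` is folded with `//` on keys of the form `%SECRET_${client.id}%`, so two clients that share an `id` silently collapse to one key and both entries in `oidc_clients.yaml` end up holding the last client's secret, with no evaluation-time error. An assertion before the `template` call in `mkCfg`, e.g. `assert lib.length (lib.unique (map (c: c.id) clients)) == lib.length clients;`, would surface that misconfiguration. The id is also spliced unescaped into the left-hand side of a sed `s|…|…|` expression, so an id containing `|` or regex metacharacters breaks the substitution or over-matches the template; restricting ids to `[A-Za-z0-9_-]` at the same point (e.g. `builtins.match "[A-Za-z0-9_-]+" client.id != null`) closes that. The surrounding module attribute set starts and ends outside the hunk.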
diff --git a/test/vm/authelia.nix b/test/vm/authelia.nix
index 28257ee..37c4bea 100644
--- a/test/vm/authelia.nix
+++ b/test/vm/authelia.nix
@@ -51,7 +51,7 @@ in
 id = "myclient";
 description = "My Client";
 secretFile = pkgs.writeText "secret" "mysecuresecret";
- public = "false";
+ public = false;
 authorization_policy = "one_factor";
 redirect_uris = [ "https://myclient.exapmle.com/redirect" ];
 }