Combine authelia client YAML's into one YAML file
- Fixes #126 - Generate a single oidc_clients.yaml to define all clients - `public` property of OIDC clients is now a bool (as it should be), not a string. - sed pattern changed to allow multiple replacements
This commit is contained in:
parent
05bec60392
commit
8a5f4e3bf2
3 changed files with 14 additions and 22 deletions
|
@ -12,13 +12,12 @@ let
|
||||||
template = file: newPath: replacements:
|
template = file: newPath: replacements:
|
||||||
let
|
let
|
||||||
templatePath = newPath + ".template";
|
templatePath = newPath + ".template";
|
||||||
|
sedPatterns = lib.strings.concatStringsSep ";" (lib.attrsets.mapAttrsToList (from: to: "s|${from}|${to}|") replacements);
|
||||||
sedPatterns = lib.strings.concatStringsSep " " (lib.attrsets.mapAttrsToList (from: to: "\"s|${from}|${to}|\"") replacements);
|
|
||||||
in
|
in
|
||||||
''
|
''
|
||||||
ln -fs ${file} ${templatePath}
|
ln -fs ${file} ${templatePath}
|
||||||
rm ${newPath} || :
|
rm ${newPath} || :
|
||||||
sed ${sedPatterns} ${templatePath} > ${newPath}
|
sed "${sedPatterns}" ${templatePath} > ${newPath}
|
||||||
'';
|
'';
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
@ -277,28 +276,21 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
settingsFiles = map (client: "/var/lib/authelia-${fqdn}/oidc_client_${client.id}.yaml") cfg.oidcClients;
|
settingsFiles = [ "/var/lib/authelia-${fqdn}/oidc_clients.yaml" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services."authelia-${fqdn}".preStart =
|
systemd.services."authelia-${fqdn}".preStart =
|
||||||
let
|
let
|
||||||
mkCfg = client:
|
mkCfg = clients:
|
||||||
let
|
let
|
||||||
secretFile = client.secretFile;
|
addTemplate = client: (builtins.removeAttrs client ["secretFile"]) // {secret = "%SECRET_${client.id}%";};
|
||||||
clientWithTmpl = {
|
tmplFile = pkgs.writeText "oidc_clients.yaml" (lib.generators.toYAML {} {identity_providers.oidc.clients = map addTemplate clients;});
|
||||||
identity_providers.oidc.clients = [
|
replace = client: {"%SECRET_${client.id}%" = "$(cat ${toString client.secretFile})";};
|
||||||
((lib.attrsets.filterAttrs (name: v: name != "secretFile") client) // {
|
replacements = lib.foldl (container: client: container // (replace client) ) {} clients;
|
||||||
secret = "%SECRET%";
|
in
|
||||||
})
|
template tmplFile "/var/lib/authelia-${fqdn}/oidc_clients.yaml" replacements;
|
||||||
];
|
|
||||||
};
|
|
||||||
tmplFile = pkgs.writeText "oidc_client_${client.id}.yaml" (lib.generators.toYAML {} clientWithTmpl);
|
|
||||||
in
|
|
||||||
template tmplFile "/var/lib/authelia-${fqdn}/oidc_client_${client.id}.yaml" {
|
|
||||||
"%SECRET%" = "$(cat ${toString secretFile})";
|
|
||||||
};
|
|
||||||
in
|
in
|
||||||
lib.mkBefore (lib.concatStringsSep "\n" (map mkCfg cfg.oidcClients));
|
lib.mkBefore (mkCfg cfg.oidcClients);
|
||||||
|
|
||||||
services.nginx.virtualHosts.${fqdn} = {
|
services.nginx.virtualHosts.${fqdn} = {
|
||||||
forceSSL = !(isNull cfg.ssl);
|
forceSSL = !(isNull cfg.ssl);
|
||||||
|
|
|
@ -383,7 +383,7 @@ in
|
||||||
id = cfg.oidcClientID;
|
id = cfg.oidcClientID;
|
||||||
description = "Jellyfin";
|
description = "Jellyfin";
|
||||||
secretFile = config.sops.secrets."authelia/jellyfin_sso_secret".path;
|
secretFile = config.sops.secrets."authelia/jellyfin_sso_secret".path;
|
||||||
public = "false";
|
public = false;
|
||||||
authorization_policy = "one_factor";
|
authorization_policy = "one_factor";
|
||||||
redirect_uris = [ "https://${cfg.subdomain}.${cfg.domain}/sso/OID/r/${cfg.oidcProvider}" ];
|
redirect_uris = [ "https://${cfg.subdomain}.${cfg.domain}/sso/OID/r/${cfg.oidcProvider}" ];
|
||||||
}
|
}
|
||||||
|
|
|
@ -51,7 +51,7 @@ in
|
||||||
id = "myclient";
|
id = "myclient";
|
||||||
description = "My Client";
|
description = "My Client";
|
||||||
secretFile = pkgs.writeText "secret" "mysecuresecret";
|
secretFile = pkgs.writeText "secret" "mysecuresecret";
|
||||||
public = "false";
|
public = false;
|
||||||
authorization_policy = "one_factor";
|
authorization_policy = "one_factor";
|
||||||
redirect_uris = [ "https://myclient.exapmle.com/redirect" ];
|
redirect_uris = [ "https://myclient.exapmle.com/redirect" ];
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue