1
0
Fork 0

Combine authelia client YAML's into one YAML file

- Fixes #126
  - Generate a single oidc_clients.yaml to define all clients
  - `public` property of OIDC clients is now a bool (as it should be), not a string.
  - sed pattern changed to allow multiple replacements
This commit is contained in:
sivert 2024-01-21 08:17:25 +01:00 committed by Pierre Penninckx
parent 05bec60392
commit 8a5f4e3bf2
3 changed files with 14 additions and 22 deletions

View file

@ -12,13 +12,12 @@ let
template = file: newPath: replacements: template = file: newPath: replacements:
let let
templatePath = newPath + ".template"; templatePath = newPath + ".template";
sedPatterns = lib.strings.concatStringsSep ";" (lib.attrsets.mapAttrsToList (from: to: "s|${from}|${to}|") replacements);
sedPatterns = lib.strings.concatStringsSep " " (lib.attrsets.mapAttrsToList (from: to: "\"s|${from}|${to}|\"") replacements);
in in
'' ''
ln -fs ${file} ${templatePath} ln -fs ${file} ${templatePath}
rm ${newPath} || : rm ${newPath} || :
sed ${sedPatterns} ${templatePath} > ${newPath} sed "${sedPatterns}" ${templatePath} > ${newPath}
''; '';
in in
{ {
@ -277,28 +276,21 @@ in
}; };
}; };
settingsFiles = map (client: "/var/lib/authelia-${fqdn}/oidc_client_${client.id}.yaml") cfg.oidcClients; settingsFiles = [ "/var/lib/authelia-${fqdn}/oidc_clients.yaml" ];
}; };
systemd.services."authelia-${fqdn}".preStart = systemd.services."authelia-${fqdn}".preStart =
let let
mkCfg = client: mkCfg = clients:
let let
secretFile = client.secretFile; addTemplate = client: (builtins.removeAttrs client ["secretFile"]) // {secret = "%SECRET_${client.id}%";};
clientWithTmpl = { tmplFile = pkgs.writeText "oidc_clients.yaml" (lib.generators.toYAML {} {identity_providers.oidc.clients = map addTemplate clients;});
identity_providers.oidc.clients = [ replace = client: {"%SECRET_${client.id}%" = "$(cat ${toString client.secretFile})";};
((lib.attrsets.filterAttrs (name: v: name != "secretFile") client) // { replacements = lib.foldl (container: client: container // (replace client) ) {} clients;
secret = "%SECRET%"; in
}) template tmplFile "/var/lib/authelia-${fqdn}/oidc_clients.yaml" replacements;
];
};
tmplFile = pkgs.writeText "oidc_client_${client.id}.yaml" (lib.generators.toYAML {} clientWithTmpl);
in
template tmplFile "/var/lib/authelia-${fqdn}/oidc_client_${client.id}.yaml" {
"%SECRET%" = "$(cat ${toString secretFile})";
};
in in
lib.mkBefore (lib.concatStringsSep "\n" (map mkCfg cfg.oidcClients)); lib.mkBefore (mkCfg cfg.oidcClients);
services.nginx.virtualHosts.${fqdn} = { services.nginx.virtualHosts.${fqdn} = {
forceSSL = !(isNull cfg.ssl); forceSSL = !(isNull cfg.ssl);

View file

@ -383,7 +383,7 @@ in
id = cfg.oidcClientID; id = cfg.oidcClientID;
description = "Jellyfin"; description = "Jellyfin";
secretFile = config.sops.secrets."authelia/jellyfin_sso_secret".path; secretFile = config.sops.secrets."authelia/jellyfin_sso_secret".path;
public = "false"; public = false;
authorization_policy = "one_factor"; authorization_policy = "one_factor";
redirect_uris = [ "https://${cfg.subdomain}.${cfg.domain}/sso/OID/r/${cfg.oidcProvider}" ]; redirect_uris = [ "https://${cfg.subdomain}.${cfg.domain}/sso/OID/r/${cfg.oidcProvider}" ];
} }

View file

@ -51,7 +51,7 @@ in
id = "myclient"; id = "myclient";
description = "My Client"; description = "My Client";
secretFile = pkgs.writeText "secret" "mysecuresecret"; secretFile = pkgs.writeText "secret" "mysecuresecret";
public = "false"; public = false;
authorization_policy = "one_factor"; authorization_policy = "one_factor";
redirect_uris = [ "https://myclient.exapmle.com/redirect" ]; redirect_uris = [ "https://myclient.exapmle.com/redirect" ];
} }