diff --git a/modules/blocks/nginx.nix b/modules/blocks/nginx.nix index 5d613e5..dea0e09 100644 --- a/modules/blocks/nginx.nix +++ b/modules/blocks/nginx.nix @@ -7,7 +7,7 @@ let fqdn = c: "${c.subdomain}.${c.domain}"; - autheliaConfig = lib.types.submodule { + vhostConfig = lib.types.submodule { options = { subdomain = lib.mkOption { type = lib.types.str; @@ -67,9 +67,9 @@ in example = true; }; - autheliaProtect = lib.mkOption { + vhosts = lib.mkOption { description = "Endpoints to be protected by authelia."; - type = lib.types.listOf autheliaConfig; + type = lib.types.listOf vhostConfig; default = []; }; }; @@ -135,7 +135,7 @@ in proxy_pass ${c.upstream}; '' - + lib.optionalString (!(isNull c.authEndpoint)) '' + + lib.optionalString (c.authEndpoint != null) '' auth_request /authelia; auth_request_set $user $upstream_http_remote_user; auth_request_set $groups $upstream_http_remote_groups; @@ -181,13 +181,13 @@ in }; }; in - lib.mkMerge (map vhostCfg cfg.autheliaProtect); + lib.mkMerge (map vhostCfg cfg.vhosts); shb.authelia.rules = let authConfig = c: map (r: r // { domain = fqdn c; }) c.autheliaRules; in - lib.flatten (map authConfig cfg.autheliaProtect); + lib.flatten (map authConfig cfg.vhosts); security.acme.defaults.reloadServices = [ "nginx.service" diff --git a/modules/services/arr.nix b/modules/services/arr.nix index 8b0db9d..95a0f41 100644 --- a/modules/services/arr.nix +++ b/modules/services/arr.nix @@ -257,7 +257,7 @@ let }; }; - autheliaProtect = { extraBypassResources ? [] }: c: { + vhosts = { extraBypassResources ? [] }: c: { inherit (c) subdomain domain authEndpoint ssl; upstream = "http://127.0.0.1:${toString c.settings.Port}"; @@ -369,7 +369,7 @@ in generator = shblib.replaceSecretsFormatAdapter apps.radarr.settingsFormat; }; - shb.nginx.autheliaProtect = [ (autheliaProtect {} cfg') ]; + shb.nginx.vhosts = [ (vhosts {} cfg') ]; shb.backup.instances.radarr = cfg'.backupCfg // { sourceDirectories = [ 
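Review bot: The `description` kept on the renamed `vhosts` option (hunk at -67) still reads "Endpoints to be protected by authelia.", which is no longer true. The `auth_request /authelia;` block in the -135 hunk is emitted only when `c.authEndpoint != null`, so an entry in this list can now be proxied with no SSO in front of it. A reader of the option docs would assume every listed vhost is gated. I would change it to `description = "Virtual hosts to proxy. An entry is protected by Authelia only when its authEndpoint is non-null.";` and say the same on the submodule's `authEndpoint` option, which is presumably declared in `vhostConfig` outside these hunks.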
@@ -406,7 +406,7 @@ in generator = apps.sonarr.settingsFormat.generate; }; - shb.nginx.autheliaProtect = [ (autheliaProtect {} cfg') ]; + shb.nginx.vhosts = [ (vhosts {} cfg') ]; shb.backup.instances.sonarr = cfg'.backupCfg // { sourceDirectories = [ @@ -440,7 +440,7 @@ in generator = apps.bazarr.settingsFormat.generate; }; - shb.nginx.autheliaProtect = [ (autheliaProtect {} cfg') ]; + shb.nginx.vhosts = [ (vhosts {} cfg') ]; shb.backup.instances.bazarr = cfg'.backupCfg // { sourceDirectories = [ @@ -469,7 +469,7 @@ in generator = apps.readarr.settingsFormat.generate; }; - shb.nginx.autheliaProtect = [ (autheliaProtect {} cfg') ]; + shb.nginx.vhosts = [ (vhosts {} cfg') ]; shb.backup.instances.readarr = cfg'.backupCfg // { sourceDirectories = [ @@ -503,7 +503,7 @@ in generator = apps.lidarr.settingsFormat.generate; }; - shb.nginx.autheliaProtect = [ (autheliaProtect {} cfg') ]; + shb.nginx.vhosts = [ (vhosts {} cfg') ]; shb.backup.instances.lidarr = cfg'.backupCfg // { sourceDirectories = [ @@ -532,7 +532,7 @@ in generator = apps.jackett.settingsFormat.generate; }; - shb.nginx.autheliaProtect = [ (autheliaProtect { + shb.nginx.vhosts = [ (vhosts { extraBypassResources = [ "^/dl.*" ]; } cfg') ]; diff --git a/modules/services/deluge.nix b/modules/services/deluge.nix index e13b3c2..565c950 100644 --- a/modules/services/deluge.nix +++ b/modules/services/deluge.nix @@ -149,7 +149,7 @@ in }; authEndpoint = lib.mkOption { - type = lib.types.str; + type = lib.types.nullOr lib.types.str; description = "OIDC endpoint for SSO"; example = "https://authelia.example.com"; }; 
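Review bot: `authEndpoint` in deluge.nix now accepts `null`, but its description still only says "OIDC endpoint for SSO", so nothing tells the operator that `null` switches SSO off for this service. Together with the -253 hunk in the same file, a null value publishes the Deluge web vhost with no Authelia rule, and, judging by the nginx.nix change, with no `auth_request` either. I would spell that out, e.g. `description = "OIDC endpoint for SSO. Set to null to serve the vhost without Authelia; access then depends only on the upstream's own authentication.";`. No `default` is visible in this hunk, so the choice appears to stay explicit, which is worth keeping.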
@@ -253,11 +253,11 @@ in "L+ ${config.services.deluge.dataDir}/.config/deluge/plugins - - - - ${plugins}" ]; - shb.nginx.autheliaProtect = lib.mkIf config.shb.authelia.enable [ + shb.nginx.vhosts = [ { inherit (cfg) subdomain domain authEndpoint ssl; upstream = "http://127.0.0.1:${toString config.services.deluge.web.port}"; - autheliaRules = [{ + autheliaRules = lib.mkIf (cfg.authEndpoint != null) [{ domain = fqdn; policy = "two_factor"; subject = ["group:deluge_user"]; diff --git a/modules/services/hledger.nix b/modules/services/hledger.nix index 5b63bc5..b4bb9da 100644 --- a/modules/services/hledger.nix +++ b/modules/services/hledger.nix @@ -78,7 +78,7 @@ in serviceConfig.StateDirectory = "hledger"; }; - shb.nginx.autheliaProtect = [ + shb.nginx.vhosts = [ { inherit (cfg) subdomain domain authEndpoint ssl; upstream = "http://${toString config.services.hledger-web.host}:${toString config.services.hledger-web.port}"; diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix index dde963a..8d0fab2 100644 --- a/modules/services/vaultwarden.nix +++ b/modules/services/vaultwarden.nix @@ -158,11 +158,11 @@ in generator = name: v: lib.generators.toINIWithGlobalSection {} { globalSection = v; }; }; - shb.nginx.autheliaProtect = [ + shb.nginx.vhosts = [ { inherit (cfg) subdomain domain authEndpoint ssl; upstream = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}"; - autheliaRules = [ + autheliaRules = lib.mkIf (cfg.authEndpoint != null) [ { domain = "${fqdn}"; policy = "two_factor"; diff --git a/test/modules/arr.nix b/test/modules/arr.nix index 2ca7d39..2de9ef0 100644 --- a/test/modules/arr.nix +++ b/test/modules/arr.nix @@ -150,7 +150,7 @@ in excludePatterns = [ ".db-shm" ".db-wal" ".mono" ]; }; }; - shb.nginx.autheliaProtect = [ + shb.nginx.vhosts = [ { autheliaRules = [ { diff --git a/test/modules/nginx.nix b/test/modules/nginx.nix index 242b13c..fab349f 100644 --- a/test/modules/nginx.nix +++ b/test/modules/nginx.nix 
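Review bot: Dropping `lib.mkIf config.shb.authelia.enable` in the deluge.nix hunk means the vhost is now always created, and whether it is authenticated depends only on `cfg.authEndpoint`, which can disagree with `config.shb.authelia.enable`. With `authEndpoint` set and Authelia disabled, the rule is still pushed into `shb.authelia.rules` and nginx would presumably still emit `auth_request /authelia;`; with it null, the web UI is reachable without SSO. If Authelia is always expected to run on the same host, an assertion would make the mismatch fail at evaluation time: `assertions = [{ assertion = cfg.authEndpoint != null -> config.shb.authelia.enable; message = "authEndpoint is set but shb.authelia.enable is false"; }];`. The same `autheliaRules = lib.mkIf (cfg.authEndpoint != null)` pattern is added in the vaultwarden.nix hunk. For both, please confirm that `autheliaRules` has a `default` in `vhostConfig` (not visible here), since a false `mkIf` otherwise leaves the option undefined.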
@@ -38,7 +38,7 @@ in shb.backup = {}; shb.nginx = { accessLog = false; - autheliaProtect = []; + vhosts = []; debugLog = false; }; services.nginx.enable = true; @@ -66,7 +66,7 @@ in domain = "example.com"; }; - shb.nginx.autheliaProtect = [{ + shb.nginx.vhosts = [{ subdomain = "my"; domain = "example.com"; ssl = config.shb.certs.certs.selfsigned."example.com";