rename autheliaProtect to vhosts
parent
7020786c41
commit
8ebb3af1f0
7 changed files with 22 additions and 22 deletions
|
@ -7,7 +7,7 @@ let
|
||||||
|
|
||||||
fqdn = c: "${c.subdomain}.${c.domain}";
|
fqdn = c: "${c.subdomain}.${c.domain}";
|
||||||
|
|
||||||
autheliaConfig = lib.types.submodule {
|
vhostConfig = lib.types.submodule {
|
||||||
options = {
|
options = {
|
||||||
subdomain = lib.mkOption {
|
subdomain = lib.mkOption {
|
||||||
type = lib.types.str;
|
type = lib.types.str;
|
||||||
|
@ -67,9 +67,9 @@ in
|
||||||
example = true;
|
example = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
autheliaProtect = lib.mkOption {
|
vhosts = lib.mkOption {
|
||||||
description = "Endpoints to be protected by authelia.";
|
description = "Endpoints to be protected by authelia.";
|
||||||
type = lib.types.listOf autheliaConfig;
|
type = lib.types.listOf vhostConfig;
|
||||||
default = [];
|
default = [];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -135,7 +135,7 @@ in
|
||||||
|
|
||||||
proxy_pass ${c.upstream};
|
proxy_pass ${c.upstream};
|
||||||
''
|
''
|
||||||
+ lib.optionalString (!(isNull c.authEndpoint)) ''
|
+ lib.optionalString (c.authEndpoint != null) ''
|
||||||
auth_request /authelia;
|
auth_request /authelia;
|
||||||
auth_request_set $user $upstream_http_remote_user;
|
auth_request_set $user $upstream_http_remote_user;
|
||||||
auth_request_set $groups $upstream_http_remote_groups;
|
auth_request_set $groups $upstream_http_remote_groups;
|
||||||
|
@ -181,13 +181,13 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
in
|
in
|
||||||
lib.mkMerge (map vhostCfg cfg.autheliaProtect);
|
lib.mkMerge (map vhostCfg cfg.vhosts);
|
||||||
|
|
||||||
shb.authelia.rules =
|
shb.authelia.rules =
|
||||||
let
|
let
|
||||||
authConfig = c: map (r: r // { domain = fqdn c; }) c.autheliaRules;
|
authConfig = c: map (r: r // { domain = fqdn c; }) c.autheliaRules;
|
||||||
in
|
in
|
||||||
lib.flatten (map authConfig cfg.autheliaProtect);
|
lib.flatten (map authConfig cfg.vhosts);
|
||||||
|
|
||||||
security.acme.defaults.reloadServices = [
|
security.acme.defaults.reloadServices = [
|
||||||
"nginx.service"
|
"nginx.service"
|
||||||
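Review bot: The `vhosts` option still carries the description "Endpoints to be protected by authelia.", but an entry is now only gated when its `authEndpoint` is non-null, because `auth_request /authelia;` sits behind `lib.optionalString (c.authEndpoint != null)`; a vhost with a null endpoint is proxied to `c.upstream` with no authentication step. I would reword it along the lines of `description = "Virtual hosts served through nginx; a vhost is gated by Authelia only when its authEndpoint is set.";` so the fail-open case is explicit to whoever adds an entry. `shb.authelia.rules` also still collects `c.autheliaRules` from every vhost regardless of `authEndpoint`, so each caller has to guard its own rules; filtering centrally, e.g. `lib.flatten (map authConfig (lib.filter (c: c.authEndpoint != null) cfg.vhosts));`, would keep the rules and the `auth_request` block in sync. The `authEndpoint` declaration inside `vhostConfig` is outside the visible hunks, so its type and default cannot be checked here.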
|
|
|
@ -257,7 +257,7 @@ let
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
autheliaProtect = { extraBypassResources ? [] }: c: {
|
vhosts = { extraBypassResources ? [] }: c: {
|
||||||
inherit (c) subdomain domain authEndpoint ssl;
|
inherit (c) subdomain domain authEndpoint ssl;
|
||||||
|
|
||||||
upstream = "http://127.0.0.1:${toString c.settings.Port}";
|
upstream = "http://127.0.0.1:${toString c.settings.Port}";
|
||||||
|
@ -369,7 +369,7 @@ in
|
||||||
generator = shblib.replaceSecretsFormatAdapter apps.radarr.settingsFormat;
|
generator = shblib.replaceSecretsFormatAdapter apps.radarr.settingsFormat;
|
||||||
};
|
};
|
||||||
|
|
||||||
shb.nginx.autheliaProtect = [ (autheliaProtect {} cfg') ];
|
shb.nginx.vhosts = [ (vhosts {} cfg') ];
|
||||||
|
|
||||||
shb.backup.instances.radarr = cfg'.backupCfg // {
|
shb.backup.instances.radarr = cfg'.backupCfg // {
|
||||||
sourceDirectories = [
|
sourceDirectories = [
|
||||||
|
@ -406,7 +406,7 @@ in
|
||||||
generator = apps.sonarr.settingsFormat.generate;
|
generator = apps.sonarr.settingsFormat.generate;
|
||||||
};
|
};
|
||||||
|
|
||||||
shb.nginx.autheliaProtect = [ (autheliaProtect {} cfg') ];
|
shb.nginx.vhosts = [ (vhosts {} cfg') ];
|
||||||
|
|
||||||
shb.backup.instances.sonarr = cfg'.backupCfg // {
|
shb.backup.instances.sonarr = cfg'.backupCfg // {
|
||||||
sourceDirectories = [
|
sourceDirectories = [
|
||||||
|
@ -440,7 +440,7 @@ in
|
||||||
generator = apps.bazarr.settingsFormat.generate;
|
generator = apps.bazarr.settingsFormat.generate;
|
||||||
};
|
};
|
||||||
|
|
||||||
shb.nginx.autheliaProtect = [ (autheliaProtect {} cfg') ];
|
shb.nginx.vhosts = [ (vhosts {} cfg') ];
|
||||||
|
|
||||||
shb.backup.instances.bazarr = cfg'.backupCfg // {
|
shb.backup.instances.bazarr = cfg'.backupCfg // {
|
||||||
sourceDirectories = [
|
sourceDirectories = [
|
||||||
|
@ -469,7 +469,7 @@ in
|
||||||
generator = apps.readarr.settingsFormat.generate;
|
generator = apps.readarr.settingsFormat.generate;
|
||||||
};
|
};
|
||||||
|
|
||||||
shb.nginx.autheliaProtect = [ (autheliaProtect {} cfg') ];
|
shb.nginx.vhosts = [ (vhosts {} cfg') ];
|
||||||
|
|
||||||
shb.backup.instances.readarr = cfg'.backupCfg // {
|
shb.backup.instances.readarr = cfg'.backupCfg // {
|
||||||
sourceDirectories = [
|
sourceDirectories = [
|
||||||
|
@ -503,7 +503,7 @@ in
|
||||||
generator = apps.lidarr.settingsFormat.generate;
|
generator = apps.lidarr.settingsFormat.generate;
|
||||||
};
|
};
|
||||||
|
|
||||||
shb.nginx.autheliaProtect = [ (autheliaProtect {} cfg') ];
|
shb.nginx.vhosts = [ (vhosts {} cfg') ];
|
||||||
|
|
||||||
shb.backup.instances.lidarr = cfg'.backupCfg // {
|
shb.backup.instances.lidarr = cfg'.backupCfg // {
|
||||||
sourceDirectories = [
|
sourceDirectories = [
|
||||||
|
@ -532,7 +532,7 @@ in
|
||||||
generator = apps.jackett.settingsFormat.generate;
|
generator = apps.jackett.settingsFormat.generate;
|
||||||
};
|
};
|
||||||
|
|
||||||
shb.nginx.autheliaProtect = [ (autheliaProtect {
|
shb.nginx.vhosts = [ (vhosts {
|
||||||
extraBypassResources = [ "^/dl.*" ];
|
extraBypassResources = [ "^/dl.*" ];
|
||||||
} cfg') ];
|
} cfg') ];
|
||||||
|
|
||||||
|
|
|
@ -149,7 +149,7 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
authEndpoint = lib.mkOption {
|
authEndpoint = lib.mkOption {
|
||||||
type = lib.types.str;
|
type = lib.types.nullOr lib.types.str;
|
||||||
description = "OIDC endpoint for SSO";
|
description = "OIDC endpoint for SSO";
|
||||||
example = "https://authelia.example.com";
|
example = "https://authelia.example.com";
|
||||||
};
|
};
|
||||||
|
@ -253,11 +253,11 @@ in
|
||||||
"L+ ${config.services.deluge.dataDir}/.config/deluge/plugins - - - - ${plugins}"
|
"L+ ${config.services.deluge.dataDir}/.config/deluge/plugins - - - - ${plugins}"
|
||||||
];
|
];
|
||||||
|
|
||||||
shb.nginx.autheliaProtect = lib.mkIf config.shb.authelia.enable [
|
shb.nginx.vhosts = [
|
||||||
{
|
{
|
||||||
inherit (cfg) subdomain domain authEndpoint ssl;
|
inherit (cfg) subdomain domain authEndpoint ssl;
|
||||||
upstream = "http://127.0.0.1:${toString config.services.deluge.web.port}";
|
upstream = "http://127.0.0.1:${toString config.services.deluge.web.port}";
|
||||||
autheliaRules = [{
|
autheliaRules = lib.mkIf (cfg.authEndpoint != null) [{
|
||||||
domain = fqdn;
|
domain = fqdn;
|
||||||
policy = "two_factor";
|
policy = "two_factor";
|
||||||
subject = ["group:deluge_user"];
|
subject = ["group:deluge_user"];
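Review bot: Dropping the `lib.mkIf config.shb.authelia.enable` guard while widening `authEndpoint` to `lib.types.nullOr lib.types.str` means the deluge web UI vhost is now always created, and with `authEndpoint = null` it is served without the Authelia `auth_request` check. The option description still says only "OIDC endpoint for SSO"; I would spell out the null case, e.g. `description = "OIDC endpoint for SSO. When null, the web UI is exposed through nginx without SSO.";`. It may also be worth an assertion that `config.shb.authelia.enable` holds whenever `authEndpoint` is non-null, since the removed `mkIf` used to enforce that coupling. The same `lib.mkIf (cfg.authEndpoint != null)` guard on `autheliaRules` is added in the vaultwarden section, whose `authEndpoint` declaration is not visible in this commit, so its nullability should be confirmed there as well. The `autheliaRules` list continues past the end of this hunk.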
|
||||||
|
|
|
@ -78,7 +78,7 @@ in
|
||||||
serviceConfig.StateDirectory = "hledger";
|
serviceConfig.StateDirectory = "hledger";
|
||||||
};
|
};
|
||||||
|
|
||||||
shb.nginx.autheliaProtect = [
|
shb.nginx.vhosts = [
|
||||||
{
|
{
|
||||||
inherit (cfg) subdomain domain authEndpoint ssl;
|
inherit (cfg) subdomain domain authEndpoint ssl;
|
||||||
upstream = "http://${toString config.services.hledger-web.host}:${toString config.services.hledger-web.port}";
|
upstream = "http://${toString config.services.hledger-web.host}:${toString config.services.hledger-web.port}";
|
||||||
|
|
|
@ -158,11 +158,11 @@ in
|
||||||
generator = name: v: lib.generators.toINIWithGlobalSection {} { globalSection = v; };
|
generator = name: v: lib.generators.toINIWithGlobalSection {} { globalSection = v; };
|
||||||
};
|
};
|
||||||
|
|
||||||
shb.nginx.autheliaProtect = [
|
shb.nginx.vhosts = [
|
||||||
{
|
{
|
||||||
inherit (cfg) subdomain domain authEndpoint ssl;
|
inherit (cfg) subdomain domain authEndpoint ssl;
|
||||||
upstream = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
|
upstream = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
|
||||||
autheliaRules = [
|
autheliaRules = lib.mkIf (cfg.authEndpoint != null) [
|
||||||
{
|
{
|
||||||
domain = "${fqdn}";
|
domain = "${fqdn}";
|
||||||
policy = "two_factor";
|
policy = "two_factor";
|
||||||
|
|
|
@ -150,7 +150,7 @@ in
|
||||||
excludePatterns = [ ".db-shm" ".db-wal" ".mono" ];
|
excludePatterns = [ ".db-shm" ".db-wal" ".mono" ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
shb.nginx.autheliaProtect = [
|
shb.nginx.vhosts = [
|
||||||
{
|
{
|
||||||
autheliaRules = [
|
autheliaRules = [
|
||||||
{
|
{
|
||||||
|
|
|
@ -38,7 +38,7 @@ in
|
||||||
shb.backup = {};
|
shb.backup = {};
|
||||||
shb.nginx = {
|
shb.nginx = {
|
||||||
accessLog = false;
|
accessLog = false;
|
||||||
autheliaProtect = [];
|
vhosts = [];
|
||||||
debugLog = false;
|
debugLog = false;
|
||||||
};
|
};
|
||||||
services.nginx.enable = true;
|
services.nginx.enable = true;
|
||||||
|
@ -66,7 +66,7 @@ in
|
||||||
domain = "example.com";
|
domain = "example.com";
|
||||||
};
|
};
|
||||||
|
|
||||||
shb.nginx.autheliaProtect = [{
|
shb.nginx.vhosts = [{
|
||||||
subdomain = "my";
|
subdomain = "my";
|
||||||
domain = "example.com";
|
domain = "example.com";
|
||||||
ssl = config.shb.certs.certs.selfsigned."example.com";
|
ssl = config.shb.certs.certs.selfsigned."example.com";
|
||||||
|
|