diff --git a/CHANGELOG.md b/CHANGELOG.md
index 81c7d4b..9e187a5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,10 @@
 - Bump Nextcloud default version from 27 to 28. Add support for version 29.
 - Deluge config breaks the authFile into an attrset of user to password file. Also deluge has tests now.
 - Nextcloud now configures the LDAP app to use the `user_id` from LLDAP as the user ID used in Nextcloud. This makes all source of user - internal, LDAP and SSO - agree on the user ID.
+- Authelia options changed:
+  - `shb.authelia.oidcClients.id` -> `shb.authelia.oidcClients.client_id`
+  - `shb.authelia.oidcClients.description` -> `shb.authelia.oidcClients.client_name`
+  - `shb.authelia.oidcClients.secret` -> `shb.authelia.oidcClients.client_secret`
 
 ## User Facing Backwards Compatible Changes
 
diff --git a/modules/blocks/authelia.nix b/modules/blocks/authelia.nix
index 5669fa8..4f9acf5 100644
--- a/modules/blocks/authelia.nix
+++ b/modules/blocks/authelia.nix
@@ -41,8 +41,8 @@ in
 
     ldapEndpoint = lib.mkOption {
       type = lib.types.str;
-      description = "Endpoint for LDAP authentication backend.";
-      example = "ldap.example.com";
+      description = "Endpoint of the LDAP authentication backend.";
+      example = "ldap://ldap.example.com:389";
     };
 
     dcdomain = lib.mkOption {
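Review bot: The new example `ldap://ldap.example.com:389` shows a non-loopback host over cleartext LDAP, and the `ldap` settings hunk further down still sets `start_tls = "false"`. A user who copies the example sends the Authelia bind password and every user's login password over the network unencrypted. The description should say this and prefer the TLS form, e.g. `example = "ldaps://ldap.example.com:636";` plus a sentence such as `Use ldap:// only when the backend runs on the same host.` Whether the LDAP backend used here can serve LDAPS is not visible in this diff, so that part needs confirming.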
@@ -97,9 +97,9 @@ in
       description = "OIDC clients";
       default = [
         {
-          id = "dummy_client";
-          description = "Dummy Client so Authelia can start";
-          secret.source = pkgs.writeText "dummy.secret" "dummy_client_secret";
+          client_id = "dummy_client";
+          client_name = "Dummy Client so Authelia can start";
+          client_secret.source = pkgs.writeText "dummy.secret" "dummy_client_secret";
           public = false;
           authorization_policy = "one_factor";
           redirect_uris = [];
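Review bot: The default client keeps a publicly known plaintext secret, `"dummy_client_secret"`, while this same commit documents PBKDF2 digests for `client_secret` and converts the test clients to them. It presumably applies only when no client is configured, and `redirect_uris = []` limits what it can do, but it is still a confidential client whose secret anyone can read. The Authelia release that introduces the `client_*` keys may also warn about or reject unprefixed plaintext secrets, which cannot be verified from this diff. Either store a digest whose plaintext is discarded, or at least add a comment such as `# Placeholder client; its secret is public and must never be reused for a real client.` The default list continues past the end of the hunk.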
@@ -109,20 +109,33 @@ in
         freeformType = lib.types.attrsOf lib.types.anything;
 
         options = {
-          id = lib.mkOption {
+          client_id = lib.mkOption {
             type = lib.types.str;
             description = "Unique identifier of the OIDC client.";
           };
 
-          description = lib.mkOption {
+          client_name = lib.mkOption {
             type = lib.types.nullOr lib.types.str;
             description = "Human readable description of the OIDC client.";
             default = null;
           };
 
-          secret = lib.mkOption {
+          client_secret = lib.mkOption {
             type = shblib.secretFileType;
-            description = "File containing the shared secret with the OIDC client.";
+            description = ''
+            File containing the shared secret with the OIDC client.
+
+            Generate with:
+
+            ```
+            nix run nixpkgs#authelia -- \
+                crypto hash generate pbkdf2 \
+                --variant sha512 \
+                --random \
+                --random.length 72 \
+                --random.charset rfc3986
+            ```
+            '';
           };
 
           public = lib.mkOption {
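Review bot: The `client_secret` description still opens with "File containing the shared secret", but the command it now recommends prints both a random password and a PBKDF2 digest, and the test changes in this commit put the `$pbkdf2-sha512$…` digest in the file. A reader cannot tell which of the two values belongs here, and putting the plaintext in a `pkgs.writeText`-style source would leave it readable in the Nix store. I would reword it to `File containing the PBKDF2 digest of the shared secret. The client application is configured with the matching plaintext, which must not be stored in this file.` Separately, `client_name` keeps the old text "Human readable description of the OIDC client." and would read better as `Human readable name of the OIDC client.`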
@@ -278,8 +291,7 @@ in
         AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = lib.mkIf (!(builtins.isString cfg.smtp)) (toString cfg.smtp.passwordFile);
       };
       settings = {
-        server.host = "127.0.0.1";
-        server.port = 9091;
+        server.address = "tcp://127.0.0.1:9091";
 
         # Inspired from https://github.com/lldap/lldap/blob/7d1f5abc137821c500de99c94f7579761fc949d8/example_configs/authelia_config.yml
         authentication_backend = {
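Review bot: The listen port 9091 is now a bare literal in `server.address` here, in both `proxy_pass http://127.0.0.1:9091;` lines in the nginx hunks below, and in the wait-for-port calls in `test/blocks/authelia.nix` and `test/common.nix`. Previously `proxy_pass` was derived from the Authelia settings, so the two could not drift apart. If `server.address` is ever overridden or changed, nginx will keep forwarding authentication requests, with their credentials and session cookies, to whatever listens on 9091 locally. A single binding keeps them in step: `listenPort = 9091;` in the module's `let` block, then `server.address = "tcp://127.0.0.1:${toString listenPort}";` and `proxy_pass http://127.0.0.1:${toString listenPort};`. The `let` block is outside the visible hunks.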
@@ -289,20 +301,22 @@ in
           };
           ldap = {
             implementation = "custom";
-            url = cfg.ldapEndpoint;
+            address = cfg.ldapEndpoint;
             timeout = "5s";
             start_tls = "false";
             base_dn = cfg.dcdomain;
-            username_attribute = "uid";
             additional_users_dn = "ou=people";
             # Sign in with username or email.
             users_filter = "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))";
             additional_groups_dn = "ou=groups";
             groups_filter = "(member={dn})";
-            group_name_attribute = "cn";
-            mail_attribute = "mail";
-            display_name_attribute = "displayName";
             user = "uid=admin,ou=people,${cfg.dcdomain}";
+            attributes = {
+              username = "uid";
+              group_name = "cn";
+              mail = "mail";
+              display_name = "displayName";
+            };
           };
         };
         totp = {
@@ -317,11 +331,14 @@ in
         # Inspired from https://www.authelia.com/configuration/session/introduction/ and https://www.authelia.com/configuration/session/redis
         session = {
           name = "authelia_session";
-          domain = if isNull cfg.port then cfg.domain else "${cfg.domain}:${toString cfg.port}";
+          cookies = [{
+            domain = if isNull cfg.port then cfg.domain else "${cfg.domain}:${toString cfg.port}";
+            authelia_url = "https://${cfg.subdomain}.${cfg.domain}";
+          }];
           same_site = "lax";
           expiration = "1h";
           inactivity = "5m";
-          remember_me_duration = "1M";
+          remember_me = "1M";
           redis = {
             host = config.services.redis.servers.authelia.unixSocket;
             port = 0;
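Review bot: `authelia_url` ignores `cfg.port` while the `domain` line directly above it appends the port, so with a non-null port the two values of the same cookie entry disagree. A cookie Domain attribute carries no port (RFC 6265), so `"${cfg.domain}:${toString cfg.port}"` is likely to be rejected by Authelia's validation or ignored by browsers. The port belongs in the URL instead. Suggested: `domain = cfg.domain;` and `authelia_url = "https://${cfg.subdomain}.${cfg.domain}" + lib.optionalString (!(isNull cfg.port)) ":${toString cfg.port}";`. The `session` block starts and ends outside this hunk.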
@@ -329,10 +346,9 @@ in
         };
         storage = {
           postgres = {
-            host = "/run/postgresql";
+            address = "unix:///run/postgresql";
             username = autheliaCfg.user;
             database = autheliaCfg.user;
-            port = config.services.postgresql.port;
             # Uses peer auth for local users, so we don't need a password.
             password = "test";
           };
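Review bot: `password = "test"` stays in the settings after the switch to `address = "unix:///run/postgresql"`, and the comment above it does not say the value is a throwaway. It is harmless only while peer authentication over the socket is in effect. If `address` is later pointed at a TCP endpoint it becomes the real database credential, presumably rendered into a world-readable store path. I would reword the comment to `# Placeholder: ignored under peer auth on the unix socket. Replace with a secret file before using a tcp:// address.`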
@@ -416,7 +432,7 @@ in
         proxy_set_header Connection "upgrade";
         proxy_cache_bypass $http_upgrade;
 
-        proxy_pass http://127.0.0.1:${toString autheliaCfg.settings.server.port};
+        proxy_pass http://127.0.0.1:9091;
         proxy_intercept_errors on;
         if ($request_method !~ ^(POST)$){
             error_page 401 = /error/401;
@@ -435,7 +451,7 @@ in
         add_header X-Permitted-Cross-Domain-Policies none;
 
         proxy_set_header Host $http_x_forwarded_host;
-        proxy_pass http://127.0.0.1:${toString autheliaCfg.settings.server.port};
+        proxy_pass http://127.0.0.1:9091;
         '';
     };
 
diff --git a/modules/services/audiobookshelf.nix b/modules/services/audiobookshelf.nix
index 969a87b..ffa06f5 100644
--- a/modules/services/audiobookshelf.nix
+++ b/modules/services/audiobookshelf.nix
@@ -152,9 +152,9 @@ in
 
     shb.authelia.oidcClients = [
       {
-        id = cfg.oidcClientID;
-        description = "Audiobookshelf";
-        secret.source = cfg.ssoSecretFile;
+        client_id = cfg.oidcClientID;
+        client_name = "Audiobookshelf";
+        client_secret.source = cfg.ssoSecretFile;
         public = false;
         authorization_policy = "one_factor";
         redirect_uris = [ 
diff --git a/modules/services/jellyfin.nix b/modules/services/jellyfin.nix
index 3a9511c..c5cda7a 100644
--- a/modules/services/jellyfin.nix
+++ b/modules/services/jellyfin.nix
@@ -415,9 +415,9 @@ in
 
     shb.authelia.oidcClients = lib.lists.optionals (!(isNull cfg.sso)) [
       {
-        id = cfg.sso.clientID;
-        description = "Jellyfin";
-        secret.source = cfg.sso.secretFile;
+        client_id = cfg.sso.clientID;
+        client_name = "Jellyfin";
+        client_secret.source = cfg.sso.secretFile;
         public = false;
         authorization_policy = "one_factor";
         redirect_uris = [ "https://${cfg.subdomain}.${cfg.domain}/sso/OID/r/${cfg.sso.provider}" ];
diff --git a/modules/services/nextcloud-server.nix b/modules/services/nextcloud-server.nix
index e7b6917..ee0208b 100644
--- a/modules/services/nextcloud-server.nix
+++ b/modules/services/nextcloud-server.nix
@@ -977,9 +977,9 @@ in
 
       shb.authelia.oidcClients = lib.mkIf (cfg.apps.sso.provider == "Authelia") [
         {
-          id = cfg.apps.sso.clientID;
-          description = "Nextcloud";
-          secret.source = cfg.apps.sso.secretFileForAuthelia;
+          client_id = cfg.apps.sso.clientID;
+          client_name = "Nextcloud";
+          client_secret.source = cfg.apps.sso.secretFileForAuthelia;
           public = false;
           authorization_policy = cfg.apps.sso.authorization_policy;
           redirect_uris = [ "${protocol}://${fqdnWithPort}/apps/oidc_login/oidc" ];
diff --git a/test/blocks/authelia.nix b/test/blocks/authelia.nix
index d1c9df0..07b6928 100644
--- a/test/blocks/authelia.nix
+++ b/test/blocks/authelia.nix
@@ -17,11 +17,21 @@ in
         ../../modules/blocks/postgresql.nix
       ];
 
+      networking.hosts = {
+        "127.0.0.1" = [
+          "machine.com"
+          "client1.machine.com"
+          "client2.machine.com"
+          "ldap.machine.com"
+          "authelia.machine.com"
+        ];
+      };
+
       shb.ldap = {
         enable = true;
         dcdomain = "dc=example,dc=com";
         subdomain = "ldap";
-        domain = "machine";
+        domain = "machine.com";
         ldapUserPasswordFile = pkgs.writeText "user_password" ldapAdminPassword;
         jwtSecretFile = pkgs.writeText "jwt_secret" "securejwtsecret";
       };
@@ -29,8 +39,8 @@ in
       shb.authelia = {
         enable = true;
         subdomain = "authelia";
-        domain = "machine";
-        ldapEndpoint = "ldap://127.0.0.1:${builtins.toString config.shb.ldap.ldapPort}";
+        domain = "machine.com";
+        ldapEndpoint = "ldap://${config.shb.ldap.subdomain}.${config.shb.ldap.domain}:${toString config.shb.ldap.ldapPort}";
         dcdomain = config.shb.ldap.dcdomain;
         secrets = {
           jwtSecretFile = pkgs.writeText "jwtSecretFile" "jwtSecretFile";
@@ -45,20 +55,20 @@ in
 
         oidcClients = [
           {
-            id = "client1";
-            description = "My Client 1";
-            secret.source = pkgs.writeText "secret" "mysecuresecret";
+            client_id = "client1";
+            client_name = "My Client 1";
+            client_secret.source = pkgs.writeText "secret" "$pbkdf2-sha512$310000$LR2wY11djfLrVQixdlLJew$rPByqFt6JfbIIAITxzAXckwh51QgV8E5YZmA8rXOzkMfBUcMq7cnOKEXF6MAFbjZaGf3J/B1OzLWZTCuZtALVw";
             public = false;
             authorization_policy = "one_factor";
-            redirect_uris = [ "http://client1.machine/redirect" ];
+            redirect_uris = [ "http://client1.machine.com/redirect" ];
           }
           {
-            id = "client2";
-            description = "My Client 2";
-            secret.source = pkgs.writeText "secret" "myothersecret";
+            client_id = "client2";
+            client_name = "My Client 2";
+            client_secret.source = pkgs.writeText "secret" "$pbkdf2-sha512$310000$76EqVU1N9K.iTOvD4WJ6ww$hqNJU.UHphiCjMChSqk27lUTjDqreuMuyV/u39Esc6HyiRXp5Ecx89ypJ5M0xk3Na97vbgDpwz7il5uwzQ4bfw";
             public = false;
             authorization_policy = "one_factor";
-            redirect_uris = [ "http://client2.machine/redirect" ];
+            redirect_uris = [ "http://client2.machine.com/redirect" ];
           }
         ];
       };
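Review bot: The two `$pbkdf2-sha512$…` digests are opaque, because nothing records the plaintext they were derived from. As far as the visible hunks show, the test script only calls the authorization endpoint, so the secrets are never checked against a client. A wrong or truncated digest would therefore pass as long as Authelia accepts its format at start-up. Add a comment above each one, e.g. `# digest of the test-only secret "<PLAINTEXT_PLACEHOLDER>", generated with authelia crypto hash generate pbkdf2 --variant sha512`, so a later token-endpoint check can be written against known values.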
@@ -69,17 +79,17 @@ in
 
     start_all()
     machine.wait_for_unit("lldap.service")
-    machine.wait_for_unit("authelia-authelia.machine.service")
-    machine.wait_for_open_port(${toString nodes.machine.services.authelia.instances."authelia.machine".settings.server.port})
+    machine.wait_for_unit("authelia-authelia.machine.com.service")
+    machine.wait_for_open_port(9091)
 
-    endpoints = json.loads(machine.succeed("curl -s http://machine/.well-known/openid-configuration"))
+    endpoints = json.loads(machine.succeed("curl -s http://machine.com/.well-known/openid-configuration"))
     auth_endpoint = endpoints['authorization_endpoint']
 
     machine.succeed(
         "curl -f -s '"
         + auth_endpoint
         + "?client_id=other"
-        + "&redirect_uri=http://client1.machine/redirect"
+        + "&redirect_uri=http://client1.machine.com/redirect"
         + "&scope=openid%20profile%20email"
         + "&response_type=code"
         + "&state=99999999'"
@@ -89,7 +99,7 @@ in
         "curl -f -s '"
         + auth_endpoint
         + "?client_id=client1"
-        + "&redirect_uri=http://client1.machine/redirect"
+        + "&redirect_uri=http://client1.machine.com/redirect"
         + "&scope=openid%20profile%20email"
         + "&response_type=code"
         + "&state=11111111'"
@@ -99,7 +109,7 @@ in
         "curl -f -s '"
         + auth_endpoint
         + "?client_id=client2"
-        + "&redirect_uri=http://client2.machine/redirect"
+        + "&redirect_uri=http://client2.machine.com/redirect"
         + "&scope=openid%20profile%20email"
         + "&response_type=code"
         + "&state=22222222'"
diff --git a/test/common.nix b/test/common.nix
index d1ed745..3533b26 100644
--- a/test/common.nix
+++ b/test/common.nix
@@ -41,7 +41,8 @@ in
     )
     + lib.strings.concatMapStrings (p: ''server.wait_for_open_port(${toString p})'' + "\n") (
       waitForPorts args
-      ++ (lib.optionals redirectSSO [ nodes.server.services.authelia.instances."auth.${domain}".settings.server.port ] )
+      # TODO: when the SSO block exists, replace this hardcoded port.
+      ++ (lib.optionals redirectSSO [ 9091 /* nodes.server.services.authelia.instances."auth.${domain}".settings.server.port */ ] )
     )
     + lib.strings.concatMapStrings (u: ''server.wait_for_open_unix_socket("${u}")'' + "\n") (waitForUnixSocket args)
     + ''