fix authelia module after update

CHANGELOG.md

@@ -9,6 +9,10 @@
 - Bump Nextcloud default version from 27 to 28. Add support for version 29.
 - Deluge config breaks the authFile into an attrset of user to password file. Also deluge has tests now.
 - Nextcloud now configures the LDAP app to use the `user_id` from LLDAP as the user ID used in Nextcloud. This makes all source of user - internal, LDAP and SSO - agree on the user ID.
+- Authelia options changed:
+  - `shb.authelia.oidcClients.id` -> `shb.authelia.oidcClients.client_id`
+  - `shb.authelia.oidcClients.description` -> `shb.authelia.oidcClients.client_name`
+  - `shb.authelia.oidcClients.secret` -> `shb.authelia.oidcClients.client_secret`
 
 ## User Facing Backwards Compatible Changes
 

modules/blocks/authelia.nix

@@ -41,8 +41,8 @@ in
 
     ldapEndpoint = lib.mkOption {
       type = lib.types.str;
-      description = "Endpoint for LDAP authentication backend.";
+      description = "Endpoint of the LDAP authentication backend.";
-      example = "ldap.example.com";
+      example = "ldap://ldap.example.com:389";
     };
 
     dcdomain = lib.mkOption {
@@ -97,9 +97,9 @@ in
       description = "OIDC clients";
       default = [
         {
-          id = "dummy_client";
+          client_id = "dummy_client";
-          description = "Dummy Client so Authelia can start";
+          client_name = "Dummy Client so Authelia can start";
-          secret.source = pkgs.writeText "dummy.secret" "dummy_client_secret";
+          client_secret.source = pkgs.writeText "dummy.secret" "dummy_client_secret";
           public = false;
           authorization_policy = "one_factor";
           redirect_uris = [];
@@ -109,20 +109,33 @@ in
         freeformType = lib.types.attrsOf lib.types.anything;
 
         options = {
-          id = lib.mkOption {
+          client_id = lib.mkOption {
             type = lib.types.str;
             description = "Unique identifier of the OIDC client.";
           };
 
-          description = lib.mkOption {
+          client_name = lib.mkOption {
             type = lib.types.nullOr lib.types.str;
             description = "Human readable description of the OIDC client.";
             default = null;
           };
 
-          secret = lib.mkOption {
+          client_secret = lib.mkOption {
             type = shblib.secretFileType;
-            description = "File containing the shared secret with the OIDC client.";
+            description = ''
+            File containing the shared secret with the OIDC client.
+
+            Generate with:
+
+            ```
+            nix run nixpkgs#authelia -- \
+                crypto hash generate pbkdf2 \
+                --variant sha512 \
+                --random \
+                --random.length 72 \
+                --random.charset rfc3986
+            ```
+            '';
           };
 
           public = lib.mkOption {
@@ -278,8 +291,7 @@ in
         AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = lib.mkIf (!(builtins.isString cfg.smtp)) (toString cfg.smtp.passwordFile);
       };
       settings = {
-        server.host = "127.0.0.1";
+        server.address = "tcp://127.0.0.1:9091";
-        server.port = 9091;
 
         # Inspired from https://github.com/lldap/lldap/blob/7d1f5abc137821c500de99c94f7579761fc949d8/example_configs/authelia_config.yml
         authentication_backend = {
@@ -289,20 +301,22 @@ in
           };
           ldap = {
             implementation = "custom";
-            url = cfg.ldapEndpoint;
+            address = cfg.ldapEndpoint;
             timeout = "5s";
             start_tls = "false";
             base_dn = cfg.dcdomain;
-            username_attribute = "uid";
             additional_users_dn = "ou=people";
             # Sign in with username or email.
             users_filter = "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))";
             additional_groups_dn = "ou=groups";
             groups_filter = "(member={dn})";
-            group_name_attribute = "cn";
-            mail_attribute = "mail";
-            display_name_attribute = "displayName";
             user = "uid=admin,ou=people,${cfg.dcdomain}";
+            attributes = {
+              username = "uid";
+              group_name = "cn";
+              mail = "mail";
+              display_name = "displayName";
+            };
           };
         };
         totp = {
@@ -317,11 +331,14 @@ in
         # Inspired from https://www.authelia.com/configuration/session/introduction/ and https://www.authelia.com/configuration/session/redis
         session = {
           name = "authelia_session";
-          domain = if isNull cfg.port then cfg.domain else "${cfg.domain}:${toString cfg.port}";
+          cookies = [{
+            domain = if isNull cfg.port then cfg.domain else "${cfg.domain}:${toString cfg.port}";
+            authelia_url = "https://${cfg.subdomain}.${cfg.domain}";
+          }];
           same_site = "lax";
           expiration = "1h";
           inactivity = "5m";
-          remember_me_duration = "1M";
+          remember_me = "1M";
           redis = {
             host = config.services.redis.servers.authelia.unixSocket;
             port = 0;
@@ -329,10 +346,9 @@ in
         };
         storage = {
           postgres = {
-            host = "/run/postgresql";
+            address = "unix:///run/postgresql";
             username = autheliaCfg.user;
             database = autheliaCfg.user;
-            port = config.services.postgresql.port;
             # Uses peer auth for local users, so we don't need a password.
             password = "test";
           };
@@ -416,7 +432,7 @@ in
         proxy_set_header Connection "upgrade";
         proxy_cache_bypass $http_upgrade;
 
-        proxy_pass http://127.0.0.1:${toString autheliaCfg.settings.server.port};
+        proxy_pass http://127.0.0.1:9091;
         proxy_intercept_errors on;
         if ($request_method !~ ^(POST)$){
             error_page 401 = /error/401;
@@ -435,7 +451,7 @@ in
         add_header X-Permitted-Cross-Domain-Policies none;
 
         proxy_set_header Host $http_x_forwarded_host;
-        proxy_pass http://127.0.0.1:${toString autheliaCfg.settings.server.port};
+        proxy_pass http://127.0.0.1:9091;
         '';
     };
 

modules/services/audiobookshelf.nix

@@ -152,9 +152,9 @@ in
 
     shb.authelia.oidcClients = [
       {
-        id = cfg.oidcClientID;
+        client_id = cfg.oidcClientID;
-        description = "Audiobookshelf";
+        client_name = "Audiobookshelf";
-        secret.source = cfg.ssoSecretFile;
+        client_secret.source = cfg.ssoSecretFile;
         public = false;
         authorization_policy = "one_factor";
         redirect_uris = [ 

modules/services/jellyfin.nix

@@ -415,9 +415,9 @@ in
 
     shb.authelia.oidcClients = lib.lists.optionals (!(isNull cfg.sso)) [
       {
-        id = cfg.sso.clientID;
+        client_id = cfg.sso.clientID;
-        description = "Jellyfin";
+        client_name = "Jellyfin";
-        secret.source = cfg.sso.secretFile;
+        client_secret.source = cfg.sso.secretFile;
         public = false;
         authorization_policy = "one_factor";
         redirect_uris = [ "https://${cfg.subdomain}.${cfg.domain}/sso/OID/r/${cfg.sso.provider}" ];

modules/services/nextcloud-server.nix

@@ -977,9 +977,9 @@ in
 
       shb.authelia.oidcClients = lib.mkIf (cfg.apps.sso.provider == "Authelia") [
         {
-          id = cfg.apps.sso.clientID;
+          client_id = cfg.apps.sso.clientID;
-          description = "Nextcloud";
+          client_name = "Nextcloud";
-          secret.source = cfg.apps.sso.secretFileForAuthelia;
+          client_secret.source = cfg.apps.sso.secretFileForAuthelia;
           public = false;
           authorization_policy = cfg.apps.sso.authorization_policy;
           redirect_uris = [ "${protocol}://${fqdnWithPort}/apps/oidc_login/oidc" ];

test/blocks/authelia.nix

@@ -17,11 +17,21 @@ in
         ../../modules/blocks/postgresql.nix
       ];
 
+      networking.hosts = {
+        "127.0.0.1" = [
+          "machine.com"
+          "client1.machine.com"
+          "client2.machine.com"
+          "ldap.machine.com"
+          "authelia.machine.com"
+        ];
+      };
+
       shb.ldap = {
         enable = true;
         dcdomain = "dc=example,dc=com";
         subdomain = "ldap";
-        domain = "machine";
+        domain = "machine.com";
         ldapUserPasswordFile = pkgs.writeText "user_password" ldapAdminPassword;
         jwtSecretFile = pkgs.writeText "jwt_secret" "securejwtsecret";
       };
@@ -29,8 +39,8 @@ in
       shb.authelia = {
         enable = true;
         subdomain = "authelia";
-        domain = "machine";
+        domain = "machine.com";
-        ldapEndpoint = "ldap://127.0.0.1:${builtins.toString config.shb.ldap.ldapPort}";
+        ldapEndpoint = "ldap://${config.shb.ldap.subdomain}.${config.shb.ldap.domain}:${toString config.shb.ldap.ldapPort}";
         dcdomain = config.shb.ldap.dcdomain;
         secrets = {
           jwtSecretFile = pkgs.writeText "jwtSecretFile" "jwtSecretFile";
@@ -45,20 +55,20 @@ in
 
         oidcClients = [
           {
-            id = "client1";
+            client_id = "client1";
-            description = "My Client 1";
+            client_name = "My Client 1";
-            secret.source = pkgs.writeText "secret" "mysecuresecret";
+            client_secret.source = pkgs.writeText "secret" "$pbkdf2-sha512$310000$LR2wY11djfLrVQixdlLJew$rPByqFt6JfbIIAITxzAXckwh51QgV8E5YZmA8rXOzkMfBUcMq7cnOKEXF6MAFbjZaGf3J/B1OzLWZTCuZtALVw";
             public = false;
             authorization_policy = "one_factor";
-            redirect_uris = [ "http://client1.machine/redirect" ];
+            redirect_uris = [ "http://client1.machine.com/redirect" ];
           }
           {
-            id = "client2";
+            client_id = "client2";
-            description = "My Client 2";
+            client_name = "My Client 2";
-            secret.source = pkgs.writeText "secret" "myothersecret";
+            client_secret.source = pkgs.writeText "secret" "$pbkdf2-sha512$310000$76EqVU1N9K.iTOvD4WJ6ww$hqNJU.UHphiCjMChSqk27lUTjDqreuMuyV/u39Esc6HyiRXp5Ecx89ypJ5M0xk3Na97vbgDpwz7il5uwzQ4bfw";
             public = false;
             authorization_policy = "one_factor";
-            redirect_uris = [ "http://client2.machine/redirect" ];
+            redirect_uris = [ "http://client2.machine.com/redirect" ];
           }
         ];
       };
@@ -69,17 +79,17 @@ in
 
     start_all()
     machine.wait_for_unit("lldap.service")
-    machine.wait_for_unit("authelia-authelia.machine.service")
+    machine.wait_for_unit("authelia-authelia.machine.com.service")
-    machine.wait_for_open_port(${toString nodes.machine.services.authelia.instances."authelia.machine".settings.server.port})
+    machine.wait_for_open_port(9091)
 
-    endpoints = json.loads(machine.succeed("curl -s http://machine/.well-known/openid-configuration"))
+    endpoints = json.loads(machine.succeed("curl -s http://machine.com/.well-known/openid-configuration"))
     auth_endpoint = endpoints['authorization_endpoint']
 
     machine.succeed(
         "curl -f -s '"
         + auth_endpoint
         + "?client_id=other"
-        + "&redirect_uri=http://client1.machine/redirect"
+        + "&redirect_uri=http://client1.machine.com/redirect"
         + "&scope=openid%20profile%20email"
         + "&response_type=code"
         + "&state=99999999'"
@@ -89,7 +99,7 @@ in
         "curl -f -s '"
         + auth_endpoint
         + "?client_id=client1"
-        + "&redirect_uri=http://client1.machine/redirect"
+        + "&redirect_uri=http://client1.machine.com/redirect"
         + "&scope=openid%20profile%20email"
         + "&response_type=code"
         + "&state=11111111'"
@@ -99,7 +109,7 @@ in
         "curl -f -s '"
         + auth_endpoint
         + "?client_id=client2"
-        + "&redirect_uri=http://client2.machine/redirect"
+        + "&redirect_uri=http://client2.machine.com/redirect"
         + "&scope=openid%20profile%20email"
         + "&response_type=code"
         + "&state=22222222'"

test/common.nix

@@ -41,7 +41,8 @@ in
     )
     + lib.strings.concatMapStrings (p: ''server.wait_for_open_port(${toString p})'' + "\n") (
       waitForPorts args
-      ++ (lib.optionals redirectSSO [ nodes.server.services.authelia.instances."auth.${domain}".settings.server.port ] )
+      # TODO: when the SSO block exists, replace this hardcoded port.
+      ++ (lib.optionals redirectSSO [ 9091 /* nodes.server.services.authelia.instances."auth.${domain}".settings.server.port */ ] )
     )
     + lib.strings.concatMapStrings (u: ''server.wait_for_open_unix_socket("${u}")'' + "\n") (waitForUnixSocket args)
     + ''