flake.lock: Update (#244)
Automated changes by the [update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock) GitHub Action. ``` Flake lock file updates: • Updated input 'nixpkgs': 'github:nixos/nixpkgs/9ca3f649614213b2aaf5f1e16ec06952fe4c2632?narHash=sha256-7EXDb5WBw%2Bd004Agt%2BJHC/Oyh/KTUglOaQ4MNjBbo5w%3D' (2024-05-27) → 'github:nixos/nixpkgs/71e91c409d1e654808b2621f28a327acfdad8dc2?narHash=sha256-GnR7/ibgIH1vhoy8cYdmXE6iyZqKqFxQSVkFgosBh6w%3D' (2024-08-28) ``` ### Running GitHub Actions on this PR GitHub Actions will not run workflows on pull requests which are opened by a GitHub Action. To run GitHub Actions workflows on this PR, run: ```sh git branch -D update_flake_lock_action git fetch origin git checkout update_flake_lock_action git commit --amend --no-edit git push origin update_flake_lock_action --force ``` --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
parent
1774b61cfe
commit
eb791b3019
14 changed files with 121 additions and 72 deletions
|
@ -9,6 +9,11 @@
|
||||||
- Bump Nextcloud default version from 27 to 28. Add support for version 29.
|
- Bump Nextcloud default version from 27 to 28. Add support for version 29.
|
||||||
- Deluge config breaks the authFile into an attrset of user to password file. Also deluge has tests now.
|
- Deluge config breaks the authFile into an attrset of user to password file. Also deluge has tests now.
|
||||||
- Nextcloud now configures the LDAP app to use the `user_id` from LLDAP as the user ID used in Nextcloud. This makes all source of user - internal, LDAP and SSO - agree on the user ID.
|
- Nextcloud now configures the LDAP app to use the `user_id` from LLDAP as the user ID used in Nextcloud. This makes all source of user - internal, LDAP and SSO - agree on the user ID.
|
||||||
|
- Authelia options changed:
|
||||||
|
- `shb.authelia.oidcClients.id` -> `shb.authelia.oidcClients.client_id`
|
||||||
|
- `shb.authelia.oidcClients.description` -> `shb.authelia.oidcClients.client_name`
|
||||||
|
- `shb.authelia.oidcClients.secret` -> `shb.authelia.oidcClients.client_secret`
|
||||||
|
- Vaultwarden data folder changed to `/var/lib/vaultwarden`.
|
||||||
|
|
||||||
## User Facing Backwards Compatible Changes
|
## User Facing Backwards Compatible Changes
|
||||||
|
|
||||||
|
|
|
@ -21,8 +21,6 @@ gets updated. I intend to upstream to nixpkgs as much of those as makes sense.
|
||||||
Run all tests:
|
Run all tests:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
$ nix build .#checks.${system}.all
|
|
||||||
# or
|
|
||||||
$ nix flake check
|
$ nix flake check
|
||||||
# or
|
# or
|
||||||
$ nix run github:Mic92/nix-fast-build -- --skip-cached --flake ".#checks.$(nix eval --raw --impure --expr builtins.currentSystem)"
|
$ nix run github:Mic92/nix-fast-build -- --skip-cached --flake ".#checks.$(nix eval --raw --impure --expr builtins.currentSystem)"
|
||||||
|
|
|
@ -35,11 +35,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1716769173,
|
"lastModified": 1724819573,
|
||||||
"narHash": "sha256-7EXDb5WBw+d004Agt+JHC/Oyh/KTUglOaQ4MNjBbo5w=",
|
"narHash": "sha256-GnR7/ibgIH1vhoy8cYdmXE6iyZqKqFxQSVkFgosBh6w=",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "9ca3f649614213b2aaf5f1e16ec06952fe4c2632",
|
"rev": "71e91c409d1e654808b2621f28a327acfdad8dc2",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
17
flake.nix
17
flake.nix
|
@ -15,14 +15,11 @@
|
||||||
let
|
let
|
||||||
originPkgs = nixpkgs.legacyPackages.${system};
|
originPkgs = nixpkgs.legacyPackages.${system};
|
||||||
patches = [
|
patches = [
|
||||||
(originPkgs.fetchpatch {
|
# Leaving commented out for an example.
|
||||||
url = "https://patch-diff.githubusercontent.com/raw/NixOS/nixpkgs/pull/315018.patch";
|
# (originPkgs.fetchpatch {
|
||||||
hash = "sha256-8jcGyO/d+htfv/ZajxXh89S3OiDZAr7/fsWC1JpGczM=";
|
# url = "https://github.com/NixOS/nixpkgs/pull/317107.patch";
|
||||||
})
|
# hash = "sha256-hoLrqV7XtR1hP/m0rV9hjYUBtrSjay0qcPUYlKKuVWk=";
|
||||||
(originPkgs.fetchpatch {
|
# })
|
||||||
url = "https://github.com/NixOS/nixpkgs/pull/317107.patch";
|
|
||||||
hash = "sha256-hoLrqV7XtR1hP/m0rV9hjYUBtrSjay0qcPUYlKKuVWk=";
|
|
||||||
})
|
|
||||||
];
|
];
|
||||||
patchedNixpkgs = originPkgs.applyPatches {
|
patchedNixpkgs = originPkgs.applyPatches {
|
||||||
name = "nixpkgs-patched";
|
name = "nixpkgs-patched";
|
||||||
|
@ -99,10 +96,6 @@
|
||||||
|
|
||||||
shblib = pkgs.callPackage ./lib {};
|
shblib = pkgs.callPackage ./lib {};
|
||||||
in (rec {
|
in (rec {
|
||||||
all = mergeTests [
|
|
||||||
modules
|
|
||||||
];
|
|
||||||
|
|
||||||
modules = shblib.check {
|
modules = shblib.check {
|
||||||
inherit pkgs;
|
inherit pkgs;
|
||||||
tests =
|
tests =
|
||||||
|
|
|
@ -41,8 +41,8 @@ in
|
||||||
|
|
||||||
ldapEndpoint = lib.mkOption {
|
ldapEndpoint = lib.mkOption {
|
||||||
type = lib.types.str;
|
type = lib.types.str;
|
||||||
description = "Endpoint for LDAP authentication backend.";
|
description = "Endpoint of the LDAP authentication backend.";
|
||||||
example = "ldap.example.com";
|
example = "ldap://ldap.example.com:389";
|
||||||
};
|
};
|
||||||
|
|
||||||
dcdomain = lib.mkOption {
|
dcdomain = lib.mkOption {
|
||||||
|
@ -97,9 +97,9 @@ in
|
||||||
description = "OIDC clients";
|
description = "OIDC clients";
|
||||||
default = [
|
default = [
|
||||||
{
|
{
|
||||||
id = "dummy_client";
|
client_id = "dummy_client";
|
||||||
description = "Dummy Client so Authelia can start";
|
client_name = "Dummy Client so Authelia can start";
|
||||||
secret.source = pkgs.writeText "dummy.secret" "dummy_client_secret";
|
client_secret.source = pkgs.writeText "dummy.secret" "dummy_client_secret";
|
||||||
public = false;
|
public = false;
|
||||||
authorization_policy = "one_factor";
|
authorization_policy = "one_factor";
|
||||||
redirect_uris = [];
|
redirect_uris = [];
|
||||||
|
@ -109,20 +109,33 @@ in
|
||||||
freeformType = lib.types.attrsOf lib.types.anything;
|
freeformType = lib.types.attrsOf lib.types.anything;
|
||||||
|
|
||||||
options = {
|
options = {
|
||||||
id = lib.mkOption {
|
client_id = lib.mkOption {
|
||||||
type = lib.types.str;
|
type = lib.types.str;
|
||||||
description = "Unique identifier of the OIDC client.";
|
description = "Unique identifier of the OIDC client.";
|
||||||
};
|
};
|
||||||
|
|
||||||
description = lib.mkOption {
|
client_name = lib.mkOption {
|
||||||
type = lib.types.nullOr lib.types.str;
|
type = lib.types.nullOr lib.types.str;
|
||||||
description = "Human readable description of the OIDC client.";
|
description = "Human readable description of the OIDC client.";
|
||||||
default = null;
|
default = null;
|
||||||
};
|
};
|
||||||
|
|
||||||
secret = lib.mkOption {
|
client_secret = lib.mkOption {
|
||||||
type = shblib.secretFileType;
|
type = shblib.secretFileType;
|
||||||
description = "File containing the shared secret with the OIDC client.";
|
description = ''
|
||||||
|
File containing the shared secret with the OIDC client.
|
||||||
|
|
||||||
|
Generate with:
|
||||||
|
|
||||||
|
```
|
||||||
|
nix run nixpkgs#authelia -- \
|
||||||
|
crypto hash generate pbkdf2 \
|
||||||
|
--variant sha512 \
|
||||||
|
--random \
|
||||||
|
--random.length 72 \
|
||||||
|
--random.charset rfc3986
|
||||||
|
```
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
public = lib.mkOption {
|
public = lib.mkOption {
|
||||||
|
@ -278,8 +291,7 @@ in
|
||||||
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = lib.mkIf (!(builtins.isString cfg.smtp)) (toString cfg.smtp.passwordFile);
|
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = lib.mkIf (!(builtins.isString cfg.smtp)) (toString cfg.smtp.passwordFile);
|
||||||
};
|
};
|
||||||
settings = {
|
settings = {
|
||||||
server.host = "127.0.0.1";
|
server.address = "tcp://127.0.0.1:9091";
|
||||||
server.port = 9091;
|
|
||||||
|
|
||||||
# Inspired from https://github.com/lldap/lldap/blob/7d1f5abc137821c500de99c94f7579761fc949d8/example_configs/authelia_config.yml
|
# Inspired from https://github.com/lldap/lldap/blob/7d1f5abc137821c500de99c94f7579761fc949d8/example_configs/authelia_config.yml
|
||||||
authentication_backend = {
|
authentication_backend = {
|
||||||
|
@ -289,20 +301,22 @@ in
|
||||||
};
|
};
|
||||||
ldap = {
|
ldap = {
|
||||||
implementation = "custom";
|
implementation = "custom";
|
||||||
url = cfg.ldapEndpoint;
|
address = cfg.ldapEndpoint;
|
||||||
timeout = "5s";
|
timeout = "5s";
|
||||||
start_tls = "false";
|
start_tls = "false";
|
||||||
base_dn = cfg.dcdomain;
|
base_dn = cfg.dcdomain;
|
||||||
username_attribute = "uid";
|
|
||||||
additional_users_dn = "ou=people";
|
additional_users_dn = "ou=people";
|
||||||
# Sign in with username or email.
|
# Sign in with username or email.
|
||||||
users_filter = "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))";
|
users_filter = "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))";
|
||||||
additional_groups_dn = "ou=groups";
|
additional_groups_dn = "ou=groups";
|
||||||
groups_filter = "(member={dn})";
|
groups_filter = "(member={dn})";
|
||||||
group_name_attribute = "cn";
|
|
||||||
mail_attribute = "mail";
|
|
||||||
display_name_attribute = "displayName";
|
|
||||||
user = "uid=admin,ou=people,${cfg.dcdomain}";
|
user = "uid=admin,ou=people,${cfg.dcdomain}";
|
||||||
|
attributes = {
|
||||||
|
username = "uid";
|
||||||
|
group_name = "cn";
|
||||||
|
mail = "mail";
|
||||||
|
display_name = "displayName";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
totp = {
|
totp = {
|
||||||
|
@ -317,11 +331,14 @@ in
|
||||||
# Inspired from https://www.authelia.com/configuration/session/introduction/ and https://www.authelia.com/configuration/session/redis
|
# Inspired from https://www.authelia.com/configuration/session/introduction/ and https://www.authelia.com/configuration/session/redis
|
||||||
session = {
|
session = {
|
||||||
name = "authelia_session";
|
name = "authelia_session";
|
||||||
|
cookies = [{
|
||||||
domain = if isNull cfg.port then cfg.domain else "${cfg.domain}:${toString cfg.port}";
|
domain = if isNull cfg.port then cfg.domain else "${cfg.domain}:${toString cfg.port}";
|
||||||
|
authelia_url = "https://${cfg.subdomain}.${cfg.domain}";
|
||||||
|
}];
|
||||||
same_site = "lax";
|
same_site = "lax";
|
||||||
expiration = "1h";
|
expiration = "1h";
|
||||||
inactivity = "5m";
|
inactivity = "5m";
|
||||||
remember_me_duration = "1M";
|
remember_me = "1M";
|
||||||
redis = {
|
redis = {
|
||||||
host = config.services.redis.servers.authelia.unixSocket;
|
host = config.services.redis.servers.authelia.unixSocket;
|
||||||
port = 0;
|
port = 0;
|
||||||
|
@ -329,10 +346,9 @@ in
|
||||||
};
|
};
|
||||||
storage = {
|
storage = {
|
||||||
postgres = {
|
postgres = {
|
||||||
host = "/run/postgresql";
|
address = "unix:///run/postgresql";
|
||||||
username = autheliaCfg.user;
|
username = autheliaCfg.user;
|
||||||
database = autheliaCfg.user;
|
database = autheliaCfg.user;
|
||||||
port = config.services.postgresql.port;
|
|
||||||
# Uses peer auth for local users, so we don't need a password.
|
# Uses peer auth for local users, so we don't need a password.
|
||||||
password = "test";
|
password = "test";
|
||||||
};
|
};
|
||||||
|
@ -416,7 +432,7 @@ in
|
||||||
proxy_set_header Connection "upgrade";
|
proxy_set_header Connection "upgrade";
|
||||||
proxy_cache_bypass $http_upgrade;
|
proxy_cache_bypass $http_upgrade;
|
||||||
|
|
||||||
proxy_pass http://127.0.0.1:${toString autheliaCfg.settings.server.port};
|
proxy_pass http://127.0.0.1:9091;
|
||||||
proxy_intercept_errors on;
|
proxy_intercept_errors on;
|
||||||
if ($request_method !~ ^(POST)$){
|
if ($request_method !~ ^(POST)$){
|
||||||
error_page 401 = /error/401;
|
error_page 401 = /error/401;
|
||||||
|
@ -435,7 +451,7 @@ in
|
||||||
add_header X-Permitted-Cross-Domain-Policies none;
|
add_header X-Permitted-Cross-Domain-Policies none;
|
||||||
|
|
||||||
proxy_set_header Host $http_x_forwarded_host;
|
proxy_set_header Host $http_x_forwarded_host;
|
||||||
proxy_pass http://127.0.0.1:${toString autheliaCfg.settings.server.port};
|
proxy_pass http://127.0.0.1:9091;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
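Review bot: The new `example = "ldap://ldap.example.com:389"` for `ldapEndpoint` shows a remote host over plain `ldap://`, while the `ldap` block in the `@ -289,20 +301,22 @@` hunk (whose enclosing `settings` attrset starts outside the hunk) keeps `start_tls = "false"` and binds as `uid=admin,ou=people,…`, so a deployment that copies the example sends the admin bind password and every user's login credentials across the network unencrypted. I would say so in the option and prefer the TLS form in the example: `description = "Endpoint of the LDAP authentication backend, as a URL. start_tls is not enabled, so use ldaps:// or a loopback address; a plain ldap:// endpoint on another host transmits the bind password and user passwords in clear text.";` and `example = "ldaps://ldap.example.com:636";`. Separately, `9091` is now spelled out in `server.address` and in both nginx `proxy_pass` lines of this file; a single `let` binding for the port would keep them from drifting.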
@ -288,6 +288,14 @@ in
|
||||||
hash = "sha256-79hK7axHf6soku5DvdXkE/0K4WKc4pnS9VMbVc1FS2I=";
|
hash = "sha256-79hK7axHf6soku5DvdXkE/0K4WKc4pnS9VMbVc1FS2I=";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
subPackages = [
|
||||||
|
"cmd/loki"
|
||||||
|
"cmd/loki-canary"
|
||||||
|
"clients/cmd/promtail"
|
||||||
|
"cmd/logcli"
|
||||||
|
# Removes "cmd/lokitool"
|
||||||
|
];
|
||||||
|
|
||||||
ldflags = let t = "github.com/grafana/loki/pkg/util/build"; in [
|
ldflags = let t = "github.com/grafana/loki/pkg/util/build"; in [
|
||||||
"-s"
|
"-s"
|
||||||
"-w"
|
"-w"
|
||||||
|
|
|
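Review bot: The `# Removes "cmd/lokitool"` line inside the new `subPackages` list records the effect of the list but not the reason, which is what the next person bumping loki needs in order to decide whether the exclusion still applies. I would replace it with a comment naming the cause, e.g. `# "cmd/lokitool" is deliberately left out: <reason>` — the reason is not visible in this hunk, so it has to come from the author.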
@ -152,9 +152,9 @@ in
|
||||||
|
|
||||||
shb.authelia.oidcClients = [
|
shb.authelia.oidcClients = [
|
||||||
{
|
{
|
||||||
id = cfg.oidcClientID;
|
client_id = cfg.oidcClientID;
|
||||||
description = "Audiobookshelf";
|
client_name = "Audiobookshelf";
|
||||||
secret.source = cfg.ssoSecretFile;
|
client_secret.source = cfg.ssoSecretFile;
|
||||||
public = false;
|
public = false;
|
||||||
authorization_policy = "one_factor";
|
authorization_policy = "one_factor";
|
||||||
redirect_uris = [
|
redirect_uris = [
|
||||||
|
|
|
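Review bot: `client_secret.source = cfg.ssoSecretFile;` now feeds Authelia a value that, judging by the updated test in this commit (`client_secret.source = pkgs.writeText "secret" "$pbkdf2-sha512$…"`), is expected to be a password hash rather than the plaintext the relying party is configured with. If `ssoSecretFile` is also what Audiobookshelf itself reads (its option definition is outside this hunk), the two consumers now need different contents, and a user who keeps a single plaintext file will presumably fail to authenticate. Worth documenting on the option, e.g. `description = "File containing the OIDC client secret in the hashed form Authelia expects (see shb.authelia.oidcClients.client_secret); the plaintext is what the client side is configured with.";`, or splitting it the way the Nextcloud hunk at `@ -977,9 +977,9 @@` does with `secretFileForAuthelia`. The same applies to the Jellyfin hunk at `@ -415,9 +415,9 @@` (`cfg.sso.secretFile`).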
@ -415,9 +415,9 @@ in
|
||||||
|
|
||||||
shb.authelia.oidcClients = lib.lists.optionals (!(isNull cfg.sso)) [
|
shb.authelia.oidcClients = lib.lists.optionals (!(isNull cfg.sso)) [
|
||||||
{
|
{
|
||||||
id = cfg.sso.clientID;
|
client_id = cfg.sso.clientID;
|
||||||
description = "Jellyfin";
|
client_name = "Jellyfin";
|
||||||
secret.source = cfg.sso.secretFile;
|
client_secret.source = cfg.sso.secretFile;
|
||||||
public = false;
|
public = false;
|
||||||
authorization_policy = "one_factor";
|
authorization_policy = "one_factor";
|
||||||
redirect_uris = [ "https://${cfg.subdomain}.${cfg.domain}/sso/OID/r/${cfg.sso.provider}" ];
|
redirect_uris = [ "https://${cfg.subdomain}.${cfg.domain}/sso/OID/r/${cfg.sso.provider}" ];
|
||||||
|
|
|
@ -977,9 +977,9 @@ in
|
||||||
|
|
||||||
shb.authelia.oidcClients = lib.mkIf (cfg.apps.sso.provider == "Authelia") [
|
shb.authelia.oidcClients = lib.mkIf (cfg.apps.sso.provider == "Authelia") [
|
||||||
{
|
{
|
||||||
id = cfg.apps.sso.clientID;
|
client_id = cfg.apps.sso.clientID;
|
||||||
description = "Nextcloud";
|
client_name = "Nextcloud";
|
||||||
secret.source = cfg.apps.sso.secretFileForAuthelia;
|
client_secret.source = cfg.apps.sso.secretFileForAuthelia;
|
||||||
public = false;
|
public = false;
|
||||||
authorization_policy = cfg.apps.sso.authorization_policy;
|
authorization_policy = cfg.apps.sso.authorization_policy;
|
||||||
redirect_uris = [ "${protocol}://${fqdnWithPort}/apps/oidc_login/oidc" ];
|
redirect_uris = [ "${protocol}://${fqdnWithPort}/apps/oidc_login/oidc" ];
|
||||||
|
|
|
@ -8,7 +8,7 @@ let
|
||||||
|
|
||||||
fqdn = "${cfg.subdomain}.${cfg.domain}";
|
fqdn = "${cfg.subdomain}.${cfg.domain}";
|
||||||
|
|
||||||
dataFolder = "/var/lib/bitwarden_rs";
|
dataFolder = "/var/lib/vaultwarden";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.shb.vaultwarden = {
|
options.shb.vaultwarden = {
|
||||||
|
@ -152,7 +152,6 @@ in
|
||||||
enable = true;
|
enable = true;
|
||||||
dbBackend = "postgresql";
|
dbBackend = "postgresql";
|
||||||
config = {
|
config = {
|
||||||
DATA_FOLDER = dataFolder;
|
|
||||||
IP_HEADER = "X-Real-IP";
|
IP_HEADER = "X-Real-IP";
|
||||||
SIGNUPS_ALLOWED = false;
|
SIGNUPS_ALLOWED = false;
|
||||||
# Disabled because the /admin path is protected by SSO
|
# Disabled because the /admin path is protected by SSO
|
||||||
|
@ -182,6 +181,8 @@ in
|
||||||
"d ${dataFolder} 0750 vaultwarden vaultwarden"
|
"d ${dataFolder} 0750 vaultwarden vaultwarden"
|
||||||
"f ${dataFolder}/vaultwarden.env 0640 vaultwarden vaultwarden"
|
"f ${dataFolder}/vaultwarden.env 0640 vaultwarden vaultwarden"
|
||||||
];
|
];
|
||||||
|
# Needed to be able to write template config.
|
||||||
|
systemd.services.vaultwarden.serviceConfig.ProtectHome = lib.mkForce false;
|
||||||
systemd.services.vaultwarden.preStart =
|
systemd.services.vaultwarden.preStart =
|
||||||
shblib.replaceSecrets {
|
shblib.replaceSecrets {
|
||||||
userConfig = {
|
userConfig = {
|
||||||
|
|
|
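Review bot: `systemd.services.vaultwarden.serviceConfig.ProtectHome = lib.mkForce false;` drops a sandbox setting for the whole unit, not just for the `preStart` that follows, and the comment `# Needed to be able to write template config.` does not say which path is blocked: `ProtectHome` only hides `/home`, `/root` and `/run/user`, while the file the `tmpfiles` rules above create lives under `${dataFolder}`, i.e. `/var/lib/vaultwarden`. If the write really lands in one of those home paths, a comment naming it would justify the override; if the blocker is something else (e.g. a `ProtectSystem` setting inherited from the upstream unit), `ReadWritePaths = [ dataFolder ];` is the narrower fix. I would also have the comment say which file `replaceSecrets` writes and who reads it, since it is created `0640 vaultwarden vaultwarden` and holds the rendered secrets.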
@ -17,11 +17,21 @@ in
|
||||||
../../modules/blocks/postgresql.nix
|
../../modules/blocks/postgresql.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
|
networking.hosts = {
|
||||||
|
"127.0.0.1" = [
|
||||||
|
"machine.com"
|
||||||
|
"client1.machine.com"
|
||||||
|
"client2.machine.com"
|
||||||
|
"ldap.machine.com"
|
||||||
|
"authelia.machine.com"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
shb.ldap = {
|
shb.ldap = {
|
||||||
enable = true;
|
enable = true;
|
||||||
dcdomain = "dc=example,dc=com";
|
dcdomain = "dc=example,dc=com";
|
||||||
subdomain = "ldap";
|
subdomain = "ldap";
|
||||||
domain = "machine";
|
domain = "machine.com";
|
||||||
ldapUserPasswordFile = pkgs.writeText "user_password" ldapAdminPassword;
|
ldapUserPasswordFile = pkgs.writeText "user_password" ldapAdminPassword;
|
||||||
jwtSecretFile = pkgs.writeText "jwt_secret" "securejwtsecret";
|
jwtSecretFile = pkgs.writeText "jwt_secret" "securejwtsecret";
|
||||||
};
|
};
|
||||||
|
@ -29,8 +39,8 @@ in
|
||||||
shb.authelia = {
|
shb.authelia = {
|
||||||
enable = true;
|
enable = true;
|
||||||
subdomain = "authelia";
|
subdomain = "authelia";
|
||||||
domain = "machine";
|
domain = "machine.com";
|
||||||
ldapEndpoint = "ldap://127.0.0.1:${builtins.toString config.shb.ldap.ldapPort}";
|
ldapEndpoint = "ldap://${config.shb.ldap.subdomain}.${config.shb.ldap.domain}:${toString config.shb.ldap.ldapPort}";
|
||||||
dcdomain = config.shb.ldap.dcdomain;
|
dcdomain = config.shb.ldap.dcdomain;
|
||||||
secrets = {
|
secrets = {
|
||||||
jwtSecretFile = pkgs.writeText "jwtSecretFile" "jwtSecretFile";
|
jwtSecretFile = pkgs.writeText "jwtSecretFile" "jwtSecretFile";
|
||||||
|
@ -45,20 +55,20 @@ in
|
||||||
|
|
||||||
oidcClients = [
|
oidcClients = [
|
||||||
{
|
{
|
||||||
id = "client1";
|
client_id = "client1";
|
||||||
description = "My Client 1";
|
client_name = "My Client 1";
|
||||||
secret.source = pkgs.writeText "secret" "mysecuresecret";
|
client_secret.source = pkgs.writeText "secret" "$pbkdf2-sha512$310000$LR2wY11djfLrVQixdlLJew$rPByqFt6JfbIIAITxzAXckwh51QgV8E5YZmA8rXOzkMfBUcMq7cnOKEXF6MAFbjZaGf3J/B1OzLWZTCuZtALVw";
|
||||||
public = false;
|
public = false;
|
||||||
authorization_policy = "one_factor";
|
authorization_policy = "one_factor";
|
||||||
redirect_uris = [ "http://client1.machine/redirect" ];
|
redirect_uris = [ "http://client1.machine.com/redirect" ];
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
id = "client2";
|
client_id = "client2";
|
||||||
description = "My Client 2";
|
client_name = "My Client 2";
|
||||||
secret.source = pkgs.writeText "secret" "myothersecret";
|
client_secret.source = pkgs.writeText "secret" "$pbkdf2-sha512$310000$76EqVU1N9K.iTOvD4WJ6ww$hqNJU.UHphiCjMChSqk27lUTjDqreuMuyV/u39Esc6HyiRXp5Ecx89ypJ5M0xk3Na97vbgDpwz7il5uwzQ4bfw";
|
||||||
public = false;
|
public = false;
|
||||||
authorization_policy = "one_factor";
|
authorization_policy = "one_factor";
|
||||||
redirect_uris = [ "http://client2.machine/redirect" ];
|
redirect_uris = [ "http://client2.machine.com/redirect" ];
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
@ -69,17 +79,17 @@ in
|
||||||
|
|
||||||
start_all()
|
start_all()
|
||||||
machine.wait_for_unit("lldap.service")
|
machine.wait_for_unit("lldap.service")
|
||||||
machine.wait_for_unit("authelia-authelia.machine.service")
|
machine.wait_for_unit("authelia-authelia.machine.com.service")
|
||||||
machine.wait_for_open_port(${toString nodes.machine.services.authelia.instances."authelia.machine".settings.server.port})
|
machine.wait_for_open_port(9091)
|
||||||
|
|
||||||
endpoints = json.loads(machine.succeed("curl -s http://machine/.well-known/openid-configuration"))
|
endpoints = json.loads(machine.succeed("curl -s http://machine.com/.well-known/openid-configuration"))
|
||||||
auth_endpoint = endpoints['authorization_endpoint']
|
auth_endpoint = endpoints['authorization_endpoint']
|
||||||
|
|
||||||
machine.succeed(
|
machine.succeed(
|
||||||
"curl -f -s '"
|
"curl -f -s '"
|
||||||
+ auth_endpoint
|
+ auth_endpoint
|
||||||
+ "?client_id=other"
|
+ "?client_id=other"
|
||||||
+ "&redirect_uri=http://client1.machine/redirect"
|
+ "&redirect_uri=http://client1.machine.com/redirect"
|
||||||
+ "&scope=openid%20profile%20email"
|
+ "&scope=openid%20profile%20email"
|
||||||
+ "&response_type=code"
|
+ "&response_type=code"
|
||||||
+ "&state=99999999'"
|
+ "&state=99999999'"
|
||||||
|
@ -89,7 +99,7 @@ in
|
||||||
"curl -f -s '"
|
"curl -f -s '"
|
||||||
+ auth_endpoint
|
+ auth_endpoint
|
||||||
+ "?client_id=client1"
|
+ "?client_id=client1"
|
||||||
+ "&redirect_uri=http://client1.machine/redirect"
|
+ "&redirect_uri=http://client1.machine.com/redirect"
|
||||||
+ "&scope=openid%20profile%20email"
|
+ "&scope=openid%20profile%20email"
|
||||||
+ "&response_type=code"
|
+ "&response_type=code"
|
||||||
+ "&state=11111111'"
|
+ "&state=11111111'"
|
||||||
|
@ -99,7 +109,7 @@ in
|
||||||
"curl -f -s '"
|
"curl -f -s '"
|
||||||
+ auth_endpoint
|
+ auth_endpoint
|
||||||
+ "?client_id=client2"
|
+ "?client_id=client2"
|
||||||
+ "&redirect_uri=http://client2.machine/redirect"
|
+ "&redirect_uri=http://client2.machine.com/redirect"
|
||||||
+ "&scope=openid%20profile%20email"
|
+ "&scope=openid%20profile%20email"
|
||||||
+ "&response_type=code"
|
+ "&response_type=code"
|
||||||
+ "&state=22222222'"
|
+ "&state=22222222'"
|
||||||
|
|
|
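Review bot: The two `client_secret.source` values now hold pbkdf2 digests instead of the former plaintext strings, but nothing in the visible script uses them: the three `curl` calls only hit `auth_endpoint` with `client_id`, `redirect_uri`, `scope`, `response_type` and `state`, which exercises client registration and redirect-URI validation, not the secret. A digest in the wrong format (or the plaintext the previous version used) would therefore still pass this test. Unless a later part of the script outside these hunks performs a token exchange, a subtest that posts a known plaintext to the token endpoint for a client configured with its digest would pin the new format. The hunks also cut the enclosing `testScript` string on both sides.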
@ -103,8 +103,20 @@ in
|
||||||
"multi3.example.com" = mkVirtualHost "multi3" config.shb.certs.certs.selfsigned.multi;
|
"multi3.example.com" = mkVirtualHost "multi3" config.shb.certs.certs.selfsigned.multi;
|
||||||
};
|
};
|
||||||
systemd.services.nginx = {
|
systemd.services.nginx = {
|
||||||
after = [ config.shb.certs.certs.selfsigned.top.systemdService config.shb.certs.certs.selfsigned.subdomain.systemdService ];
|
after = [
|
||||||
requires = [ config.shb.certs.certs.selfsigned.top.systemdService config.shb.certs.certs.selfsigned.subdomain.systemdService ];
|
config.shb.certs.certs.selfsigned.top.systemdService
|
||||||
|
config.shb.certs.certs.selfsigned.subdomain.systemdService
|
||||||
|
config.shb.certs.certs.selfsigned.multi.systemdService
|
||||||
|
config.shb.certs.certs.selfsigned.cert1.systemdService
|
||||||
|
config.shb.certs.certs.selfsigned.cert2.systemdService
|
||||||
|
];
|
||||||
|
requires = [
|
||||||
|
config.shb.certs.certs.selfsigned.top.systemdService
|
||||||
|
config.shb.certs.certs.selfsigned.subdomain.systemdService
|
||||||
|
config.shb.certs.certs.selfsigned.multi.systemdService
|
||||||
|
config.shb.certs.certs.selfsigned.cert1.systemdService
|
||||||
|
config.shb.certs.certs.selfsigned.cert2.systemdService
|
||||||
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
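Review bot: The expanded `after` and `requires` lists in `systemd.services.nginx` are the same five `systemdService` references written out twice, so the next certificate added to the test has to be added in both places. I would bind the list once, e.g. `certServices = map (c: c.systemdService) (with config.shb.certs.certs.selfsigned; [ top subdomain multi cert1 cert2 ]);` in a `let`, and then `after = certServices; requires = certServices;`.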
@ -41,7 +41,8 @@ in
|
||||||
)
|
)
|
||||||
+ lib.strings.concatMapStrings (p: ''server.wait_for_open_port(${toString p})'' + "\n") (
|
+ lib.strings.concatMapStrings (p: ''server.wait_for_open_port(${toString p})'' + "\n") (
|
||||||
waitForPorts args
|
waitForPorts args
|
||||||
++ (lib.optionals redirectSSO [ nodes.server.services.authelia.instances."auth.${domain}".settings.server.port ] )
|
# TODO: when the SSO block exists, replace this hardcoded port.
|
||||||
|
++ (lib.optionals redirectSSO [ 9091 /* nodes.server.services.authelia.instances."auth.${domain}".settings.server.port */ ] )
|
||||||
)
|
)
|
||||||
+ lib.strings.concatMapStrings (u: ''server.wait_for_open_unix_socket("${u}")'' + "\n") (waitForUnixSocket args)
|
+ lib.strings.concatMapStrings (u: ''server.wait_for_open_unix_socket("${u}")'' + "\n") (waitForUnixSocket args)
|
||||||
+ ''
|
+ ''
|
||||||
|
|
|
@ -31,7 +31,7 @@ let
|
||||||
{"email": "me@example.com"}
|
{"email": "me@example.com"}
|
||||||
"""))
|
"""))
|
||||||
print(response)
|
print(response)
|
||||||
if 'Kdf' not in response:
|
if 'kdf' not in response:
|
||||||
raise Exception("Unrecognized response: {}".format(response))
|
raise Exception("Unrecognized response: {}".format(response))
|
||||||
|
|
||||||
with subtest("get token"):
|
with subtest("get token"):
|
||||||
|
@ -45,7 +45,7 @@ let
|
||||||
&password=mypassword
|
&password=mypassword
|
||||||
"""))
|
"""))
|
||||||
print(response)
|
print(response)
|
||||||
if response["Message"] != "Username or password is incorrect. Try again":
|
if response["message"] != "Username or password is incorrect. Try again":
|
||||||
raise Exception("Unrecognized response: {}".format(response))
|
raise Exception("Unrecognized response: {}".format(response))
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
@ -174,6 +174,11 @@ in
|
||||||
nodes.client = {};
|
nodes.client = {};
|
||||||
|
|
||||||
testScript = commonTestScript.override {
|
testScript = commonTestScript.override {
|
||||||
|
waitForPorts = { node, ... }: [
|
||||||
|
8222
|
||||||
|
5432
|
||||||
|
9091
|
||||||
|
];
|
||||||
extraScript = { proto_fqdn, ... }: ''
|
extraScript = { proto_fqdn, ... }: ''
|
||||||
with subtest("unauthenticated access is not granted to /admin"):
|
with subtest("unauthenticated access is not granted to /admin"):
|
||||||
response = curl(client, """{"code":%{response_code},"auth_host":"%{urle.host}","auth_query":"%{urle.query}","all":%{json}}""", "${proto_fqdn}/admin")
|
response = curl(client, """{"code":%{response_code},"auth_host":"%{urle.host}","auth_query":"%{urle.query}","all":%{json}}""", "${proto_fqdn}/admin")
|
||||||
|
|