blob: 1854f0e254daeb14cd8de3b0438b39c9752e69b2 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
|
{ pkgs, ... }:
{
services.nginx.virtualHosts."sb.emile.space" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://${config.services.silverbullet.listenSddress}:${toString config.services.silverbullet.listenPort}";
extraConfig = ''
## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
auth_request /internal/authelia/authz;
## Save the upstream metadata response headers from Authelia to variables.
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;
## Inject the metadata response headers from the variables into the request made to the backend.
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Email $email;
proxy_set_header Remote-Name $name;
## Configure the redirection when the authz failure occurs. Lines starting with 'Modern Method' and 'Legacy Method'
## should be commented / uncommented as pairs. The modern method uses the session cookies configuration's authelia_url
## value to determine the redirection URL here. It's much simpler and compatible with the mutli-cookie domain easily.
## Modern Method: Set the $redirection_url to the Location header of the response to the Authz endpoint.
auth_request_set $redirection_url $upstream_http_location;
## Modern Method: When there is a 401 response code from the authz endpoint redirect to the $redirection_url.
error_page 401 =302 $redirection_url;
## Legacy Method: Set $target_url to the original requested URL.
## This requires http_set_misc module, replace 'set_escape_uri' with 'set' if you don't have this module.
# set $target_url $scheme://$http_host$request_uri;
## Legacy Method: When there is a 401 response code from the authz endpoint redirect to the portal with the 'rd'
## URL parameter set to $target_url. This requires users update 'auth.example.com/' with their external authelia URL.
# error_page 401 =302 https://sso.emile.space/?rd=$target_url;
'';
};
"/internal/authelia/authz" = {
extraConfig = ''
## Essential Proxy Configuration
internal;
proxy_pass https://sso.emile.space/api/authz/auth-request;
## Headers
## The headers starting with X-* are required.
proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Content-Length "";
proxy_set_header Connection "";
## Basic Proxy Configuration
proxy_pass_request_body off;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 4 32k;
client_body_buffer_size 128k;
## Advanced Proxy Configuration
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;
'';
};
};
# auth via authelia
# services.authelia.instances.main.settings.identity_providers.oidc.clients = [
# {
# id = "silverbullet";
# # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
# secret = "$pbkdf2-sha512$310000$mxk7uITQOZNYEqeinigQnw$wsF2S6RPL2zVRg1X0bAuINh8Lu5PuA/2/FYJSy3i/Ig5vtCzaIFb0xYEcus4jkqTIgyp3aBxtgSzAKjQKC.QKg";
# public = false;
# authorization_policy = "two_factor";
# redirect_uris = [ "https://md.emile.space/auth/oauth2/callback" ];
# scopes = [
# "openid"
# "email"
# "profile"
# ];
# grant_types = [
# "refresh_token"
# "authorization_code"
# ];
# response_types = [ "code" ];
# response_modes = [
# "form_post"
# "query"
# "fragment"
# ];
# token_endpoint_auth_method = "client_secret_post";
# }
# ];
services.silverbullet = {
enable = true;
spaceDir = "/var/lib/silverbullet";
listenPort = 3000;
listenAddress = "[::1]";
};
}
|
