use header only authelia snippet

This commit is contained in:
2026-01-26 16:46:43 +01:00
parent 7e3186e632
commit c3614c5397
5 changed files with 74 additions and 66 deletions


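--- a/[file 1 path not shown on page]
+++ b/[file 1 path not shown on page]
@@ -82,6 +82,9 @@ in
 enable = true;
 openFirewall = true;
 group = "starr";
+settings = {
+authentication.AuthenticationMethod = "external";
+};
 };
 radarr = {
 enable = true;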
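Review bot: `openFirewall = true;` at L16 together with the new `authentication.AuthenticationMethod = "external";` at L19 leaves this service reachable on its own port with no login at all, because external mode delegates authentication to whatever sits in front of the app while the firewall rule exposes the port beside the reverse proxy. If the service is meant to be reached only through the Authelia-fronted nginx vhost, set `openFirewall = false;` (or restrict the port to the proxy host) so a direct connection cannot skip `auth_request`. The attribute set whose `enable = true;` opens the hunk is named before L15, outside the hunk, so I cannot tell which service this is; the same consideration applies to any other service switched to external auth while its port stays open.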


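--- a/[file 2 path not shown on page]
+++ b/[file 2 path not shown on page]
@@ -106,7 +106,9 @@ in
 locations."/" = {
 proxyPass = upstream;
 extraConfig = ''
+error_log /var/log/nginx/debug_authelia.log debug;
 include ${authelia-snippets.proxy};
+set $upstream ${upstream};
 '';
 };
 locations."/api/verify" = {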
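Review bot: `error_log /var/log/nginx/debug_authelia.log debug;` at L31 commits a debug-level log for a location that appears to front the Authelia session flow (the `/api/verify` location follows it); at that level nginx writes full request and response header lines, so session cookies and auth headers land in plaintext in a file that nothing in this change rotates or protects. Keep it out of the committed config, or lower it to `error_log /var/log/nginx/debug_authelia.log warn;` once the include ordering has been debugged. The same debug-level `error_log` is added for the radarr vhost at L165 in the last file of this commit. The `set $upstream ${upstream};` added at L33 reuses the value already passed to `proxyPass` and reads fine.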


@@ -20,7 +20,7 @@ in
./ollama.nix ./ollama.nix
./minecraft.nix ./minecraft.nix
./secrets ./secrets
./authelia.nix # ./authelia.nix
]; ];
# Use the systemd-boot EFI boot loader. # Use the systemd-boot EFI boot loader.


@@ -1,40 +1,50 @@
{ pkgs }: { pkgs }:
{ {
proxy = pkgs.writeText "proxy.conf" '' proxy = pkgs.writeText "proxy.conf" ''
set $upstream_authelia http://thea:9091/api/authz/auth-request; ## Headers
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-URI $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $remote_addr;
'';
authelia-location = pkgs.writeText "authelia-location.conf" ''
set $upstream_authelia http://192.168.1.12:9091/api/authz/auth-request;
## Virtual endpoint created by nginx to forward auth requests. ## Virtual endpoint created by nginx to forward auth requests.
location /internal/authelia/authz { location /internal/authelia/authz {
## Essential Proxy Configuration ## Essential Proxy Configuration
internal; internal;
proxy_pass $upstream_authelia; proxy_pass $upstream_authelia;
## Headers ## Headers
## The headers starting with X-* are required. ## The headers starting with X-* are required.
proxy_set_header X-Original-Method $request_method; proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri; proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Content-Length ""; proxy_set_header Content-Length "";
proxy_set_header Connection ""; proxy_set_header Connection "";
## Basic Proxy Configuration ## Basic Proxy Configuration
proxy_pass_request_body off; proxy_pass_request_body off;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead
proxy_redirect http:// $scheme://; proxy_redirect http:// $scheme://;
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_cache_bypass $cookie_session; proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session; proxy_no_cache $cookie_session;
proxy_buffers 4 32k; proxy_buffers 4 32k;
client_body_buffer_size 128k; client_body_buffer_size 128k;
## Advanced Proxy Configuration ## Advanced Proxy Configuration
send_timeout 5m; send_timeout 5m;
proxy_read_timeout 240; proxy_read_timeout 240;
proxy_send_timeout 240; proxy_send_timeout 240;
proxy_connect_timeout 240; proxy_connect_timeout 240;
} }
''; '';
authelia-location = pkgs.writeText "authelia-location.conf" '' authelia-authrequest = pkgs.writeText "authelia-authrequest.conf" ''
## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource. ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
auth_request /internal/authelia/authz; auth_request /internal/authelia/authz;
@@ -68,40 +78,4 @@
## URL parameter set to $target_url. This requires users update 'auth.shobu.fr/' with their external authelia URL. ## URL parameter set to $target_url. This requires users update 'auth.shobu.fr/' with their external authelia URL.
# error_page 401 =302 https://auth.shobu.fr/?rd=$target_url; # error_page 401 =302 https://auth.shobu.fr/?rd=$target_url;
''; '';
authelia-authrequest = pkgs.writeText "authelia-authrequest.conf" ''
## Headers
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-URI $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
## Basic Proxy Configuration
client_body_buffer_size 128k;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead.
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;
## Trusted Proxies Configuration
## Please read the following documentation before configuring this:
## https://www.authelia.com/integration/proxies/nginx/#trusted-proxies
# set_real_ip_from 10.0.0.0/8;
# set_real_ip_from 172.16.0.0/12;
# set_real_ip_from 192.168.0.0/16;
# set_real_ip_from fc00::/7;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
## Advanced Proxy Configuration
send_timeout 5m;
proxy_read_timeout 360;
proxy_send_timeout 360;
proxy_connect_timeout 360;
'';
} }
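Review bot: The three snippets now have to be included at different nginx scopes, but nothing in the file says so: `authelia-location` (L63–L92) defines the `internal` authz endpoint and `$upstream_authelia` and therefore belongs at `server` level, while `proxy` (L53–L62) and `authelia-authrequest` (L93–L99) set forwarded headers and `auth_request` and belong inside each protected `location`. Add a one-line comment above each `pkgs.writeText` stating its scope, e.g. `# server-level: defines /internal/authelia/authz and $upstream_authelia; include once per vhost` above L63, `# location-level: forwarded headers only, no auth; pair with authelia-authrequest` above L53, and `# location-level: auth_request against the endpoint defined by authelia-location` above L93. Worth stating explicitly because neither the old nor the new `proxy` snippet performs authentication — the old one only defined the endpoint, the new one only sets headers — so a vhost that includes `proxy` alone is not protected by Authelia, and a maintainer reading the name alone might assume otherwise.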


@@ -1,8 +1,9 @@
{ inputs, ... }: { inputs, pkgs, ... }:
let let
# striped-front = inputs.striped-front; # striped-front = inputs.striped-front;
sin-address = "192.168.1.14"; sin-address = "192.168.1.14";
authelia-snippets = pkgs.callPackage ./lib/autheliaSnippets.nix { inherit pkgs; };
in in
{ {
@@ -37,16 +38,44 @@ in
in in
( (
mkStarr "jellyfin.shobu.fr" "8096" mkStarr "jellyfin.shobu.fr" "8096"
// mkStarr "radarr.shobu.fr" "7878" # // mkStarr "radarr.shobu.fr" "7878"
// mkStarr "sonarr.shobu.fr" "8989" // mkStarr "sonarr.shobu.fr" "8989"
// mkStarr "prowlarr.shobu.fr" "9696" // mkStarr "prowlarr.shobu.fr" "9696"
// mkStarr "bazarr.shobu.fr" "6767" // mkStarr "bazarr.shobu.fr" "6767"
// mkStarr "jellyseerr.shobu.fr" "5055"
// mkStarr "lidarr.shobu.fr" "8686" // mkStarr "lidarr.shobu.fr" "8686"
// mkStarr "whisparr.shobu.fr" "6969" // mkStarr "whisparr.shobu.fr" "6969"
// mkStarr "jellyseerr.shobu.fr" "5055"
// mkStarr "transmission.shobu.fr" "9091" // mkStarr "transmission.shobu.fr" "9091"
// mkStarr "zimablade-admin.shobu.fr" "61208" // mkStarr "zimablade-admin.shobu.fr" "61208"
// { // {
"radarr.shobu.fr" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
include ${authelia-snippets.authelia-location};
error_log /var/log/nginx/debug_radarr.log debug;
'';
locations."/" = {
proxyPass = "http://${sin-address}:7878";
proxyWebsockets = true;
extraConfig = ''
include ${authelia-snippets.proxy};
include ${authelia-snippets.authelia-authrequest};
proxy_ssl_server_name on;
'';
};
locations."/api" = {
proxyPass = "http://${sin-address}:7878";
proxyWebsockets = true;
extraConfig = ''
proxy_ssl_server_name on;
'';
};
};
"shobu.fr" = { "shobu.fr" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
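Review bot: The new `locations."/api"` block (L176–L182) proxies straight to Radarr without `include ${authelia-snippets.authelia-authrequest};`, so everything under `/api` is exempt from the Authelia check that `locations."/"` enforces at L171–L172. That is the usual way to let API-key clients through, but it should be deliberate and visible: add `# no auth_request here on purpose: API clients authenticate with Radarr's X-Api-Key` inside the `/api` location, and confirm Radarr still enforces the key on this path if its own authentication is also switched to external mode. `proxy_ssl_server_name on;` at L173 and L180 has no effect on a plain `http://` upstream and can be dropped. The `"shobu.fr"` vhost that starts at L184 continues outside the hunk.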