use header only authelia snippet

2026-01-26 16:46:43 +01:00
parent 7e3186e632
commit c3614c5397
5 changed files with 74 additions and 66 deletions
--- a/hosts/sin/jellyfin.nix
+++ b/hosts/sin/jellyfin.nix
@@ -82,6 +82,9 @@ in
      enable = true;
      openFirewall = true;
      group = "starr";
+      settings = {
+        authentication.AuthenticationMethod = "external";
+      };
    };
    radarr = {
      enable = true;
--- a/hosts/thea/authelia.nix
+++ b/hosts/thea/authelia.nix
@@ -106,7 +106,9 @@ in
        locations."/" = {
          proxyPass = upstream;
          extraConfig = ''
+            error_log /var/log/nginx/debug_authelia.log debug;
            include ${authelia-snippets.proxy};
+            set $upstream ${upstream};
          '';
        };
        locations."/api/verify" = {
--- a/hosts/thea/configuration.nix
+++ b/hosts/thea/configuration.nix
@@ -20,7 +20,7 @@ in
    ./ollama.nix
    ./minecraft.nix
    ./secrets
-    ./authelia.nix
+    # ./authelia.nix
  ];

  # Use the systemd-boot EFI boot loader.
--- a/hosts/thea/lib/autheliaSnippets.nix
+++ b/hosts/thea/lib/autheliaSnippets.nix
@@ -1,7 +1,17 @@
 { pkgs }:
 {
  proxy = pkgs.writeText "proxy.conf" ''
-    set $upstream_authelia http://thea:9091/api/authz/auth-request;
+    ## Headers
+    proxy_set_header Host $host;
+    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Host $http_host;
+    proxy_set_header X-Forwarded-URI $request_uri;
+    proxy_set_header X-Forwarded-Ssl on;
+    proxy_set_header X-Forwarded-For $remote_addr;
+  '';
+  authelia-location = pkgs.writeText "authelia-location.conf" ''
+    set $upstream_authelia http://192.168.1.12:9091/api/authz/auth-request;

    ## Virtual endpoint created by nginx to forward auth requests.
    location /internal/authelia/authz {
@@ -34,7 +44,7 @@
        proxy_connect_timeout 240;
    }
  '';
-  authelia-location = pkgs.writeText "authelia-location.conf" ''
+  authelia-authrequest = pkgs.writeText "authelia-authrequest.conf" ''
    ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
    auth_request /internal/authelia/authz;

@@ -68,40 +78,4 @@
    ## URL parameter set to $target_url. This requires users update 'auth.shobu.fr/' with their external authelia URL.
    # error_page 401 =302 https://auth.shobu.fr/?rd=$target_url;
  '';
-  authelia-authrequest = pkgs.writeText "authelia-authrequest.conf" ''
-    ## Headers
-    proxy_set_header Host $host;
-    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
-    proxy_set_header X-Forwarded-Proto $scheme;
-    proxy_set_header X-Forwarded-Host $http_host;
-    proxy_set_header X-Forwarded-URI $request_uri;
-    proxy_set_header X-Forwarded-Ssl on;
-    proxy_set_header X-Forwarded-For $remote_addr;
-    proxy_set_header X-Real-IP $remote_addr;
-
-    ## Basic Proxy Configuration
-    client_body_buffer_size 128k;
-    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead.
-    proxy_redirect  http://  $scheme://;
-    proxy_http_version 1.1;
-    proxy_cache_bypass $cookie_session;
-    proxy_no_cache $cookie_session;
-    proxy_buffers 64 256k;
-
-    ## Trusted Proxies Configuration
-    ## Please read the following documentation before configuring this:
-    ##     https://www.authelia.com/integration/proxies/nginx/#trusted-proxies
-    # set_real_ip_from 10.0.0.0/8;
-    # set_real_ip_from 172.16.0.0/12;
-    # set_real_ip_from 192.168.0.0/16;
-    # set_real_ip_from fc00::/7;
-    real_ip_header X-Forwarded-For;
-    real_ip_recursive on;
-
-    ## Advanced Proxy Configuration
-    send_timeout 5m;
-    proxy_read_timeout 360;
-    proxy_send_timeout 360;
-    proxy_connect_timeout 360;
-  '';
 }
--- a/hosts/thea/nginx.nix
+++ b/hosts/thea/nginx.nix
@@ -1,8 +1,9 @@
-{ inputs, ... }:
+{ inputs, pkgs, ... }:
 let
  # striped-front = inputs.striped-front;

  sin-address = "192.168.1.14";
+  authelia-snippets = pkgs.callPackage ./lib/autheliaSnippets.nix { inherit pkgs; };
 in
 {

@@ -37,16 +38,44 @@ in
      in
      (
        mkStarr "jellyfin.shobu.fr" "8096"
-        // mkStarr "radarr.shobu.fr" "7878"
+        # // mkStarr "radarr.shobu.fr" "7878"
        // mkStarr "sonarr.shobu.fr" "8989"
        // mkStarr "prowlarr.shobu.fr" "9696"
        // mkStarr "bazarr.shobu.fr" "6767"
-        // mkStarr "jellyseerr.shobu.fr" "5055"
        // mkStarr "lidarr.shobu.fr" "8686"
        // mkStarr "whisparr.shobu.fr" "6969"
+        // mkStarr "jellyseerr.shobu.fr" "5055"
        // mkStarr "transmission.shobu.fr" "9091"
        // mkStarr "zimablade-admin.shobu.fr" "61208"
        // {
+          "radarr.shobu.fr" = {
+            enableACME = true;
+            forceSSL = true;
+
+            extraConfig = ''
+              include ${authelia-snippets.authelia-location};
+              error_log /var/log/nginx/debug_radarr.log debug;
+            '';
+
+            locations."/" = {
+              proxyPass = "http://${sin-address}:7878";
+              proxyWebsockets = true;
+              extraConfig = ''
+                include ${authelia-snippets.proxy};
+                include ${authelia-snippets.authelia-authrequest};
+                proxy_ssl_server_name on;
+              '';
+            };
+
+            locations."/api" = {
+              proxyPass = "http://${sin-address}:7878";
+              proxyWebsockets = true;
+              extraConfig = ''
+                proxy_ssl_server_name on;
+              '';
+            };
+
+          };
          "shobu.fr" = {
            enableACME = true;
            forceSSL = true;