WIP: authelia: Add SSO

modules/nginxExtensions.nix

@@ -11,12 +11,55 @@
     };
 
     services.nginx.virtualHosts = let
-      extraVirtualHostOptions = {
-        name,
-        config,
-        ...
-      }: {
+      extraLocationOptions = {config, ...}: {
         options = {
+          enableAuthorization = lib.mkEnableOption "Enable authorization via authelia";
+        };
+
+        config = {
+          recommendedProxySettings = lib.mkIf config.enableAuthorization false;
+
+          extraConfig = lib.concatStringsSep "\n" [
+            (lib.optionalString config.enableAuthorization ''
+              proxy_set_header Host $host;
+              proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+              proxy_set_header X-Forwarded-Proto $scheme;
+              proxy_set_header X-Forwarded-Host $http_host;
+              proxy_set_header X-Forwarded-URI $request_uri;
+              proxy_set_header X-Forwarded-Ssl on;
+              proxy_set_header X-Forwarded-For $remote_addr;
+              proxy_set_header X-Real-IP $remote_addr;
+
+              proxy_redirect http:// $scheme://;
+              proxy_cache_bypass $cookie_session;
+              proxy_no_cache $cookie_session;
+
+              real_ip_header X-Forwarded-For;
+              real_ip_recursive on;
+            '')
+            (lib.optionalString config.enableAuthorization ''
+              auth_request /internal/authelia/authz;
+
+              auth_request_set $user $upstream_http_remote_user;
+              auth_request_set $groups $upstream_http_remote_groups;
+              auth_request_set $name $upstream_http_remote_name;
+              auth_request_set $email $upstream_http_remote_email;
+
+              proxy_set_header Remote-User $user;
+              proxy_set_header Remote-Groups $groups;
+              proxy_set_header Remote-Email $email;
+              proxy_set_header Remote-Name $name;
+
+              auth_request_set $redirection_url $upstream_http_location;
+              error_page 401 =302 $redirection_url;
+            '')
+          ];
+        };
+      };
+
+      extraVirtualHostOptions = {name, config, ...}: {
+        options = {
+          enableAuthorization = lib.mkEnableOption "Enable authorization via authelia";
           enableHSTS = lib.mkEnableOption "Enable HSTS";
 
           addAccessLog = lib.mkOption {
@@ -26,6 +69,10 @@
               Add special logging to `/var/log/nginx/''${serverName}`
             '';
           };
+
+          locations = lib.mkOption {
+            type = lib.types.attrsOf (lib.types.submodule extraLocationOptions);
+          };
         };
 
         config = {
@@ -37,6 +84,32 @@
               access_log /var/log/nginx/${name}/access.log upstream_time;
             '')
           ];
+
+          locations = lib.mkIf config.enableAuthorization {
+            "/".enableAuthorization = true;
+            "/internal/authelia/authz" = {
+              proxyPass = "http://127.0.0.1:9091/api/authz/auth-request";
+              recommendedProxySettings = false;
+              extraConfig = ''
+                internal;
+
+                proxy_set_header X-Original-Method $request_method;
+                proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+                proxy_set_header X-Forwarded-For $remote_addr;
+                proxy_set_header Content-Length "";
+                proxy_set_header Connection "";
+
+                proxy_pass_request_body off;
+                proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+                proxy_redirect http:// $scheme://;
+                proxy_http_version 1.1;
+                proxy_cache_bypass $cookie_session;
+                proxy_no_cache $cookie_session;
+                proxy_buffers 4 32k;
+                client_body_buffer_size 128k;
+              '';
+            };
+          };
         };
       };
     in