Format container configs

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-03-25 11:07:30 +00:00
parent e55135163d
commit b3dd72de22
3 changed files with 24 additions and 15 deletions
--- a/hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix
@@ -73,11 +73,19 @@ in
            identity_providers.oidc = {
              hmac_secret = hmConfig.sops.placeholder."authelia/oidcHmac";

-              jwks = [
-                {
-                  key = hmConfig.sops.placeholder."authelia/oidcKey";
-                }
-              ];
+              jwks = [ { key = hmConfig.sops.placeholder."authelia/oidcKey"; } ];
+
+              authorization_policies = {
+                admin = {
+                  default_policy = "deny";
+                  rules = [
+                    {
+                      policy = "two_factor";
+                      subject = [ "group:admins" ];
+                    }
+                  ];
+                };
+              };
            };

            storage = {
@@ -126,14 +134,14 @@ in
            image = "docker-archive:${selfPkgs.docker-yq}";
            networks = [ networks.authelia.ref ];
            volumes = [
-              "${home}/.local/share/authelia/config:/workdir/config"
-              "${hmConfig.sops.templates."authelia-users.yaml".path}:/workdir/users.yaml:ro"
+              "${home}/.local/share/authelia/config:/etc/authelia"
+              "${hmConfig.sops.templates."authelia-users.yaml".path}:/etc/authelia/users.yaml.default:ro"
            ];
            exec = [
              "eval-all"
              ". as $item ireduce ({}; . * $item)"
-              "/workdir/config/users.yaml"
-              "/workdir/users.yaml"
+              "/etc/authelia/users.yaml"
+              "/etc/authelia/users.yaml.default"
              "-i"
            ];
          };
--- a/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix
@@ -132,9 +132,7 @@ in
              ];
            };
          in
-          [
-            "${config}:/etc/authelia/conf.d/traefik.yaml:ro"
-          ];
+          [ "${config}:/etc/authelia/conf.d/traefik.yaml:ro" ];
      };
    };

--- a/packages/docker/postgresql/entrypoint.sh
+++ b/packages/docker/postgresql/entrypoint.sh
@@ -24,11 +24,14 @@ mkfifo "$LOG_PIPE"
 LOG_PID=$!

 if [ ! -s "$PGDATA/PG_VERSION" ]; then
-  initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD")
+  tmpfile=$(mktemp)
+  printf "%s\n" "$POSTGRES_PASSWORD" > "$tmpfile"
+  initdb --username="$POSTGRES_USER" --pwfile="$tmpfile"
+  rm -f "$tmpfile"

  auth_method=$(postgres -c config_file="/etc/postgresql/postgresql.conf" -C password_encryption)
  POSTGRES_HOST_AUTH_METHOD="${POSTGRES_HOST_AUTH_METHOD:=$auth_method}"
-  echo -e "\nhost all all all $POSTGRES_HOST_AUTH_METHOD" >> "$PGDATA/pg_hba.conf"
+  printf "\nhost all all all %s\n" "$POSTGRES_HOST_AUTH_METHOD" >> "$PGDATA/pg_hba.conf"

  pg_ctl -w start

@@ -39,5 +42,5 @@ if [ ! -s "$PGDATA/PG_VERSION" ]; then
  pg_ctl -m fast -w stop
 fi

-trap "kill $LOG_PID" EXIT
+trap 'kill $LOG_PID' EXIT
 exec postgres -c config_file="/etc/postgresql/postgresql.conf" "$@" > "$LOG_PIPE" 2>&1