Fix traefik/authelia bugs

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-03-12 20:12:45 +00:00
parent 6ed4c4917a
commit e55135163d
4 changed files with 32 additions and 31 deletions


@@ -38,9 +38,6 @@ in
"authelia-configuration.yaml".content = builtins.readFile ( "authelia-configuration.yaml".content = builtins.readFile (
(pkgs.formats.yaml { }).generate "configuration.yaml" { (pkgs.formats.yaml { }).generate "configuration.yaml" {
theme = "auto";
telemetry.metrics.enabled = true;
authentication_backend = { authentication_backend = {
refresh_interval = "always"; refresh_interval = "always";
file = { file = {
@@ -52,6 +49,8 @@ in
password_policy.zxcvbn.enabled = true; password_policy.zxcvbn.enabled = true;
access_control.default_policy = "deny"; access_control.default_policy = "deny";
server.endpoints.authz.forward-auth.implementation = "ForwardAuth";
session = { session = {
secret = hmConfig.sops.placeholder."authelia/session"; secret = hmConfig.sops.placeholder."authelia/session";
@@ -98,6 +97,8 @@ in
password = hmConfig.sops.placeholder."authelia/smtp"; password = hmConfig.sops.placeholder."authelia/smtp";
sender = "jupiter@karaolidis.com"; sender = "jupiter@karaolidis.com";
}; };
theme = "auto";
} }
); );
@@ -162,7 +163,6 @@ in
labels = [ labels = [
"traefik.enable=true" "traefik.enable=true"
"traefik.http.routers.authelia.rule=Host(`id.karaolidis.com`)" "traefik.http.routers.authelia.rule=Host(`id.karaolidis.com`)"
"traefik.http.routers.authelia.tls.certresolver=letsencrypt"
"traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true" "traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true"
"traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/authz/forward-auth" "traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/authz/forward-auth"
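Review bot: Dropping the per-router `traefik.http.routers.authelia.tls.certresolver=letsencrypt` label in the last hunk (and likewise in the ntfy and whoami sections of this commit) leaves this router depending on the entrypoint-level `--entrypoints.https.http.tls.certResolver=letsencrypt` in the traefik file, and nothing in this file records that dependency. A comment above `labels = [`, such as `# TLS and the letsencrypt resolver are configured on the https entrypoint; no per-router certresolver label is needed`, would keep the label from being re-added later. The `server.endpoints.authz.forward-auth.implementation = "ForwardAuth"` line added in the second hunk has to stay in step with the `/api/authz/forward-auth` path in the middleware address label at the end of this section; a one-line comment on the endpoint line naming that label would make the coupling visible. The `labels` list continues past the end of the hunk.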


@@ -71,9 +71,6 @@ in
enable-signup = false; enable-signup = false;
enable-login = true; enable-login = true;
enable-reservations = false; enable-reservations = false;
enable-metrics = true;
metrics-listen-http = ":8080";
} }
); );
@@ -130,7 +127,6 @@ in
labels = [ labels = [
"traefik.enable=true" "traefik.enable=true"
"traefik.http.routers.ntfy.rule=Host(`ntfy.karaolidis.com`)" "traefik.http.routers.ntfy.rule=Host(`ntfy.karaolidis.com`)"
"traefik.http.routers.ntfy.tls.certresolver=letsencrypt"
]; ];
}; };


@@ -58,24 +58,25 @@ in
"--providers.docker=true" "--providers.docker=true"
"--providers.docker.exposedbydefault=false" "--providers.docker.exposedbydefault=false"
"--providers.docker.network=systemd-traefik"
"--entryPoints.web.address=:80" "--entryPoints.http.address=:80"
"--entrypoints.web.http.redirections.entryPoint.to=websecure" "--entrypoints.http.http.redirections.entryPoint.to=https"
"--entrypoints.web.http.redirections.entryPoint.scheme=https" "--entrypoints.http.http.redirections.entryPoint.scheme=https"
"--entryPoints.web.http3" "--entryPoints.http.http3"
"--entrypoints.web.forwardedHeaders.insecure=true" "--entrypoints.http.forwardedHeaders.insecure=true"
"--entryPoints.websecure.address=:443" "--entryPoints.https.address=:443"
"--entryPoints.websecure.asDefault=true" "--entryPoints.https.asDefault=true"
"--entrypoints.websecure.http.tls=true" "--entrypoints.https.http.tls=true"
"--entrypoints.websecure.http.tls.certResolver=letsencrypt" "--entrypoints.https.http.tls.certResolver=letsencrypt"
"--entrypoints.websecure.http.tls.domains[0].main=karaolidis.com" "--entrypoints.https.http.tls.domains[0].main=karaolidis.com"
"--entrypoints.websecure.http.tls.domains[0].sans=*.karaolidis.com" "--entrypoints.https.http.tls.domains[0].sans=*.karaolidis.com"
"--entrypoints.websecure.http.tls.domains[1].main=krlds.com" "--entrypoints.https.http.tls.domains[1].main=krlds.com"
"--entrypoints.websecure.http.tls.domains[1].sans=*.krlds.com" "--entrypoints.https.http.tls.domains[1].sans=*.krlds.com"
"--entrypoints.websecure.http.middlewares=compress@docker" "--entrypoints.https.http.middlewares=compress@docker"
"--entryPoints.websecure.http3" "--entryPoints.https.http3"
"--entrypoints.websecure.forwardedHeaders.insecure=true" "--entrypoints.https.forwardedHeaders.insecure=true"
"--certificatesresolvers.letsencrypt.acme.dnschallenge=true" "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
"--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare" "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
@@ -84,10 +85,14 @@ in
]; ];
labels = [ labels = [
"traefik.enable=true" "traefik.enable=true"
"traefik.http.routers.traefik.rule=Host(`proxy.karaolidis.com`)"
"traefik.http.routers.traefik.tls.certresolver=letsencrypt" "traefik.http.routers.traefik-dashboard.rule=Host(`proxy.karaolidis.com`)"
"traefik.http.routers.traefik.service: 'api@internal'" "traefik.http.routers.traefik-dashboard.service=dashboard@internal"
"traefik.http.routers.traefik.middlewares: 'authelia@docker'" "traefik.http.routers.traefik-dashboard.middlewares=authelia@docker"
"traefik.http.routers.traefik-api.rule='Host(`proxy.karaolidis.com`) && PathPrefix(`/api`)'"
"traefik.http.routers.traefik-api.service=api@internal"
"traefik.http.routers.traefik-api.middlewares=authelia@docker"
"traefik.http.middlewares.compress.compress=true" "traefik.http.middlewares.compress.compress=true"
# TODO: Middlewares: Headers # TODO: Middlewares: Headers
@@ -104,6 +109,7 @@ in
After = [ After = [
"traefik-http.socket" "traefik-http.socket"
"traefik-https.socket" "traefik-https.socket"
"${containers.authelia._serviceName}.service"
"sops-nix.service" "sops-nix.service"
]; ];
@@ -137,7 +143,7 @@ in
"traefik-http" = { "traefik-http" = {
Socket = { Socket = {
ListenStream = "0.0.0.0:80"; ListenStream = "0.0.0.0:80";
FileDescriptorName = "web"; FileDescriptorName = "http";
Service = "${containers.traefik._serviceName}.service"; Service = "${containers.traefik._serviceName}.service";
}; };
@@ -149,7 +155,7 @@ in
"traefik-https" = { "traefik-https" = {
Socket = { Socket = {
ListenStream = "0.0.0.0:443"; ListenStream = "0.0.0.0:443";
FileDescriptorName = "websecure"; FileDescriptorName = "https";
Service = "${containers.traefik._serviceName}.service"; Service = "${containers.traefik._serviceName}.service";
}; };
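Review bot: The new `traefik-api` router rule in the second hunk still carries the single quotes inside the label value (``'Host(`proxy.karaolidis.com`) && PathPrefix(`/api`)'``), which is the same YAML-style quoting this commit removes from the `service` and `middlewares` labels just above it; Docker labels are raw strings, so Traefik receives the literal quote characters and, as far as I can tell, will reject the rule and not create the router, leaving `/api` unrouted. The line should read ``"traefik.http.routers.traefik-api.rule=Host(`proxy.karaolidis.com`) && PathPrefix(`/api`)"``, with only Traefik's own backtick quoting inside. Separately, the renamed entrypoints in the first hunk keep `forwardedHeaders.insecure=true` on both `http` and `https`, which makes Traefik accept `X-Forwarded-*` headers from any client; the sockets further down bind `0.0.0.0:80` and `0.0.0.0:443` with no upstream proxy visible here, and the authelia middleware in the authelia file sets `trustForwardHeader=true`, so client-supplied forwarded headers would presumably reach Authelia's forward-auth decision unchanged. If there is no trusted upstream, drop those two flags; if there is one, `--entrypoints.https.forwardedHeaders.trustedIPs=<UPSTREAM_CIDR>` (placeholder) limits the trust to it.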


@@ -26,7 +26,6 @@ in
labels = [ labels = [
"traefik.enable=true" "traefik.enable=true"
"traefik.http.routers.whoami.rule=Host(`whoami.karaolidis.com`)" "traefik.http.routers.whoami.rule=Host(`whoami.karaolidis.com`)"
"traefik.http.routers.whoami.tls.certresolver=letsencrypt"
]; ];
}; };
}; };