diff --git a/hosts/hub/apps/open-webui.nix b/hosts/hub/apps/open-webui.nix
index 38b5fdc..e9662d0 100644
--- a/hosts/hub/apps/open-webui.nix
+++ b/hosts/hub/apps/open-webui.nix
@@ -1,5 +1,7 @@
-{ config, ... }:
-
+let
+clientId = "xqV9QLU4JAP7i47XEa9ABbjP8MKWK3VUt1vHaTAaZYTYFdFqGkrlGmTPTAnvDDsvAb
+w518mk";
+in
 {
 systemd.tmpfiles.rules = [
 "d /var/lib/open-webui 0755 root root"
@@ -11,10 +13,18 @@
 "8090:8080"
 ];
 volumes = [ "/var/lib/open-webui:/app/backend/data" ];
+environment = {
+WEBUI_AUTH_TRUSTED_NAME_HEADER = "Remote-Name";
+WEBUI_AUTH_TRUSTED_EMAIL_HEADER = "Remote-Email";
+};
 };
 services.caddy.virtualHosts."https://open-webui.tailc50184.ts.net".extraConfig = ''
 bind tailscale/open-webui
+forward_auth localhost:9091 {
+uri /api/authz/forward-auth
+copy_headers Remote-Email Remote-Name
+}
 reverse_proxy http://localhost:8090
 '';
diff --git a/roles/authelia.nix b/roles/authelia.nix
index 3a5fce3..6971a5f 100644
--- a/roles/authelia.nix
+++ b/roles/authelia.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ pkgs, config, ... }:
 {
 age.secrets = {
@@ -24,6 +24,18 @@
 group = "authelia-main";
 mode = "440";
 };
+autheliaOidcHmacSecret = {
+file = ../secrets/authelia_oidc_hmac_secret.age;
+owner = "authelia-main";
+group = "authelia-main";
+mode = "440";
+};
+autheliaOidcIssuerPrivateKey = {
+file = ../secrets/authelia_oidc_issuer_private_key.age;
+owner = "authelia-main";
+group = "authelia-main";
+mode = "440";
+};
 };
 services = {
 postgresql = {
@@ -41,6 +53,8 @@
 jwtSecretFile = config.age.secrets.jwt.path;
 sessionSecretFile = config.age.secrets.autheliaSession.path;
 storageEncryptionKeyFile = config.age.secrets.autheliaStorageEncryptionKey.path;
+# oidcHmacSecretFile = config.age.secrets.autheliaOidcHmacSecret.path;
+# oidcIssuerPrivateKeyFile = config.age.secrets.autheliaOidcIssuerPrivateKey.path;
 };
 environmentVariables = {
 AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.age.secrets.ldap.path;
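Review bot: The new `clientId` literal is split over two added lines (`…DDsvAb` and `+w518mk";`), so as committed the string carries an embedded newline; if this is meant to be an OIDC client identifier it will not equal what the provider has registered. The binding is also not referenced by any line of this file shown in the diff, so if nothing below uses it, drop it together with the `let … in` wrapper; if it is used, join the value onto a single line. Dropping the `{ config, ... }:` header is fine by itself, since a NixOS module may be a plain attribute set, as long as nothing in the rest of the file still needs `config`.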
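Review bot: Open WebUI is configured to trust `Remote-Email`/`Remote-Name` unconditionally, but the mapping `"8090:8080"` at the top of the hunk looks like a published container port (its `ports =` line is above the hunk), and with the usual container runtime defaults that binds on every host interface. Any client that can reach the host on 8090 directly, bypassing Caddy and the new `forward_auth`, can then supply those headers itself, so the `forward_auth` block only protects the Tailscale-bound vhost, not the application. Trusted-header authentication is only sound when the app is reachable exclusively through the proxy; unless a host firewall already closes 8090 (not visible here), bind the mapping to loopback, `"127.0.0.1:8090:8080"`. It is also worth confirming in testing that a client-supplied `Remote-Email` on the inbound request does not survive `copy_headers` when Authelia's response omits that header, since the Caddy semantics for an absent response header are not visible from this config.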
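Review bot: The two new `secrets` lines, `oidcHmacSecretFile` and `oidcIssuerPrivateKeyFile`, are committed as comments, so Authelia never receives the OIDC HMAC secret or issuer private key, while the `age.secrets` entries added in the earlier hunk of this file (`autheliaOidcHmacSecret`, `autheliaOidcIssuerPrivateKey`) still decrypt both onto the host at activation. That leaves a private key materialised on disk with no consumer. Either enable the two lines now, or defer the `age.secrets` declarations and the two new `.age` files to the commit that actually configures the OIDC provider. If they must stay commented out, say why, e.g. `# TODO: enable once the OIDC provider section is configured`, so the stub does not outlive its reason.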
@@ -110,8 +124,10 @@
 };
 caddy.globalConfig = ''
 servers {
-trusted_proxies static 192.168.0.1
+trusted_proxies static private_ranges
 }
 '';
 };
+
+environment.systemPackages = with pkgs; [ authelia ];
 }
diff --git a/secrets/authelia_oidc_hmac_secret.age b/secrets/authelia_oidc_hmac_secret.age
new file mode 100644
index 0000000..de93e84
--- /dev/null
+++ b/secrets/authelia_oidc_hmac_secret.age
@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 5X7MKw FvumZTxDU0bBRTRSy43HVox2qoigg4BK4h/SYhxd/3Y
+34GKCl2Wa235MioYWuaIOyV6RJpc8J4tAsEwyxE65w0
+--- cDUMLVhu3ja3C6eWkXYBp+uSfdT67s3QaqUJlwCR1WU
+oã±RuúÆ-“9,‹Æã …Ñ53^µ®ÔüjÄEZϧHMÊd¾^«ö›ó¬û^ìe! Ùë/(/œòþ‚­n=0QwM†ýA•!-\ž‚b½
\ No newline at end of file
diff --git a/secrets/authelia_oidc_issuer_private_key.age b/secrets/authelia_oidc_issuer_private_key.age
new file mode 100644
index 0000000..1d5b9af
Binary files /dev/null and b/secrets/authelia_oidc_issuer_private_key.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 12474e2..b034539 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -13,6 +13,8 @@ in
 "jwt.age".publicKeys = [ hub ];
 "authelia_session.age".publicKeys = [ hub ];
 "authelia_storage.age".publicKeys = [ hub ];
+"authelia_oidc_hmac_secret.age".publicKeys = [ hub ];
+"authelia_oidc_issuer_private_key.age".publicKeys = [ hub ];
 "cloudflare_api.age".publicKeys = [ hub ];
 "ts_auth_key.age".publicKeys = [ hub
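Review bot: Widening `trusted_proxies` from the single address `192.168.0.1` to `private_ranges` makes Caddy honour `X-Forwarded-*` from any source in the private, loopback and ULA ranges, which on this host plausibly includes every container network and every LAN peer rather than just the upstream proxy the old value named. Authelia's regulation and any network-based access rules key on the client address it is handed, as far as I know, so a peer in those ranges could then present an arbitrary client IP to it. The reason for the change is not visible in the diff; if the upstream proxy simply moved, list its actual address(es) instead, `trusted_proxies static <upstream-proxy-ip>`, and if a range is genuinely required name the narrowest one. The `environment.systemPackages = with pkgs; [ authelia ];` line is an unrelated CLI convenience and would read better in its own commit or with a one-line comment on why the binary is needed on the host.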