From 56ecff913a5c7aa3610f2ef616115f9c8988d5d0 Mon Sep 17 00:00:00 2001 From: Nolan Darilek Date: Tue, 11 Mar 2025 11:18:13 -0500 Subject: [PATCH] Add open-webui and partially integrate OIDC into Authelia. --- hosts/hub/apps/open-webui.nix | 14 +++++++++++-- roles/authelia.nix | 20 +++++++++++++++++-- secrets/authelia_oidc_hmac_secret.age | 5 +++++ secrets/authelia_oidc_issuer_private_key.age | Bin 0 -> 1917 bytes secrets/secrets.nix | 2 ++ 5 files changed, 37 insertions(+), 4 deletions(-) create mode 100644 secrets/authelia_oidc_hmac_secret.age create mode 100644 secrets/authelia_oidc_issuer_private_key.age diff --git a/hosts/hub/apps/open-webui.nix b/hosts/hub/apps/open-webui.nix index 38b5fdc..e9662d0 100644 --- a/hosts/hub/apps/open-webui.nix +++ b/hosts/hub/apps/open-webui.nix @@ -1,5 +1,7 @@ -{ config, ... }: - +let + clientId = "xqV9QLU4JAP7i47XEa9ABbjP8MKWK3VUt1vHaTAaZYTYFdFqGkrlGmTPTAnvDDsvAb +w518mk"; +in { systemd.tmpfiles.rules = [ "d /var/lib/open-webui 0755 root root" @@ -11,10 +13,18 @@ "8090:8080" ]; volumes = [ "/var/lib/open-webui:/app/backend/data" ]; + environment = { + WEBUI_AUTH_TRUSTED_NAME_HEADER = "Remote-Name"; + WEBUI_AUTH_TRUSTED_EMAIL_HEADER = "Remote-Email"; + }; }; services.caddy.virtualHosts."https://open-webui.tailc50184.ts.net".extraConfig = '' bind tailscale/open-webui + forward_auth localhost:9091 { + uri /api/authz/forward-auth + copy_headers Remote-Email Remote-Name + } reverse_proxy http://localhost:8090 ''; diff --git a/roles/authelia.nix b/roles/authelia.nix index 3a5fce3..6971a5f 100644 --- a/roles/authelia.nix +++ b/roles/authelia.nix @@ -1,4 +1,4 @@ -{ config, ... }: +{ pkgs, config, ... }: { age.secrets = { 
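Review bot: The `clientId` value in the new `let` binding is split across two diff lines (`+  clientId = "…DDsvAb` and `+w518mk";`), and the hunk header's `+1,7` count confirms the committed file really contains that line break, so the Nix string carries an embedded newline and will never compare equal to the id registered on the Authelia side. Assuming the intended id is the two fragments joined, put it on one line: `clientId = "xqV9QLU4JAP7i47XEa9ABbjP8MKWK3VUt1vHaTAaZYTYFdFqGkrlGmTPTAnvDDsvAbw518mk";`. Neither hunk in this file references `clientId`, so if the rest of the file does not either it is a dead binding; a one-line comment naming which OIDC client it belongs to would help whoever finishes the integration. Dropping the `{ config, ... }:` module argument is fine only if nothing in the unseen part of the file still reads `config`.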
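Review bot: The new `WEBUI_AUTH_TRUSTED_EMAIL_HEADER`/`WEBUI_AUTH_TRUSTED_NAME_HEADER` settings make Open WebUI log in whoever is named in those request headers, while the existing `"8090:8080"` port mapping visible in the context lines publishes the container on every host interface, so any client that can reach port 8090 directly bypasses Caddy's `forward_auth` and can supply its own `Remote-Email`. Bind the published port to loopback so only the `reverse_proxy http://localhost:8090` hop can reach it: `"127.0.0.1:8090:8080"`. It is also worth confirming that `copy_headers` replaces, rather than appends to, any `Remote-Email`/`Remote-Name` a client sent, and that the `bind tailscale/open-webui` listener is the only path into this service.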
@@ -24,6 +24,18 @@ group = "authelia-main"; mode = "440"; }; + autheliaOidcHmacSecret = { + file = ../secrets/authelia_oidc_hmac_secret.age; + owner = "authelia-main"; + group = "authelia-main"; + mode = "440"; + }; + autheliaOidcIssuerPrivateKey = { + file = ../secrets/authelia_oidc_issuer_private_key.age; + owner = "authelia-main"; + group = "authelia-main"; + mode = "440"; + }; }; services = { postgresql = { @@ -41,6 +53,8 @@ jwtSecretFile = config.age.secrets.jwt.path; sessionSecretFile = config.age.secrets.autheliaSession.path; storageEncryptionKeyFile = config.age.secrets.autheliaStorageEncryptionKey.path; + # oidcHmacSecretFile = config.age.secrets.autheliaOidcHmacSecret.path; + # oidcIssuerPrivateKeyFile = config.age.secrets.autheliaOidcIssuerPrivateKey.path; }; environmentVariables = { AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.age.secrets.ldap.path; @@ -110,8 +124,10 @@ }; caddy.globalConfig = '' servers { - trusted_proxies static 192.168.0.1 + trusted_proxies static private_ranges } ''; }; + + environment.systemPackages = with pkgs; [ authelia ]; } diff --git a/secrets/authelia_oidc_hmac_secret.age b/secrets/authelia_oidc_hmac_secret.age new file mode 100644 index 0000000..de93e84 --- /dev/null +++ b/secrets/authelia_oidc_hmac_secret.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 5X7MKw FvumZTxDU0bBRTRSy43HVox2qoigg4BK4h/SYhxd/3Y +34GKCl2Wa235MioYWuaIOyV6RJpc8J4tAsEwyxE65w0 +--- cDUMLVhu3ja3C6eWkXYBp+uSfdT67s3QaqUJlwCR1WU +oã±RuúÆ-“9,‹Æã …Ñ53^µ®ÔüjÄEZϧHMÊd¾^«ö›ó¬û^ìe! Ùë/(/œòþ‚­n=0QwM†ýA•!-\ž‚b½ \ No newline at end of file 
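Review bot: The two new `# oidcHmacSecretFile = …` and `# oidcIssuerPrivateKeyFile = …` lines in the `secrets` block are commented out with no explanation, so the OIDC secrets declared in the `@@ -24,6 +24,18 @@` hunk are decrypted onto the host with mode `440` but never handed to Authelia. State the condition for enabling them so the next reader does not have to guess, e.g. `# TODO: enable once identity_providers.oidc (issuer + clients) is configured`, or leave the lines out until that configuration lands. The enclosing `services.authelia` attribute set starts and ends outside this hunk.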
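Review bot: Changing `trusted_proxies static 192.168.0.1` to `private_ranges` makes Caddy honour `X-Forwarded-For` from every RFC 1918 and loopback address, so any container on the Docker bridge (including the open-webui container this commit adds) or any LAN host can present an arbitrary client IP, which is then forwarded to Authelia and used in its audit logging and any `networks`-based access-control rules. Keep the list to the addresses that actually front this proxy, e.g. `trusted_proxies static <upstream-proxy-cidr>`; if the change was motivated by a particular upstream (a Tailscale or Docker address), name that range rather than all private space. The added `environment.systemPackages = with pkgs; [ authelia ];` is unrelated to the proxy change and, if it is there for `authelia crypto` key generation, deserves a comment saying so.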
diff --git a/secrets/authelia_oidc_issuer_private_key.age b/secrets/authelia_oidc_issuer_private_key.age new file mode 100644 index 0000000000000000000000000000000000000000..1d5b9af70c191aace4e55bfcef1339aa85d50959 GIT binary patch literal 1917 zcmV-@2ZH!vXJsvAZewzJaCB*JZZ2WwdX?ZbKOLA^TIdMoiT1aYFab;_HGILQ=c~3HKZB+_6dUH89FIag& zSx`weXhcqNOLZ$sF*7q|R5oHXNl9TaP*6>6Zg6RDSZfL`EiE8bSTIdkb6HbjM|V<9 zLQywFP-H?{W=k+{G*v`FXe&WCR(M5FNo-SAL`e!jv*7NtJ$fXy%n<4C2OUVEk5?BX zwj70Tutgo*`GjrY!rDp%EU6l*gS_o&ZMkAz+|PYqHT3OPp-~{5AEUkIrranW(K1zr z=}DS^bwJqP0k6ZDlDewVG1$Er>_VKP27Hv&hAm`(pI>c2YFUj zz+uY4+LG5HgNRez3+?!a3TK4l20K#dKul}S1X^c|D5*ht(Lr6Lp|o|5m9h&}k{Io3 z2bX&Iw=7I8MSk)j6<}yM$E~+D33jeghd*d~OR1{2yHSKTSJ5Ddbr8*x1tuVwWqO zm(STUm9!VF_D1eD-|1u*^DfD3`YD!N5Ma0{9{#-?EE)v3IEu}d8gDwS-ER+E8rZgE zf0Z22t8$i)st=Ui+u0|z0^$+Kv!JzrQfaNMt`89@{?0_a^=%RbGYwET1(%D*? z3D_p~fkbVHDnd&*P49jP$yVe6Mc%BcILhs2WO>1apqC{uy3k%9pfz>|PYKMFUlB=S z91O09Iq0c2c3hgXuA`ba@S{{LkZUn}K`tYETbL5n*@#?U`LzW-+qR&DtFDHQ^Jo=` z8e20zVa}plSnasdPKuf>(+3h?EfO?rHq|I+A$ovngS98xAXfJ^NJ@<_c~5VJsW9BD z9rClQia4c^ZZbp#VY~VG4e1mZQCiOT-)C~0oS%1tw+O-o{&n`%lm@H&to9kRB0}kodpXchA!8jJ z(#g1{B7=R!f2z$p6n8oIr;!ZvDgnf1nKpqV?7*p4%n| z<4of}Bh~{*S=4u~MBC1-_#^BQrzIYpE4LM8URRP6xQs|q>x)4bBvelMz{!Jm)Ub=H zsRRWXJ(b@1LEx!WirzKL=Zth?Rlrqn8_1zwT>7GiOY&~#i1=N1_-|ij=8Zz>HQUfF1 za1zKxde!w>PQWsJ0t9=~@a(i$>bixUcBVoJ$P+0BQ%MvZ(bt=(Y`SUHkLW#vYP9uW z9Y3$%#349<^e-F~hQ8yxE>Q5fGkp>=#f%SAo#E(ctr2P(ij{#!(%ojYx)ReM zCVG}|if(EAsb7e{RLYi3CH#X(pP-4>S7+AJL^UpI!R$ucNB~80-Y)p&Q#)S?yd4S? zh`#2tu1rIp33a%38#g|9@T!iJDv$BJ9meZn9hX|Wc4WXTPsL`;>;#uQuVGtd|XTUCOLtf{rf zc+cO4k4}9O>17(BYS-0V1n@a-eCh!PNW@&TXm=)(Cwhb&NohRyN_jjwe7=#eic&Qg#kxWFz1{EuhyrSG2ZH&#yKR DM#`F` literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 12474e2..b034539 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -13,6 +13,8 @@ in "jwt.age".publicKeys = [ hub ]; "authelia_session.age".publicKeys = [ hub ]; "authelia_storage.age".publicKeys = [ hub ]; + "authelia_oidc_hmac_secret.age".publicKeys = [ hub ]; + "authelia_oidc_issuer_private_key.age".publicKeys = [ hub ]; "cloudflare_api.age".publicKeys = [ hub ]; "ts_auth_key.age".publicKeys = [ hub