Add open-webui and partially integrate OIDC into Authelia.

2025-03-11 11:18:13 -05:00 · 2025-03-11 11:18:13 -05:00 · 56ecff913a
commit 56ecff913a
parent f29bbe2415
5 changed files with 37 additions and 4 deletions
--- a/hosts/hub/apps/open-webui.nix
+++ b/hosts/hub/apps/open-webui.nix
@ -1,5 +1,7 @@
-{ config, ... }:
-
+let
+  clientId = "xqV9QLU4JAP7i47XEa9ABbjP8MKWK3VUt1vHaTAaZYTYFdFqGkrlGmTPTAnvDDsvAb
+w518mk";
+in
 {
  systemd.tmpfiles.rules = [
    "d /var/lib/open-webui 0755 root root"
@ -11,10 +13,18 @@
      "8090:8080"
    ];
    volumes = [ "/var/lib/open-webui:/app/backend/data" ];
+    environment = {
+      WEBUI_AUTH_TRUSTED_NAME_HEADER = "Remote-Name";
+      WEBUI_AUTH_TRUSTED_EMAIL_HEADER = "Remote-Email";
+    };
  };

  services.caddy.virtualHosts."https://open-webui.tailc50184.ts.net".extraConfig = ''
    bind tailscale/open-webui
+    forward_auth localhost:9091 {
+      uri /api/authz/forward-auth
+      copy_headers Remote-Email Remote-Name
+    }
    reverse_proxy http://localhost:8090
  '';

--- a/roles/authelia.nix
+++ b/roles/authelia.nix
@ -1,4 +1,4 @@
-{ config, ... }:
+{ pkgs, config, ... }:

 {
  age.secrets = {
@ -24,6 +24,18 @@
      group = "authelia-main";
      mode = "440";
    };
+    autheliaOidcHmacSecret = {
+      file = ../secrets/authelia_oidc_hmac_secret.age;
+      owner = "authelia-main";
+      group = "authelia-main";
+      mode = "440";
+    };
+    autheliaOidcIssuerPrivateKey = {
+      file = ../secrets/authelia_oidc_issuer_private_key.age;
+      owner = "authelia-main";
+      group = "authelia-main";
+      mode = "440";
+    };
  };
  services = {
    postgresql = {
@ -41,6 +53,8 @@
        jwtSecretFile = config.age.secrets.jwt.path;
        sessionSecretFile = config.age.secrets.autheliaSession.path;
        storageEncryptionKeyFile = config.age.secrets.autheliaStorageEncryptionKey.path;
+        # oidcHmacSecretFile = config.age.secrets.autheliaOidcHmacSecret.path;
+        # oidcIssuerPrivateKeyFile = config.age.secrets.autheliaOidcIssuerPrivateKey.path;
      };
      environmentVariables = {
        AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.age.secrets.ldap.path;
@ -110,8 +124,10 @@
    };
    caddy.globalConfig = ''
      servers {
-        trusted_proxies static 192.168.0.1
+        trusted_proxies static private_ranges
      }
    '';
  };
+
+  environment.systemPackages = with pkgs; [ authelia ];
 }
--- a/secrets/authelia_oidc_hmac_secret.age
+++ b/secrets/authelia_oidc_hmac_secret.age
@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 5X7MKw FvumZTxDU0bBRTRSy43HVox2qoigg4BK4h/SYhxd/3Y
+34GKCl2Wa235MioYWuaIOyV6RJpc8J4tAsEwyxE65w0
+--- cDUMLVhu3ja3C6eWkXYBp+uSfdT67s3QaqUJlwCR1WU
+oã±RuúÆ-“9,‹Æã …Ñ53^µ®ÔüjÄEZÏ§HMÊd¾^«ö›ó¬û^ìe!
Ùë/(/œòþ‚n=0QwM†ýA•!-\ž‚b½
--- a/secrets/authelia_oidc_issuer_private_key.age
+++ b/secrets/authelia_oidc_issuer_private_key.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -13,6 +13,8 @@ in
  "jwt.age".publicKeys = [ hub ];
  "authelia_session.age".publicKeys = [ hub ];
  "authelia_storage.age".publicKeys = [ hub ];
+  "authelia_oidc_hmac_secret.age".publicKeys = [ hub ];
+  "authelia_oidc_issuer_private_key.age".publicKeys = [ hub ];
  "cloudflare_api.age".publicKeys = [ hub ];
  "ts_auth_key.age".publicKeys = [
    hub