nixos/authelia: Remove options incompatible with new settings

- Remove settings.server.{host,port} options
  - Replaced by settings.server.address

- Remove secrets.oidcIssuerPrivateKeyFile
  - Not mappable securely to newer config keys

- Change secrets.jwtSecretFile env variable mapping
  - Previously: AUTHELIA_JWT_SECRET_FILE
  - Now: AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE

nixos/doc/manual/release-notes/rl-2405.section.md

@@ -36,6 +36,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 
  This release also depreciates some configuration keys, which are likely to be removed in future version 5.0, but they are still supported and expected to be working in the current version.
 
+ Some NixOS configuration defined in the module has however been removed: see the backwards-incompatible section for more information.
+
 - The PipeWire and WirePlumber modules have removed support for using
 `environment.etc."pipewire/..."` and `environment.etc."wireplumber/..."`.
 Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for PipeWire and
@@ -333,6 +335,11 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - Ada packages (libraries and tools) have been moved into the `gnatPackages` scope. `gnatPackages` uses the default GNAT compiler, `gnat12Packages` and `gnat13Packages` use the respective matching compiler version.
 
+- Some Authelia options have been replaced or removed
+ - `services.authelia.instances.<name>.settings.server.{host,port}` options have been replaced with `services.authelia.instances.<name>.settings.server.address`. Usage of the former options will result in a nixos-rebuild build error.
+ See the [Authelia documentation](https://www.authelia.com/configuration/miscellaneous/server/#address) for the new setting.
+ - `services.authelia.instances.<name>.secrets.oidcIssuerPrivateKeyFile` option has been removed. For security purposes, it is advised to set the `identity_providers.oidc.jwks.key` Authelia setting using `services.authelia.<name>.settingsFiles`, and setting the appropriate file permissions.
+
 - `spark2014` has been renamed to `gnatprove`. A version of `gnatprove` matching different GNAT versions is available from the different `gnatPackages` sets.
 
 - `services.resolved.fallbackDns` can now be used to disable the upstream fallback servers entirely by setting it to an empty list. To get the previous behaviour of the upstream defaults set it to null, the new default, instead.

nixos/modules/services/security/authelia.nix

@@ -8,7 +8,6 @@ let
  cfg = config.services.authelia;
 
  format = pkgs.formats.yaml { };
- configFile = format.generate "config.yml" cfg.settings;
 
  autheliaOpts = with lib; { name, ... }: {
  options = {
@@ -71,14 +70,6 @@ let
  '';
  };
 
- oidcIssuerPrivateKeyFile = mkOption {
- type = types.nullOr types.path;
- default = null;
- description = ''
- Path to your private key file used to encrypt OIDC JWTs.
- '';
- };
-
  oidcHmacSecretFile = mkOption {
  type = types.nullOr types.path;
  default = null;
@@ -156,18 +147,12 @@ let
  };
 
  server = {
- host = mkOption {
+ address = mkOption {
  type = types.str;
- default = "localhost";
- example = "0.0.0.0";
+ default = "tcp://:9091/";
+ example = "unix:///var/run/authelia.sock";
  description = "The address to listen on.";
  };
-
- port = mkOption {
- type = types.port;
- default = 9091;
- description = "The port to listen on.";
- };
  };
 
  log = {
@@ -291,10 +276,9 @@ in
  after = [ "network.target" ];
  environment =
  (lib.filterAttrs (_: v: v != null) {
- AUTHELIA_JWT_SECRET_FILE = instance.secrets.jwtSecretFile;
+ AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE = instance.secrets.jwtSecretFile;
  AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = instance.secrets.storageEncryptionKeyFile;
  AUTHELIA_SESSION_SECRET_FILE = instance.secrets.sessionSecretFile;
- AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE = instance.secrets.oidcIssuerPrivateKeyFile;
  AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE = instance.secrets.oidcHmacSecretFile;
  })
  // instance.environmentVariables;
@@ -379,6 +363,28 @@ in
  Do not include raw secrets in nix settings.
  '';
  }
+ # Removed options. Cannot use mkRemovedOptionModule (or similar methods) due to errors.
+ # See https://github.com/NixOS/nixpkgs/pull/299309#issuecomment-2038240493
+ {
+ assertion = !((instance.settings.server ? host) || (instance.settings.server ? port));
+ message = ''
+ The options `services.authelia.${name}.settings.server.host' and `services.authelia.${name}.settings.server.port'
+ have been replaced with `services.authelia.${name}.settings.server.address'.
+ '';
+ }
+ {
+ assertion = !(instance.secrets ? oidcIssuerPrivateKeyFile);
+ message = ''
+ The option `services.authelia.${name}.secrets.oidcIssuerPrivateKeyFile' has been removed.
+ Previously, this mapped to an environment variable, but Authelia now requires this
+ to be defined in `identity_providers.oidc.jwks.key'.
+
+ As the template file filter does not play well with the YAML conversion of the NixOS
+ attribute set, it is advised for security purposes to instead set this setting in
+ another YAML configuration file using `services.authelia.${name}.settingsFiles',
+ with the appropriate file permissions.
+ '';
+ }
  ]
  ));