authelia: 4.37.5 -> 4.38.9 #299309
Conversation
Notify maintainers: @06kellyjac @RaitoBezarius @dit7ya
Gave a try setting this up and the module will need reworking for people who want to take advantage of unix sockets
The service config will have to be updated. Using
Gave a try at updating the module (I do not have much experience with that), and currently have the following to keep the host+port settings working but transformed into the address (for backwards compatibility):

```nix
# In autheliaOpts, remove server.host & server.port and add server.address
imports =
  # settings.server.address should be set instead of host + port
  (map
    (name:
      let
        serverConfigPath = [ "services" "authelia" "instances" name "settings" "server" ];
        hostConfigPath = serverConfigPath ++ [ "host" ];
        portConfigPath = serverConfigPath ++ [ "port" ];
        addressConfigPath = serverConfigPath ++ [ "address" ];
      in
      lib.mkMergedOptionModule
        [
          hostConfigPath
          portConfigPath
        ]
        addressConfigPath
        (config:
          let
            host = lib.attrByPath hostConfigPath "" config;
            port = lib.attrByPath portConfigPath 9091 config;
          in
          # port is an integer, so it has to be converted before interpolation
          "tcp://${host}:${toString port}/"
        )
    )
    (lib.attrNames cfg.instances));
```

However, this has two problems:
If someone has any idea on how to fix this or a better way of doing things, feel free to share your thoughts. |
To make life simple for yourself, I would just deprecate the config option and show the user where to find the new one. You can use
Updated the module again because other options had problems with the new settings:
Updated the manual & added an assertion in the same way as the previously removed options
Added a commit to add myself as a maintainer. Re-pinging the maintainers: @06kellyjac @dit7ya. In case the maintainers still do not respond, also adding @AndersonTorres who merged the init PR (#180469), and @marsam who merged the last authelia PR (#266455)
Tried to see if we could avoid vendoring the
The solution seems to work well! I added this modification to the PR
Changes:
Found more problems during testing:

- error occurred performing deprecation mapping for keys 'server.host', 'server.port', and 'server.path' to new key server.address: the new key already exists with value 'unix:///run/authelia/http' but the deprecated keys and the new key can't both be configured

  According to the error message, the `address` option not just supersedes `host` and `port`, but also the `path` option.
  I am using the `path` configuration option. Right now, I'm not sure how to combine that into the `address` option, together with a unix socket path. This is not a problem to necessarily be solved as part of this PR - I will ask about it upstream - but it is an example for why it's preferable to not put additional restrictions on what's accepted upstream. EDIT: found out, you can pass a `?path=...` argument to the unix socket address.

- Second error: identity_providers: oidc: option jwks must not be configured at the same time as 'issuer_private_key' or 'issuer_certificate_chain'

  This one looks like it should be fixed in my config. I'll check on how to do that. EDIT: solved it. I could update my cert chain config. Will contribute this.

So, I managed to get everything running with this PR now, but I feel like the assertion doesn't cut it. To summarize:
@bendlas I removed the assertion because, as you said, we won't validate all the options. Another thing that I thought about is the default value of the
Excellent!
default = "localhost"; | ||
example = "0.0.0.0"; | ||
default = "tcp://:9091/"; | ||
example = "unix:///var/run/authelia.sock"; |
example = "unix:///var/run/authelia.sock"; | |
example = "unix:///var/run/authelia.sock?path=authelia&umask=0117"; |
This is how I'm running it. I think that's useful as an example, because it shows how to do socket permissions, and in particular, how to translate the `path` setting.
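An added illustration of the address mapping discussed in this thread (not code from nixpkgs or Authelia): it builds the new `server.address` from the legacy host/port/path values, parses the unix-socket form with the `?path=...&umask=...` arguments, and applies the warn-and-prefer-legacy rule the PR settled on; key names and defaults are assumptions taken from this thread.

```python
# Added example for this thread (not code from nixpkgs or Authelia): translate the
# legacy settings.server.{host,port,path} values into the 4.38 server.address form,
# parse an address back (including the unix-socket ?path=&umask= arguments), and
# apply the warn-and-prefer-legacy rule. Key names and defaults are assumptions.
from urllib.parse import parse_qs, urlsplit

DEFAULT_ADDRESS = "tcp://:9091/"  # default proposed in the PR

def legacy_to_address(host="", port=9091, path=""):
    """host/port/path -> 'tcp://host:port/subpath' (empty host = all interfaces)."""
    return f"tcp://{host}:{port}/{path.strip('/')}"

def parse_address(address):
    """Split a listener address into its parts.

    tcp://host:port/sub               -> scheme, host, port, path
    unix:///sock?path=sub&umask=0117  -> scheme, socket, path, umask, socket_mode
    """
    u = urlsplit(address)
    query = {k: v[-1] for k, v in parse_qs(u.query).items()}
    if u.scheme == "unix":
        umask = int(query["umask"], 8) if "umask" in query else None  # octal string
        return {
            "scheme": "unix",
            "socket": u.path,
            "path": query.get("path", ""),
            "umask": umask,
            # the kernel creates the socket node as 0777 masked by the umask, so
            # umask=0117 yields a 0660 socket accessible only to owner and group
            "socket_mode": (0o777 & ~umask) if umask is not None else None,
        }
    if u.scheme != "tcp":
        raise ValueError(f"unsupported scheme: {u.scheme!r}")
    return {"scheme": "tcp", "host": u.hostname or "", "port": u.port or 9091,
            "path": u.path.strip("/")}

def resolve_server_address(server):
    """Apply the migration rule described in the PR to a settings.server dict:
    if any legacy key is set, warn and build the address from the legacy values
    (ignoring server.address); otherwise use server.address or the default.
    Returns (address, warnings)."""
    legacy = [k for k in ("host", "port", "path") if server.get(k) is not None]
    if legacy:
        warning = ("settings.server.{%s} are deprecated; set settings.server.address instead"
                   % ",".join(legacy))
        return legacy_to_address(server.get("host", ""), server.get("port", 9091),
                                 server.get("path", "")), [warning]
    return server.get("address", DEFAULT_ADDRESS), []
```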
I tried and did not manage to make it work.
Do you have a complete authelia config example available on github?
Modification applied
> I tried and did not manage to make it work. Do you have a complete authelia config example available on github?
What are you having your issue with @hatch01?
Have you had a working configuration with authelia on a subpath before?
I do have a working configuration. It's part of a larger approach, that I'm looking at open-sourcing real soon (tm). If you'd be interested in having a look at that, possibly helping out, I'm happy to share privately. Feel free to DM.
I'll reply in this thread, in order to avoid spamming the main thread more ...
I can obviously write in the file using sudo -u authelia echo test > /var/log/authelia/authelia.log and read it in the same way.
I think the usual way to do this within a nixos module is `systemd.tmpfiles.rules`.
If that still doesn't work let's take this elsewhere and let's try to keep this PR focussed on the out-of-box config + stuff that was verified to work before, please.
type = types.str; | ||
default = "localhost"; | ||
example = "0.0.0.0"; | ||
default = "tcp://:9091/"; |
- Defining a default value in the module will break the config of those that are defining host, port or path
That's an excellent point.
default = "tcp://:9091/"; | |
default = if not isNull cfg.settings.host or cfg.settings.port or cfg.settings.path or null then warn "Please replace services.authelia.setings.{host,port,path} with services.authelia.settings.address, before release 4.39" null else "tcp://:9091/"; |
WARNING untested and probably not working
Maybe something like this could smooth over the transition ...
I could not find a way to make this work:

The first problem is that there can be multiple authelia instances, some using the old settings, and others using the new one -> The default value being applied to all, there will be problems.

If we suppose that there is only one instance, after fixing the condition (the settings are accessed with `cfg.instances.<name>.settings.server.{host,port,path}`), this still generates the `server.address` setting in the YAML file, with the value `null`.

I tried to instead conditionally set the `default` value by doing this:

```nix
address = mkOption ({
  type = types.str;
  example = "unix:///var/run/authelia.sock";
  description = "The address to listen on.";
} // lib.optionalAttrs
  (
    let
      instance0 = builtins.elemAt (builtins.attrValues cfg.instances) 0;
    in
    if (instance0.settings.server.host != null) ||
       (instance0.settings.server.port != null) ||
       (instance0.settings.server.path != null) then
      warn "Please replace services.authelia.settings.{host,port,path} with services.authelia.settings.address, before release 4.39" false
    else true
  )
  {
    default = "tcp://:9091/";
  });
```

However, Nix encounters an infinite recursion...
Hm, yeah, I think the infinite recursion comes from `builtins.elemAt` and/or `builtins.attrValues` being eager.
Also it seems like that snippet would set the default for each authelia instance, based on the setting of the (arbitrary) first one. I don't think that's what we want to be doing.
Try taking a `config` argument in the function for `autheliaOpts`, see comment below.
Hi, are you using the `log.file_path` parameter?

juil. 07 16:17:57 nixos authelia[18380]: time="2024-07-07T16:17:57+02:00" level=fatal msg="Cannot configure logger: open /var/log/authelia/authelia.log: read-only file system" stack="github.com/authelia/authelia/v4/internal/commands/root.go:69 (*CmdCtx).RootRunE\ngithub.com/spf13/cobra@v1.8.1/command.go:985 (*Command).execute\ngithub.com/spf13/cobra@v1.8.1/command.go:1117 (*Command).ExecuteC\ngithub.com/spf13/cobra@v1.8.1/command.go:1041 (*Command).Execute\ngithub.com/authelia/authelia/v4/cmd/authelia/main.go:10 main\nruntime/internal/atomic/types.go:194 (*Uint32).Load\nruntime/asm_amd64.s:1695 goexit"

I don't know if it is caused by the update or if it was broken before. Ps:
The authelia instance
Sorry, I forgot to specify my config: https://github.com/hatch01/server-flake/blob/354a795dff56383e466ee414652a0e2441ccf2f3/apps/authelia.nix
Sorry if my explanation was not clear, but in your config, you are setting the Try setting If for some reason you still want/need to use the
@@ -8,7 +8,6 @@ let | |||
cfg = config.services.authelia; | |||
|
|||
format = pkgs.formats.yaml { }; | |||
configFile = format.generate "config.yml" cfg.settings; | |||
|
|||
autheliaOpts = with lib; { name, ... }: { |
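Review bot: the closing context line `autheliaOpts = with lib; { name, ... }: {` takes no `config` argument, so option definitions inside the submodule cannot inspect that instance's own `settings.server.{host,port,path}`; `{ name, config, ... }:` would give each instance a scoped `config` for per-instance warnings. The header `@@ -8,7 +8,6 @@` also records one removed line that does not appear in this rendered context, so the deletion itself cannot be reviewed here.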
autheliaOpts = with lib; { name, ... }: { | |
autheliaOpts = with lib; { name, config, ... }: { |
This `config` will be scoped per-instance, because `autheliaOpts` is passed to `types.submodule`.
That way, it should be possible to do warnings per affected instance.
Using `config` here allows for accessing the instance configuration (thank you for the tip), however I still get the infinite recursion :/
I think that it is because I try to lazily define `settings` (i.e. the `address` option of the submodule `settings`) while trying to access the "final state" of `settings` (i.e. the `host`/`port`/`path`).
When I set the condition to something outside `settings` (e.g. `config.enable`), it works. It is when I try to use something in `settings` that it breaks.
Also, when using eager functions (e.g. `lib.optionalString`), it compiles, but the key is still defined in the YAML configuration file (`address: ''`), and Authelia yells about defining both old and new keys.
Hm :/ I'd have to take a look to say more, but I guess the last resort would be a top-level `mapAttrsToList`, to generate `config.warnings` manually ....
Hi folks, may I ask if you have any ETA in mind for this PR? Regards
- Remove settings.server.{host,port} options
  - Replaced by settings.server.address
  - If any of settings.server.{host,port,path} are specified in the configuration, a warning is displayed and these values will be used instead of settings.server.address
- Change what secrets.oidcIssuerPrivateKeyFile maps to
  - Previously: AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
  - Now: identity_providers.oidc.jwks[0].key
  - Not done directly in the NixOS settings config but as a separate YAML config file
  - Done that way because Go templates are not correctly handled by the YAML generator (NixOS#319716)
- Change secrets.jwtSecretFile env variable mapping
  - Previously: AUTHELIA_JWT_SECRET_FILE
  - Now: AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE
Finally found a way to make the default value of Instead of trying to modify whether we set the default value of This seems to work well:
This now means that this PR does not bring any breaking change! Thanks again @bendlas for all the comments and ideas to make this work
Tested and works. Thanks @nicomem, for all your work and being receptive to feedback! I would merge this right now, except it feels like this should be something done by package maintainers. @06kellyjac and @dit7ya don't seem to have participated so far. Let's wait for the weekend, if they get around, otherwise I'll merge.
@dimakow Generally, there are no ETAs, as NixOS is volunteer work. A more productive way to ask something like this is to pick the PR onto your branch, try it out, and provide feedback based on your experience, or simply ask if there is any way to help move this along.
I've not seen it necessary to repeat valid suggestions already posted on quite an active PR.
I've not requested the commit-bit for nixpkgs so I can't merge.
LGTM I don't mind merging now or waiting for @dit7ya
@06kellyjac my bad, sorry. Thanks for approving. I'll merge.
Description of changes
Closes #296502
Package Update
Updated manually using the `update.sh` script (but as said in #296502, the nixpkgs-update bot will probably not be able to automatically update it). The 4.38.0 version has some big changes and some configuration deprecation, but simply by keeping my old configuration, everything seems to work fine (apart from the deprecation warnings).
Changelogs:
https://github.com/authelia/authelia/releases/tag/v4.38.0
https://github.com/authelia/authelia/releases/tag/v4.38.1
https://github.com/authelia/authelia/releases/tag/v4.38.2
https://github.com/authelia/authelia/releases/tag/v4.38.3
https://github.com/authelia/authelia/releases/tag/v4.38.4
https://github.com/authelia/authelia/releases/tag/v4.38.5
https://github.com/authelia/authelia/releases/tag/v4.38.6
https://github.com/authelia/authelia/releases/tag/v4.38.7
https://github.com/authelia/authelia/releases/tag/v4.38.8
https://github.com/authelia/authelia/releases/tag/v4.38.9
Module Update
Removals
`services.authelia.instances.<name>.settings.server.{host,port}`, and added `services.authelia.instances.<name>.settings.server.address`. If any of the former options are used, an assertion will be triggered.
Other changes
`services.authelia.instances.<name>.secrets.jwtSecretFile` now sets the `AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE` environment variable instead of `AUTHELIA_JWT_SECRET_FILE`
`services.authelia.instances.<name>.secrets.oidcIssuerPrivateKeyFile` now creates a new YAML config file to set `identity_providers.oidc.key` using templates