authelia: 4.37.5 -> 4.38.9 #299309

Merged: 3 commits, Jul 17, 2024
6 changes: 6 additions & 0 deletions maintainers/maintainer-list.nix
@@ -14395,6 +14395,12 @@
name = "Nicolas Goudry";
keys = [ { fingerprint = "21B6 A59A 4E89 0B1B 83E3 0CDB 01C8 8C03 5450 9AA9"; } ];
};
nicomem = {
email = "nix@nicomem.com";
github = "nicomem";
githubId = 24990385;
name = "Nicolas Mémeint";
};
nicoo = {
email = "nicoo@debian.org";
github = "nbraud";
3 changes: 3 additions & 0 deletions nixos/doc/manual/release-notes/rl-2411.section.md
@@ -10,6 +10,9 @@
This also allows configuring runtime settings of AMDVLK and enabling experimental features.
- The `moonlight-qt` package ([Moonlight game streaming](https://moonlight-stream.org/)) now has HDR support on Linux systems.

- `authelia` has been upgraded to version 4.38. This version brings several features and improvements which are detailed in the [release blog post](https://www.authelia.com/blog/4.38-release-notes/).
This release also deprecates some configuration keys, which are likely to be removed in future version 5.0, but they are still supported and expected to be working in the current version.

## New Services {#sec-release-24.11-new-services}

- [Open-WebUI](https://github.com/open-webui/open-webui), a user-friendly WebUI
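Review bot: the release note says "some configuration keys" are deprecated but never says which, so a reader cannot tell whether their configuration is affected without evaluating it; name them in the note, e.g. `services.authelia.instances.<name>.settings.server.{host,port,path}` replaced by `settings.server.address`, which is exactly what the warning added later in this PR checks for. Wording: "in future version 5.0" reads better as "in a future 5.0 release", and "expected to be working" as "expected to work".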
48 changes: 34 additions & 14 deletions nixos/modules/services/security/authelia.nix
@@ -8,7 +8,6 @@ let
cfg = config.services.authelia;

format = pkgs.formats.yaml { };
configFile = format.generate "config.yml" cfg.settings;

autheliaOpts = with lib; { name, ... }: {
Contributor

Suggested change
autheliaOpts = with lib; { name, ... }: {
autheliaOpts = with lib; { name, config, ... }: {

This config will be scoped to per-instance, because autheliaOpts is passed to types.submodule.

That way, it should be possible to do warnings per affected instance.

Contributor Author

Using config here allows for accessing the instance configuration (thank you for the tip), however I still get the infinite recursion :/

I think that it is because I try to lazily define settings (i.e. the address option of the submodule settings) while trying to access the "final state" of settings (i.e. the host/port/path).

When I set the condition to something outside settings (e.g. config.enable), it works.
It is when I try to use something in settings that it breaks.

Also, when using eager functions (e.g. lib.optionalString), it compiles, but the key is still defined in the YAML configuration file (address: ''), and Authelia yells about defining both old and new keys.

Contributor

Hm :/ I'd have to take a look to say more, but I guess last resort would be a top-level mapAttrsToList, to generate config.warnings manually ....

options = {
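Review bot: dropping the top-level `configFile` is right, since the config is generated per instance further down in this patch, but it leaves `format` at this let-scope with no nearby consumer; a one-line comment that `format` is used by `format.generate` in `mkInstanceServiceConfig` would keep the next reader from treating it as dead code. The thread above suggests `{ name, config, ... }` for `autheliaOpts`; as the final patch warns from `mkInstanceServiceConfig` instead, the unchanged signature here is fine, but the thread should be marked resolved so it does not look like an open request.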
@@ -156,18 +155,12 @@ let
};

server = {
host = mkOption {
address = mkOption {
type = types.str;
default = "localhost";
example = "0.0.0.0";
default = "tcp://:9091/";
Contributor

  • Defining a default value in the module will break the config of those that are defining host, port or path

That's an excellent point.

Suggested change
default = "tcp://:9091/";
default = if not isNull cfg.settings.host or cfg.settings.port or cfg.settings.path or null then warn "Please replace services.authelia.setings.{host,port,path} with services.authelia.settings.address, before release 4.39" null else "tcp://:9091/";

WARNING untested and probably not working

Maybe something like this could smooth over the transition ...

Contributor Author

I could not find a way to make this work:

The first problem is that there can be multiple authelia instances, some using the old settings, and others using the new one -> The default value being applied to all, there will be problems.

If we suppose that there is only one instance, after fixing the condition (the settings are accessed with cfg.instances.<name>.settings.server.{host,port,path}), this still generates the server.address setting in the YAML file, with the value null.

I tried to instead conditionally set the default value by doing this:

address = mkOption ({
    type = types.str;

    example = "unix:///var/run/authelia.sock";
    description = "The address to listen on.";
  } // lib.optionalAttrs
    (
      let
        instance0 = builtins.elemAt (builtins.attrValues cfg.instances) 0;
      in
      if (instance0.settings.server.host != null) ||
        (instance0.settings.server.port != null) ||
        (instance0.settings.server.path != null) then
        warn "Please replace services.authelia.setings.{host,port,path} with services.authelia.settings.address, before release 4.39" false
      else true
    )
    {
      default = "tcp://:9091/";
    });
};

, but nix encounters an infinite recursion...

Contributor

Hm, yeah, I think the infinite recursion comes from builtins.elemAt and/or builtins.attrValues being eager.

Also it seems like that snippet would set the default for each authelia instance, based on the setting of the (arbitrary) first one. I don't think that's what we want to be doing.

Try taking a config argument in the function for autheliaOpts, see comment below.

example = "unix:///var/run/authelia.sock?path=authelia&umask=0117";
description = "The address to listen on.";
};

port = mkOption {
type = types.port;
default = 9091;
description = "The port to listen on.";
};
};

log = {
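Review bot: the new `default = "tcp://:9091/";` silently changes the module's default exposure. The removed `host` option defaulted to `"localhost"`, whereas an address with an empty host part listens on all interfaces as far as the upstream address format goes, so an instance that previously only answered on loopback becomes reachable from the network after this upgrade with no change to the user's configuration. Either preserve the old behaviour with `default = "tcp://127.0.0.1:9091/";` or state the new default explicitly in the release-note hunk above, so that operators relying on a reverse proxy in front of loopback notice it. The `port` option removal below is consistent with that, but its disappearance should also be named in the deprecation warning text.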
@@ -233,6 +226,23 @@ let
};
};
};

writeOidcJwksConfigFile = oidcIssuerPrivateKeyFile: pkgs.writeText "oidc-jwks.yaml" ''
identity_providers:
oidc:
jwks:
- key: {{ secret "${oidcIssuerPrivateKeyFile}" | mindent 10 "|" | msquote }}
'';

# Remove an attribute in a nested set
# https://discourse.nixos.org/t/modify-an-attrset-in-nix/29919/5
removeAttrByPath = set: pathList:
lib.updateManyAttrsByPath [{
path = lib.init pathList;
update = old:
lib.filterAttrs (n: v: n != (lib.last pathList)) old;
}]
set;
in
{
options.services.authelia.instances = with lib; mkOption {
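Review bot: `writeOidcJwksConfigFile` only writes the `{{ secret "<path>" ... }}` template into the store, so the private key is read by Authelia at service start and is never copied into /nix/store; that is the property we want, but it deserves a one-line comment, because `pkgs.writeText` next to a secret path is easy to misread as embedding the key. It is also worth noting there that the template is only expanded when `X_AUTHELIA_CONFIG_FILTERS` includes `template` (set in a later hunk), so this file is not usable on its own. For `removeAttrByPath`, the comment should say that it assumes the parent path (`lib.init pathList`, here `server`) exists in the set and removes nothing if the final key is absent; with `[ "server" "address" ]` that holds because `server` is a declared option, but the helper reads as more general than it is.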
@@ -281,20 +291,30 @@ in
let
mkInstanceServiceConfig = instance:
let
cleanedSettings =
if (instance.settings.server?host || instance.settings.server?port || instance.settings.server?path) then
# Old settings are used: display a warning and remove the default value of server.address
# as authelia does not allow both old and new settings to be set
lib.warn "Please replace services.authelia.instances.${instance.name}.settings.{host,port,path} with services.authelia.instances.${instance.name}.settings.address, before release 5.0.0"
(removeAttrByPath instance.settings [ "server" "address" ])
else
instance.settings;

execCommand = "${instance.package}/bin/authelia";
configFile = format.generate "config.yml" instance.settings;
configArg = "--config ${builtins.concatStringsSep "," (lib.concatLists [[configFile] instance.settingsFiles])}";
configFile = format.generate "config.yml" cleanedSettings;
oidcJwksConfigFile = lib.optional (instance.secrets.oidcIssuerPrivateKeyFile != null) (writeOidcJwksConfigFile instance.secrets.oidcIssuerPrivateKeyFile);
configArg = "--config ${builtins.concatStringsSep "," (lib.concatLists [[configFile] instance.settingsFiles oidcJwksConfigFile])}";
in
{
description = "Authelia authentication and authorization server";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
environment =
(lib.filterAttrs (_: v: v != null) {
AUTHELIA_JWT_SECRET_FILE = instance.secrets.jwtSecretFile;
X_AUTHELIA_CONFIG_FILTERS = lib.mkIf (oidcJwksConfigFile != [ ]) "template";
AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE = instance.secrets.jwtSecretFile;
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = instance.secrets.storageEncryptionKeyFile;
AUTHELIA_SESSION_SECRET_FILE = instance.secrets.sessionSecretFile;
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE = instance.secrets.oidcIssuerPrivateKeyFile;
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE = instance.secrets.oidcHmacSecretFile;
})
// instance.environmentVariables;
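Review bot: the `lib.warn` message in `cleanedSettings` points users at the wrong option paths. The condition on the line above tests `instance.settings.server?host` (and `port`, `path`), and the replacement key is `server.address`, but the message names `settings.{host,port,path}` and `settings.address` without the `server` level; suggest `Please replace services.authelia.instances.${instance.name}.settings.server.{host,port,path} with services.authelia.instances.${instance.name}.settings.server.address, before release 5.0.0`. Two smaller points: `instance.secrets.jwtSecretFile` is exported as both `AUTHELIA_JWT_SECRET_FILE` and `AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE`, so a comment stating which spelling is the deprecated one would help whoever does the next upgrade; and `X_AUTHELIA_CONFIG_FILTERS = lib.mkIf (oidcJwksConfigFile != [ ]) "template";` is the switch that makes the `{{ secret ... }}` template in `writeOidcJwksConfigFile` expand, which a short comment next to it should say, since the `filterAttrs (_: v: v != null)` wrapper does not filter a `mkIf` value and the connection is otherwise invisible.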
6 changes: 3 additions & 3 deletions pkgs/servers/authelia/default.nix
@@ -1,8 +1,8 @@
{ lib, fetchFromGitHub, buildGoModule, installShellFiles, callPackage, nixosTests }:
{ lib, nodejs, pnpm, fetchFromGitHub, buildGoModule, installShellFiles, callPackage, nixosTests }:

let
inherit (import ./sources.nix { inherit fetchFromGitHub; }) pname version src vendorHash;
web = callPackage ./web.nix { };
web = callPackage ./web.nix { inherit nodejs pnpm fetchFromGitHub; };
in
buildGoModule rec {
inherit pname version src vendorHash;
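Review bot: `callPackage ./web.nix { inherit nodejs pnpm fetchFromGitHub; }` passes three arguments that `callPackage` would already resolve from `pkgs` by name, so the explicit `inherit` only matters when someone overrides `nodejs` or `pnpm` on this derivation and wants `web.nix` to follow; if that is the intent, a comment saying so would explain why these three are threaded through while the rest are not.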
@@ -72,7 +72,7 @@ buildGoModule rec {
authentication.
'';
license = licenses.asl20;
maintainers = with maintainers; [ jk dit7ya ];
maintainers = with maintainers; [ jk dit7ya nicomem ];
mainProgram = "authelia";
};
}