fix(authelia,lldap): Persist important state directories

Madeleine Sydney
2025-02-21 18:20:21 -07:00
parent 01d8e5986c
commit a29fcde32d
2 changed files with 139 additions and 145 deletions


@@ -11,13 +11,6 @@ in {
type = lib.types.port; type = lib.types.port;
default = 9091; default = 9091;
}; };
stateDirectory = lib.mkOption {
description = ''
The directory under which Authelia's general state will be stored.
'';
type = lib.types.path;
default = "/var/lib/authelia-deertopia";
};
bindUserName = lib.mkOption { bindUserName = lib.mkOption {
description = '' description = ''
The name of the LDAP user Authelia will bind as. The name of the LDAP user Authelia will bind as.
@@ -27,7 +20,9 @@ in {
}; };
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable
(let authelia-state-dir = "/var/lib/authelia-deertopia";
in {
sydnix.sops.secrets = sydnix.sops.secrets =
let e = { let e = {
mode = "0600"; mode = "0600";
@@ -41,14 +36,9 @@ in {
authelia-authentication-backend-ldap-password = e; authelia-authentication-backend-ldap-password = e;
}; };
# I don't think the Authelia NixOS module exposes or even creates any paths sydnix.impermanence.directories = [
# for the service's state. No big deal, we'll do it ourselves… authelia-state-dir
# ];
# It is obligatory that I mention tmpfiles.d(5) every time this setting is used.
systemd.tmpfiles.settings."10-authelia".${cfg.stateDirectory} = {
v.user = config.services.authelia.instances."deertopia".user;
v.group = config.services.authelia.instances."deertopia".group;
};
# See: # See:
# - https://github.com/authelia/authelia/blob/v4.38.19/config.template.yml # - https://github.com/authelia/authelia/blob/v4.38.19/config.template.yml
@@ -74,7 +64,7 @@ in {
theme = "auto"; theme = "auto";
server = { server = {
address = "tcp://:${builtins.toString cfg.httpPort}"; address = "tcp://:${builtins.toString cfg.httpPort}";
asset_path = "${cfg.stateDirectory}/assets"; asset_path = "${authelia-state-dir}/assets";
# Necessary for Nginx integration. No, I do not understand what it # Necessary for Nginx integration. No, I do not understand what it
# does. # does.
endpoints.authz.auth-request.implementation = "AuthRequest"; endpoints.authz.auth-request.implementation = "AuthRequest";
@@ -134,16 +124,16 @@ in {
} }
]; ];
}; };
storage.local.path = "${cfg.stateDirectory}/db.sqlite"; storage.local.path = "${authelia-state-dir}/db.sqlite";
notifier = { notifier = {
disable_startup_check = false; disable_startup_check = false;
filesystem.filename = "${cfg.stateDirectory}/notifications"; filesystem.filename = "${authelia-state-dir}/notifications";
}; };
# Default is false, which prevents anything from showing up when you run # Default is false, which prevents anything from showing up when you run
# `systemctl status authelia-deertopia`, which is really, really confusing. # `systemctl status authelia-deertopia`, which is really, really confusing.
log = { log = {
keep_stdout = true; keep_stdout = true;
file_path = "${cfg.stateDirectory}/authelia.log"; file_path = "${authelia-state-dir}/authelia.log";
}; };
}; };
}; };
@@ -179,5 +169,5 @@ in {
''; '';
}; };
}; };
}; });
} }
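Review bot: Dropping the tmpfiles rule (the removed `v.user`/`v.group` lines in the hunk at `@@ -41,14 +36,9 @@`) leaves nothing visible that sets the owner or mode of `authelia-state-dir`; the new impermanence entry only names the path. Authelia's sqlite database, notifications file and log all live under that directory (the later hunks), so if the persisted directory is created root-owned the service cannot write there, and if it is created with a permissive default mode the database becomes readable to other local users. If `sydnix.impermanence.directories` passes entries through to the upstream impermanence module, which accepts a per-directory attrset with user, group and mode, pass those alongside the path; otherwise keep the tmpfiles rule keyed on `authelia-state-dir`. The enclosing `config = lib.mkIf cfg.enable (let … in { … })` begins and ends outside this hunk.
```nix
sydnix.impermanence.directories = [
  {
    directory = authelia-state-dir;
    user = config.services.authelia.instances."deertopia".user;
    group = config.services.authelia.instances."deertopia".group;
    mode = "0700";
  }
];
# … unchanged: sydnix.sops.secrets and the settings block …
```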


@@ -18,6 +18,10 @@ in {
}; };
users.groups.lldap = {}; users.groups.lldap = {};
sydnix.impermanence.directories = [
"/var/lib/private/lldap"
];
sydnix.sops.secrets = sydnix.sops.secrets =
let e = { let e = {
mode = "0440"; mode = "0440";