fix(authelia,lldap): Persist important state directories

2025-02-21 18:20:21 -07:00
parent 01d8e5986c
commit a29fcde32d
2 changed files with 139 additions and 145 deletions
--- a/modules/nixos/deertopia/authelia.nix
+++ b/modules/nixos/deertopia/authelia.nix
@@ -11,13 +11,6 @@ in {
      type = lib.types.port;
      default = 9091;
    };
-    stateDirectory = lib.mkOption {
-      description = ''
-        The directory under which Authelia's general state will be stored.
-      '';
-      type = lib.types.path;
-      default = "/var/lib/authelia-deertopia";
-    };
    bindUserName = lib.mkOption {
      description = ''
        The name of the LDAP user Authelia will bind as.
@@ -27,7 +20,9 @@ in {
    };
  };

-  config = lib.mkIf cfg.enable {
+  config = lib.mkIf cfg.enable
+    (let authelia-state-dir = "/var/lib/authelia-deertopia";
+     in {
       sydnix.sops.secrets =
         let e = {
               mode = "0600";
@@ -41,14 +36,9 @@ in {
           authelia-authentication-backend-ldap-password = e;
         };

-    # I don't think the Authelia NixOS module exposes or even creates any paths
-    # for the service's state.  No big deal, we'll do it ourselves…
-    #
-    # It is obligatory that I mention tmpfiles.d(5) every time this setting is used.
-    systemd.tmpfiles.settings."10-authelia".${cfg.stateDirectory} = {
-      v.user = config.services.authelia.instances."deertopia".user;
-      v.group = config.services.authelia.instances."deertopia".group;
-    };
+       sydnix.impermanence.directories = [
+         authelia-state-dir
+       ];

       # See:
       #  - https://github.com/authelia/authelia/blob/v4.38.19/config.template.yml
@@ -74,7 +64,7 @@ in {
           theme = "auto";
           server = {
             address = "tcp://:${builtins.toString cfg.httpPort}";
-          asset_path = "${cfg.stateDirectory}/assets";
+             asset_path = "${authelia-state-dir}/assets";
             # Necessary for Nginx integration.  No, I do not understand what it
             # does.
             endpoints.authz.auth-request.implementation = "AuthRequest";
@@ -134,16 +124,16 @@ in {
               }
             ];
           };
-        storage.local.path = "${cfg.stateDirectory}/db.sqlite";
+           storage.local.path = "${authelia-state-dir}/db.sqlite";
           notifier = {
             disable_startup_check = false;
-          filesystem.filename = "${cfg.stateDirectory}/notifications";
+             filesystem.filename = "${authelia-state-dir}/notifications";
           };
           # Default is false, which prevents anything from showing up when you run
           # `systemctl status authelia-deertopia`, which is really, really confusing.
           log = {
             keep_stdout = true;
-          file_path = "${cfg.stateDirectory}/authelia.log";
+             file_path = "${authelia-state-dir}/authelia.log";
           };
         };
       };
@@ -179,5 +169,5 @@ in {
        '';
         };
       };
-  };
+     });
 }
--- a/modules/nixos/deertopia/lldap.nix
+++ b/modules/nixos/deertopia/lldap.nix
@@ -18,6 +18,10 @@ in {
    };
    users.groups.lldap = {};

+    sydnix.impermanence.directories = [
+      "/var/lib/private/lldap"
+    ];
+
    sydnix.sops.secrets =
      let e = {
            mode = "0440";