diff --git a/sys/srv/authentik.nix b/sys/srv/authentik.nix index bc7e1e6..8b68fe3 100644 --- a/sys/srv/authentik.nix +++ b/sys/srv/authentik.nix 
@@ -19,37 +19,45 @@ with lib; { default = false; type = bool; }; + locations = mkOption { + type = attrsOf ( + submodule { + config = mkIf config.enableAuthentik { + extraConfig = '' + auth_request /outpost.goauthentik.io/auth/nginx; + error_page 401 = @goauthentik_proxy_signin; + auth_request_set $auth_cookie $upstream_http_set_cookie; + add_header Set-Cookie $auth_cookie; + + # translate headers from the outposts back to the actual upstream + auth_request_set $authentik_username $upstream_http_x_authentik_username; + auth_request_set $authentik_groups $upstream_http_x_authentik_groups; + auth_request_set $authentik_email $upstream_http_x_authentik_email; + auth_request_set $authentik_name $upstream_http_x_authentik_name; + auth_request_set $authentik_uid $upstream_http_x_authentik_uid; + + proxy_set_header X-authentik-username $authentik_username; + proxy_set_header X-authentik-groups $authentik_groups; + proxy_set_header X-authentik-email $authentik_email; + proxy_set_header X-authentik-name $authentik_name; + proxy_set_header X-authentik-uid $authentik_uid; + ''; + }; + } + ); + }; }; config = mkIf config.enableAuthentik { extraConfig = '' - auth_request /outpost.goauthentik.io/auth/nginx; - error_page 401 = @goauthentik_proxy_signin; - auth_request_set $auth_cookie $upstream_http_set_cookie; - add_header Set-Cookie $auth_cookie; - - # translate headers from the outposts back to the actual upstream - auth_request_set $authentik_username $upstream_http_x_authentik_username; - auth_request_set $authentik_groups $upstream_http_x_authentik_groups; - auth_request_set $authentik_email $upstream_http_x_authentik_email; - auth_request_set $authentik_name $upstream_http_x_authentik_name; - auth_request_set $authentik_uid $upstream_http_x_authentik_uid; - - proxy_set_header X-authentik-username $authentik_username; - proxy_set_header X-authentik-groups $authentik_groups; - proxy_set_header X-authentik-email $authentik_email; - proxy_set_header X-authentik-name 
$authentik_name; - proxy_set_header X-authentik-uid $authentik_uid; - - proxy_redirect http:// $scheme://; - proxy_buffers 8 16k; proxy_buffer_size 32k; location /outpost.goauthentik.io { - proxy_pass http://auth.posixlycorrect.com/outpost.goauthentik.io; + proxy_pass http://localhost:9000/outpost.goauthentik.io; # ensure the host of this vserver matches your external URL you've configured # in authentik - proxy_set_header X-Forwarded-Host $host; + proxy_set_header Host $host; + proxy_redirect http://localhost:9000 https://auth.posixlycorrect.com; proxy_set_header X-Original-URL $scheme://$http_host$request_uri; add_header Set-Cookie $auth_cookie; auth_request_set $auth_cookie $upstream_http_set_cookie; @@ -62,7 +70,7 @@ with lib; { location @goauthentik_proxy_signin { internal; add_header Set-Cookie $auth_cookie; - return 302 /outpost.goauthentik.io/start?rd=$request_uri; + return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri; # For domain level, use the below error_page to redirect to your authentik server with the full redirect path # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri; }
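Review bot: The per-location `extraConfig` added in this hunk emits `add_header Set-Cookie $auth_cookie;` and five `proxy_set_header X-authentik-*` lines inside every declared location, and nginx inherits `add_header` and `proxy_set_header` from the enclosing level only when the current level declares none of them, so any server-level `add_header` (HSTS, CSP) or `proxy_set_header` (Host, X-Forwarded-For, X-Real-IP) that this vhost may set — not visible here — would silently stop applying to these locations. It is worth confirming what the vhost declares at server level and either re-declaring those directives in the submodule or recording the limitation with a comment such as `# NOTE: add_header/proxy_set_header here suppress inheritance of server-level headers; re-declare them per location`. Separately, the forwarded `X-authentik-*` values are only trustworthy because `proxy_set_header` overwrites any client-supplied copy; a location on this vhost that is not declared through `locations`, or a vhost with `enableAuthentik` unset, will pass spoofed `X-authentik-*` request headers straight to its upstream, which matters if that upstream trusts them for identity. The enclosing `options`/`submodule` attrset starts before this hunk.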
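Review bot: The new `rd=$scheme://$http_host$request_uri` interpolates `$request_uri` unescaped into a query parameter, so a request whose own query string contains `&` will have everything after it parsed by the outpost as separate parameters instead of as part of `rd`, and `$http_host` is the client's raw Host header rather than nginx's normalized `$host`. This matches the form the authentik documentation and the commented line in this hunk use, so it may be acceptable, but if the vhost is reachable with an arbitrary Host header the post-login redirect target becomes attacker-influenced; using `$host` (plus the explicit port when non-standard) narrows that: `return 302 /outpost.goauthentik.io/start?rd=$scheme://$host$request_uri;`. The outpost is presumably expected to validate `rd` against its configured external host — confirm that before relying on it.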