authelia: drop docker migration, tighten secret perms
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
parent
93e79509c4
commit
f65675bd80
1 changed files with 2 additions and 57 deletions
|
|
@ -1,49 +1,6 @@
|
||||||
# services/authelia.nix — Native Authelia SSO with auto-migration from Docker
|
# services/authelia.nix — Native Authelia SSO
|
||||||
|
# Secrets live in /var/secrets/authelia (root:authelia-main, 640) — see readme.
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
let
|
|
||||||
# Migrates secrets + user DB from the old Docker Authelia setup
|
|
||||||
setupScript = pkgs.writeShellScript "authelia-setup" ''
|
|
||||||
set -euo pipefail
|
|
||||||
YQ="${pkgs.yq-go}/bin/yq"
|
|
||||||
DOCKER_CONFIG="/home/fred/docker/authelia/configuration.yml"
|
|
||||||
SECRETS_DIR="/var/secrets/authelia"
|
|
||||||
STATE_DIR="/var/lib/authelia-main"
|
|
||||||
|
|
||||||
mkdir -p "$SECRETS_DIR"
|
|
||||||
mkdir -p "$STATE_DIR"
|
|
||||||
|
|
||||||
# Migrate secrets from Docker config if they haven't been extracted yet
|
|
||||||
if [ -f "$DOCKER_CONFIG" ]; then
|
|
||||||
if [ ! -f "$SECRETS_DIR/jwt_secret" ]; then
|
|
||||||
$YQ '.identity_validation.reset_password.jwt_secret' "$DOCKER_CONFIG" \
|
|
||||||
| tr -d '"' > "$SECRETS_DIR/jwt_secret"
|
|
||||||
echo "Migrated jwt_secret"
|
|
||||||
fi
|
|
||||||
if [ ! -f "$SECRETS_DIR/session_secret" ]; then
|
|
||||||
$YQ '.session.secret' "$DOCKER_CONFIG" \
|
|
||||||
| tr -d '"' > "$SECRETS_DIR/session_secret"
|
|
||||||
echo "Migrated session_secret"
|
|
||||||
fi
|
|
||||||
if [ ! -f "$SECRETS_DIR/storage_encryption_key" ]; then
|
|
||||||
$YQ '.storage.encryption_key' "$DOCKER_CONFIG" \
|
|
||||||
| tr -d '"' > "$SECRETS_DIR/storage_encryption_key"
|
|
||||||
echo "Migrated storage_encryption_key"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
chmod 644 "$SECRETS_DIR"/*
|
|
||||||
|
|
||||||
# Migrate users database
|
|
||||||
if [ ! -f "$STATE_DIR/users_database.yml" ] && \
|
|
||||||
[ -f "/home/fred/docker/authelia/users_database.yml" ]; then
|
|
||||||
cp /home/fred/docker/authelia/users_database.yml "$STATE_DIR/"
|
|
||||||
chown authelia-main:authelia-main "$STATE_DIR/users_database.yml"
|
|
||||||
echo "Migrated users_database.yml"
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "Authelia setup complete."
|
|
||||||
'';
|
|
||||||
in
|
|
||||||
{
|
{
|
||||||
config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
|
config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
|
||||||
|
|
||||||
|
|
@ -100,17 +57,5 @@ in
|
||||||
notifier.filesystem.filename = "/var/lib/authelia-main/notification.txt";
|
notifier.filesystem.filename = "/var/lib/authelia-main/notification.txt";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# Auto-migrate Docker Authelia data on first deploy
|
|
||||||
systemd.services.authelia-setup = {
|
|
||||||
description = "Migrate Authelia secrets and user database from Docker";
|
|
||||||
before = [ "authelia-main.service" ];
|
|
||||||
requiredBy = [ "authelia-main.service" ];
|
|
||||||
serviceConfig = {
|
|
||||||
Type = "oneshot";
|
|
||||||
RemainAfterExit = true;
|
|
||||||
ExecStart = setupScript;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue