authelia: drop docker migration, tighten secret perms
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
parent
93e79509c4
commit
f65675bd80
1 changed files with 2 additions and 57 deletions
|
|
@ -1,49 +1,6 @@
|
|||
# services/authelia.nix — Native Authelia SSO with auto-migration from Docker
|
||||
# services/authelia.nix — Native Authelia SSO
|
||||
# Secrets live in /var/secrets/authelia (root:authelia-main, 640) — see readme.
|
||||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
# Migrates secrets + user DB from the old Docker Authelia setup
|
||||
setupScript = pkgs.writeShellScript "authelia-setup" ''
|
||||
set -euo pipefail
|
||||
YQ="${pkgs.yq-go}/bin/yq"
|
||||
DOCKER_CONFIG="/home/fred/docker/authelia/configuration.yml"
|
||||
SECRETS_DIR="/var/secrets/authelia"
|
||||
STATE_DIR="/var/lib/authelia-main"
|
||||
|
||||
mkdir -p "$SECRETS_DIR"
|
||||
mkdir -p "$STATE_DIR"
|
||||
|
||||
# Migrate secrets from Docker config if they haven't been extracted yet
|
||||
if [ -f "$DOCKER_CONFIG" ]; then
|
||||
if [ ! -f "$SECRETS_DIR/jwt_secret" ]; then
|
||||
$YQ '.identity_validation.reset_password.jwt_secret' "$DOCKER_CONFIG" \
|
||||
| tr -d '"' > "$SECRETS_DIR/jwt_secret"
|
||||
echo "Migrated jwt_secret"
|
||||
fi
|
||||
if [ ! -f "$SECRETS_DIR/session_secret" ]; then
|
||||
$YQ '.session.secret' "$DOCKER_CONFIG" \
|
||||
| tr -d '"' > "$SECRETS_DIR/session_secret"
|
||||
echo "Migrated session_secret"
|
||||
fi
|
||||
if [ ! -f "$SECRETS_DIR/storage_encryption_key" ]; then
|
||||
$YQ '.storage.encryption_key' "$DOCKER_CONFIG" \
|
||||
| tr -d '"' > "$SECRETS_DIR/storage_encryption_key"
|
||||
echo "Migrated storage_encryption_key"
|
||||
fi
|
||||
fi
|
||||
|
||||
chmod 644 "$SECRETS_DIR"/*
|
||||
|
||||
# Migrate users database
|
||||
if [ ! -f "$STATE_DIR/users_database.yml" ] && \
|
||||
[ -f "/home/fred/docker/authelia/users_database.yml" ]; then
|
||||
cp /home/fred/docker/authelia/users_database.yml "$STATE_DIR/"
|
||||
chown authelia-main:authelia-main "$STATE_DIR/users_database.yml"
|
||||
echo "Migrated users_database.yml"
|
||||
fi
|
||||
|
||||
echo "Authelia setup complete."
|
||||
'';
|
||||
in
|
||||
{
|
||||
config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
|
||||
|
||||
|
|
@ -100,17 +57,5 @@ in
|
|||
notifier.filesystem.filename = "/var/lib/authelia-main/notification.txt";
|
||||
};
|
||||
};
|
||||
|
||||
# Auto-migrate Docker Authelia data on first deploy
|
||||
systemd.services.authelia-setup = {
|
||||
description = "Migrate Authelia secrets and user database from Docker";
|
||||
before = [ "authelia-main.service" ];
|
||||
requiredBy = [ "authelia-main.service" ];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
ExecStart = setupScript;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
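Review bot: The tightened permissions named in the added comment (`root:authelia-main`, 640) are not enforced anywhere in the new code — the old `chmod 644 "$SECRETS_DIR"/*` is gone, but nothing replaces it, so the mode of /var/secrets/authelia now depends entirely on the manual step the readme describes. A freshly provisioned or drifted host would either leave the secrets world-readable again or fail at `authelia-main` start with an unreadable file, and neither case is caught at evaluation time. Declaring the ownership and modes in the module keeps the commit's intent reproducible; a `systemd.tmpfiles.rules` entry such as `"d /var/secrets/authelia 0750 root authelia-main -"` together with `"z /var/secrets/authelia/* 0640 root authelia-main -"` is a minimal way to do that. The enclosing `config = lib.mkIf (...)` set starts in the first hunk and closes at the `};` in the second, so the rule can take the place of the removed `systemd.services.authelia-setup` block.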