From 0b267a5a5194c8dd05cd32c9424065faf3a25b47 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Schr=C3=B6ter?= <dev@felschr.com>
Date: Wed, 27 Dec 2023 04:31:40 +0100
Subject: [PATCH] fix(authelia): set up tailscale OIDC

---
 services/authelia.nix | 59 ++++++++++++++++++++++++++++++++++++-------
 1 file changed, 50 insertions(+), 9 deletions(-)

diff --git a/services/authelia.nix b/services/authelia.nix
index 4dde322..0499072 100644
--- a/services/authelia.nix
+++ b/services/authelia.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, pkgs, lib, ... }:
 
 let
   domain = "auth.felschr.com";
@@ -7,6 +7,19 @@ let
   ldapPort = config.services.lldap.settings.ldap_port;
   redis = config.services.redis.servers.authelia;
   cfg = config.services.authelia.instances.main;
+
+  mkWebfinger = v:
+    pkgs.writeTextDir (lib.escapeURL v.subject) (lib.generators.toJSON { } v);
+  webfingerRoot = pkgs.symlinkJoin {
+    name = "felschr.com-webfinger";
+    paths = builtins.map mkWebfinger [{
+      subject = "acct:me@felschr.com";
+      links = [{
+        rel = "http://openid.net/specs/connect/1.0/issuer";
+        href = "https://auth.felschr.com";
+      }];
+    }];
+  };
 in {
   age.secrets.authelia-jwt = {
     file = ../secrets/authelia/jwt.age;
@@ -108,14 +121,25 @@ in {
       #   host = "smtp.web.de";
       #   port = 587;
       # };
-      identity_providers.oidc.clients = [{
-        id = "miniflux";
-        secret =
-          "$pbkdf2-sha512$310000$1iBgcyIDTDzELv49KWtcHQ$WaRknbgeOHPWIc1BdQsUJaftwISJlY5S1Nyw6Z5omPvnZINhPyn7WVMgogVv1Dekmici7Oz7opb8S7uQAc8hzw";
-        redirect_uris = [ "https://news.felschr.com/oauth2/oidc/callback" ];
-        authorization_policy = "one_factor";
-        scopes = [ "openid" "email" "profile" ];
-      }];
+      identity_providers.oidc.clients = [
+        {
+          id = "miniflux";
+          secret =
+            "$pbkdf2-sha512$310000$1iBgcyIDTDzELv49KWtcHQ$WaRknbgeOHPWIc1BdQsUJaftwISJlY5S1Nyw6Z5omPvnZINhPyn7WVMgogVv1Dekmici7Oz7opb8S7uQAc8hzw";
+          redirect_uris = [ "https://news.felschr.com/oauth2/oidc/callback" ];
+          authorization_policy = "one_factor";
+          scopes = [ "openid" "email" "profile" ];
+        }
+        {
+          id = "tailscale";
+          # The digest of "insecure_secret"
+          secret =
+            "$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng";
+          redirect_uris = [ "https://login.tailscale.com/a/oauth_response" ];
+          authorization_policy = "one_factor";
+          scopes = [ "openid" "email" "profile" ];
+        }
+      ];
     };
   };
 
@@ -143,5 +167,22 @@ in {
     locations."/".proxyPass = "http://[::1]:${toString port}";
   };
 
+  services.nginx.virtualHosts."felschr.com" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/.well-known/webfinger" = {
+      root = webfingerRoot;
+      extraConfig = ''
+        add_header Access-Control-Allow-Origin "*";
+        default_type "application/jrd+json";
+        types { application/jrd+json json; }
+        if ($arg_resource) {
+          rewrite ^(.*)$ /$arg_resource break;
+        }
+        return 400;
+      '';
+    };
+  };
+
   users.users.${cfg.user}.extraGroups = [ "smtp" "ldap" ];
 }