From e5d9d21647459c663f7638809fa3e55de1beeda8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Schr=C3=B6ter?= <dev@felschr.com>
Date: Fri, 6 Jun 2025 17:50:30 +0200
Subject: [PATCH] fix(nginx-authelia): fix authelia integration

---
 modules/nginx-authelia.nix | 58 +++++++++++++++-----------------------
 services/authelia.nix      |  2 +-
 2 files changed, 23 insertions(+), 37 deletions(-)

diff --git a/modules/nginx-authelia.nix b/modules/nginx-authelia.nix
index c6662dc..a1f6454 100644
--- a/modules/nginx-authelia.nix
+++ b/modules/nginx-authelia.nix
@@ -9,41 +9,24 @@ let
         enableAutheliaAuth = lib.mkEnableOption "Enable authelia auth";
       };
       config = lib.mkIf config.enableAutheliaAuth {
-        locations."/authelia".extraConfig = ''
-          set $upstream_authelia http://${cfg.host}:${toString cfg.port}/api/verify;
+        locations."/authelia" = {
+          proxyPass = "http://${cfg.host}:${toString cfg.port}/api/verify";
+          extraConfig = ''
+            internal;
 
-          ## Essential Proxy Configuration
-          internal;
-          proxy_pass $upstream_authelia;
-
-          ## Headers
-          ## The headers starting with X-* are required.
-          proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
-          proxy_set_header X-Original-Method $request_method;
-          proxy_set_header X-Forwarded-Method $request_method;
-          proxy_set_header X-Forwarded-Proto $scheme;
-          proxy_set_header X-Forwarded-Host $http_host;
-          proxy_set_header X-Forwarded-Uri $request_uri;
-          proxy_set_header X-Forwarded-For $remote_addr;
-          proxy_set_header Content-Length "";
-          proxy_set_header Connection "";
-
-          ## Basic Proxy Configuration
-          proxy_pass_request_body off;
-          proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead
-          proxy_redirect http:// $scheme://;
-          proxy_http_version 1.1;
-          proxy_cache_bypass $cookie_session;
-          proxy_no_cache $cookie_session;
-          proxy_buffers 4 32k;
-          client_body_buffer_size 128k;
-
-          ## Advanced Proxy Configuration
-          send_timeout 5m;
-          proxy_read_timeout 240;
-          proxy_send_timeout 240;
-          proxy_connect_timeout 240;
-        '';
+            ## Headers
+            ## The headers starting with X-* are required.
+            proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+            proxy_set_header X-Original-Method $request_method;
+            proxy_set_header X-Forwarded-Method $request_method;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Forwarded-Host $http_host;
+            proxy_set_header X-Forwarded-Uri $request_uri;
+            proxy_set_header X-Forwarded-For $remote_addr;
+            proxy_set_header Content-Length "";
+            proxy_set_header Connection "";
+          '';
+        };
         locations."/".extraConfig = ''
           ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
           auth_request /authelia;
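Review bot: The rewritten `/authelia` location keeps `proxy_set_header Content-Length "";` but drops the removed block's `proxy_pass_request_body off;`, and the two are normally used together: the first only makes sense if the body is not forwarded to the verify endpoint. Unless the NixOS `proxyPass` option is known to emit that directive (I cannot see the generated config from here), the request body of a POST may still be sent to Authelia with an empty Content-Length, which is inconsistent and can stall or reject the subrequest. I would add `proxy_pass_request_body off;` right after `internal;` in the new `extraConfig`, and likewise carry over `proxy_http_version 1.1;` since `Connection ""` is still being set. The `locations."/"` block continues past the end of this hunk.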
@@ -51,7 +34,7 @@ let
           ## Set the $target_url variable based on the original request.
 
           ## Requires nginx http_set_misc module.
-          set_escape_uri $target_url $scheme://$http_host$request_uri;
+          set $target_url $scheme://$http_host$request_uri;
 
           ## Save the upstream response headers from Authelia to variables.
           auth_request_set $user $upstream_http_remote_user;
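Review bot: Replacing `set_escape_uri $target_url …` with a plain `set` means `$target_url` is no longer URI-escaped, yet the next hunk still embeds it as a query value in `error_page 401 =302 https://${cfg.domain}/?rd=$target_url;`; an original `$request_uri` containing `&`, `#` or `?` will be split or truncated when the portal parses `rd`, so the post-login redirect silently goes to the wrong place. The retained context line `## Requires nginx http_set_misc module.` is now stale as well. If dropping the set-misc dependency is intentional, replace that comment with `## NOTE: $target_url is not URI-escaped; URIs containing '&', '#' or '?' will not round-trip through the rd parameter (use set_escape_uri from the set-misc module for exact redirects).`; otherwise keep `set_escape_uri` and add the module via `additionalModules`. The enclosing `locations."/".extraConfig` string starts and ends outside this hunk.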
@@ -66,7 +49,7 @@ let
           proxy_set_header Remote-Email $email;
 
           ## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
-          error_page 401 =302 https://auth.zx.dev/?rd=$target_url;
+          error_page 401 =302 https://${cfg.domain}/?rd=$target_url;
         '';
       };
     };
@@ -121,6 +104,9 @@ in
 {
   options = {
     services.nginx-authelia = {
+      domain = lib.mkOption {
+        type = lib.types.str;
+      };
       host = lib.mkOption {
         type = lib.types.str;
         default = "localhost";
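Review bot: The new `domain` option has neither a `description` nor an `example`, unlike the neighbouring `host` option which at least documents itself through its default; since the value is interpolated verbatim into the `error_page` redirect URL, a user has to read the module body to learn what it expects. I would add `description = "Public domain of the Authelia portal (no scheme, no trailing slash); used as the target of the 401 redirect.";` and `example = "auth.example.com";` inside the `lib.mkOption` call. The `services.nginx-authelia` option set continues past the end of this hunk.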
diff --git a/services/authelia.nix b/services/authelia.nix
index 6209d9f..b707199 100644
--- a/services/authelia.nix
+++ b/services/authelia.nix
@@ -211,7 +211,7 @@ in
   ];
 
   services.nginx-authelia = {
-    inherit port;
+    inherit domain port;
   };
 
   services.postgresql = {