From 4e384211bacbe8b36261633f84d6713e5daf897e Mon Sep 17 00:00:00 2001 From: ibizaman Date: Sun, 10 May 2026 00:00:02 +0200 Subject: [PATCH] authelia: update test now that authelia forbids http --- modules/blocks/authelia.nix | 1 + test/blocks/authelia.nix | 25 +++++++++++++++++++++++-- 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/modules/blocks/authelia.nix b/modules/blocks/authelia.nix index b3e18c5..c27cc9d 100644 --- a/modules/blocks/authelia.nix +++ b/modules/blocks/authelia.nix @@ -645,6 +645,7 @@ in shb.mitmdump.instances."authelia-${fqdn}" = lib.mkIf cfg.debug { listenPort = 9091; upstreamPort = 9090; + timeout = 30; after = [ "authelia-${fqdn}.service" ]; enabledAddons = [ config.shb.mitmdump.addons.logger ]; extraArgs = [ diff --git a/test/blocks/authelia.nix b/test/blocks/authelia.nix index 9339c50..b9aa4bc 100644 --- a/test/blocks/authelia.nix +++ b/test/blocks/authelia.nix @@ -16,6 +16,7 @@ in (pkgs'.path + "/nixos/modules/profiles/qemu-guest.nix") ../../modules/blocks/authelia.nix ../../modules/blocks/hardcodedsecret.nix + ../../modules/blocks/ssl.nix ]; networking.hosts = { @@ -28,11 +29,29 @@ in ]; }; + shb.certs.cas.selfsigned.myca = { + name = "My CA"; + }; + shb.certs.certs.selfsigned = { + "machine.com" = { + ca = config.shb.certs.cas.selfsigned.myca; + + domain = "*.machine.com"; + group = "nginx"; + }; + }; + systemd.services.nginx.after = [ config.shb.certs.certs.selfsigned."machine.com".systemdService ]; + systemd.services.nginx.requires = [ + config.shb.certs.certs.selfsigned."machine.com".systemdService + ]; + shb.lldap = { enable = true; dcdomain = "dc=example,dc=com"; subdomain = "ldap"; domain = "machine.com"; + ssl = config.shb.certs.certs.selfsigned."machine.com"; + ldapUserPassword.result = config.shb.hardcodedsecret.ldapUserPassword.result; jwtSecret.result = config.shb.hardcodedsecret.jwtSecret.result; }; @@ -50,6 +69,8 @@ in enable = true; subdomain = "authelia"; domain = "machine.com"; + ssl = config.shb.certs.certs.selfsigned."machine.com"; + ldapHostname = "${config.shb.lldap.subdomain}.${config.shb.lldap.domain}"; ldapPort = config.shb.lldap.ldapPort; dcdomain = config.shb.lldap.dcdomain; @@ -136,10 +157,10 @@ in machine.wait_for_unit("authelia-authelia.machine.com.target") machine.wait_for_open_port(9091) - endpoints = json.loads(machine.succeed("curl -s http://machine.com/.well-known/openid-configuration")) + endpoints = json.loads(machine.succeed("curl -s https://authelia.machine.com/.well-known/openid-configuration")) auth_endpoint = endpoints['authorization_endpoint'] print(f"auth_endpoint: {auth_endpoint}") - if auth_endpoint != "http://machine.com/api/oidc/authorization": + if auth_endpoint != "https://authelia.machine.com/api/oidc/authorization": raise Exception("Unexpected auth_endpoint") resp = machine.succeed(