authentik part 1

modules/auth.nix

@@ -0,0 +1,35 @@
+{config, ...}: let 
+  inherit (config.serverConfig) ports vhosts;
+  inherit (config.networking) domain;
+in {
+  
+
+  services.authentik = {
+    enable = true;
+    # The environmentFile needs to be on the target host!
+    # Best use something like sops-nix or agenix to manage it
+    environmentFile = "/run/secrets/authentik/authentik-env";
+
+    # authentik_env.age
+
+    age.secrets.authentik_env = {
+      file = ../secrets/authentik_env.age;
+      owner = "authentik";
+      group = "authentik";
+      mode = "0600";
+    };
+
+    settings = {
+      email = rec {
+        host = vhosts.mail_host.host;
+        port = 465;
+        username = "admin@${domain}";
+        use_tls = true;
+        use_ssl = true;
+        from = username;
+      };
+      disable_startup_analytics = true;
+      avatars = "initials";
+    };    
+  };
+}

modules/default.nix

@@ -138,10 +138,12 @@ in
         puffer_host = {
           port = 8080;
           host = "puffer.${domain}";
+          accessType = "proxy";
         };
         tlemap_host = {
           port = 8100;
           host = "tlemap.${domain}";
+          accessType = "proxy";
         };
         mail_host = {
           host = "mail.${domain}";
@@ -150,6 +152,7 @@ in
         gitea_host = {
           host = "git.${domain}";
           port = 8081;
+          accessType = "proxy";
         };
         matrix_host = {
           accessType = "redirect";
@@ -162,6 +165,7 @@ in
         };
         grafana_host = {
           host = "grafana.${domain}";
+          accessType = "proxy";
           port = 8082;
         };
         nextcloud_host = rec {
@@ -172,12 +176,15 @@ in
         };
         mastodon_host = {
           host = "mastodon.${domain}";
-          accessType = "none";
         };
-        nix_cache_host = rec {
+        nix_cache_host = {
           host = "nixcache.${domain}";
           port = 5000;
-
+        };
+        auth_host = {
+          host = "auth.${domain}";
+          port = 9443;
+          accessType = "proxy";
         };
       };
     };

secrets/authentik_env.age

@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-rsa jWbwAg
+wOku8nfaZn+SYKhPgDbnU2OFXP7bBnrhE8H87YRgkg2eReMD1t4fzg6GiGCW9Urj
+ia3xivhGNq6GavB7RS1LKx3cRqjjIXHdtG0XERe72vY6bjfbA4afamJI6pKLzmti
+M5dhZpqOA1WPrkZTGy+f6P+klpl3WEUg+vyslcfIO3pRPwazebER8EwtlxEzZkCH
+HM015bFmJJQ26WD9wNj4IhpuOi6BO1ZtcyiEJigs8ylCnoBH9D8okaMzqlEb8G1E
+MhCb4umcrXsNHux4qG33NQbo/ZaN8+1tPnOpkSE2wslYy8gvFaMSCWcHVzpf1tlL
+GpDheRXrbN+cgczpmSD2CECv8EWLcI5fvqsKRRbH2WHvKa9tcwc9RKPWeeL9flNX
+wpqQMbUBGGbXPJNd/D63xNKCOEcZuskRwiSgGYqrr864YY1kFvBxRM2BP/xcpKRh
+2YKHrL4Bp/It5NHnkVSWqxF6CnajuXEL+R2Yh8aIl932gOpCwZSGkZnqVbLsdX3i
+x3tFmB+Cfi9yrIWSPtxy2yswj09OT1sVkaDPRzYW3GD8JMQIl7INn9QdW9O9AzoE
+Nhr44vbc1pnSjWucxaCD3+htt0PZLELV4001xlBFkpyuErjZcgJ3/x1rhKeXPwpo
+q70dkDXEetnkfXiZ8uDKzeAzXBMEFjui5v/PcB4tHQA
+--- bv5wWftXB8PIPk8118XQEhVViIO6FTX2ywc8R27770I
+=zø4š¶<C5A1>}
!IÇ-w©Èƒ×Á8"Ô¶Ö=Ö³@#1
í†öXRôÀÔwl˜IÚ
’=¥!N¼{#<23>NLÞ9qØo<C398>Õu¾D¦*ÈôŽñ‚8ªa©ô<C2A9>œNë°ô‹UUºá–æ(¬aMœA
™§åy+ü×AKx™C<E284A2>Û5–qÅ[qÞPæË	dÉìÌt?}ò}½{›n´X

secrets/secrets.nix

@@ -13,6 +13,8 @@ in
 
   # "duckdns_token.age".publicKeys = [ contabo_nix_pub ];
   "synapse_db_pass.age".publicKeys = [ contabo_nix_pub ];
+  "authentik_env.age".publicKeys = [ contabo_nix_pub ];
+
   "synapse_db_pass_prepared.age".publicKeys = [ contabo_nix_pub ];
   "grafana_admin_pass.age".publicKeys = [ contabo_nix_pub ];
   "nextcloud_admin_pass.age".publicKeys = [ contabo_nix_pub ];