From a32218ba2c7f44f7347497e2717dd3178c9d69f2 Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Fri, 10 May 2024 16:59:38 +0200
Subject: [PATCH] authentik part 1
---
 modules/auth.nix | 35 +++++++++++++++++++++++++++++++++++
 modules/default.nix | 13 ++++++++++---
 secrets/authentik_env.age | 15 +++++++++++++++
 secrets/secrets.nix | 2 ++
 4 files changed, 62 insertions(+), 3 deletions(-)
 create mode 100644 modules/auth.nix
 create mode 100644 secrets/authentik_env.age
diff --git a/modules/auth.nix b/modules/auth.nix
new file mode 100644
index 0000000..ba54704
--- /dev/null
+++ b/modules/auth.nix
@@ -0,0 +1,35 @@
+{config, ...}: let
+ inherit (config.serverConfig) ports vhosts;
+ inherit (config.networking) domain;
+in {
+
+ services.authentik = {
+ enable = true;
+ # The environmentFile needs to be on the target host!
+ # Best use something like sops-nix or agenix to manage it
+ environmentFile = "/run/secrets/authentik/authentik-env";
+
+ # authentik_env.age
+
+ age.secrets.authentik_env = {
+ file = ../secrets/authentik_env.age;
+ owner = "authentik";
+ group = "authentik";
+ mode = "0600";
+ };
+
+ settings = {
+ email = rec {
+ host = vhosts.mail_host.host;
+ port = 465;
+ username = "admin@${domain}";
+ use_tls = true;
+ use_ssl = true;
+ from = username;
+ };
+ disable_startup_analytics = true;
+ avatars = "initials";
+ };
+ };
+}
diff --git a/modules/default.nix b/modules/default.nix
index 15791c0..c72bd8b 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -138,10 +138,12 @@ in
 puffer_host = {
 port = 8080;
 host = "puffer.${domain}";
+ accessType = "proxy";
 };
 tlemap_host = {
 port = 8100;
 host = "tlemap.${domain}";
+ accessType = "proxy";
 };
 mail_host = {
 host = "mail.${domain}";
@@ -150,6 +152,7 @@ in
 gitea_host = {
 host = "git.${domain}";
 port = 8081;
+ accessType = "proxy";
 };
 matrix_host = {
 accessType = "redirect";
@@ -162,6 +165,7 @@ in
 };
 grafana_host = {
 host = "grafana.${domain}";
+ accessType = "proxy";
 port = 8082;
 };
 nextcloud_host = rec {
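Review bot: `age.secrets.authentik_env` is declared inside `services.authentik` (right after the `# authentik_env.age` comment), where the authentik module declares no such option, so evaluation will most likely fail — it belongs at the top level of the module's attribute set. `environmentFile = "/run/secrets/authentik/authentik-env"` also does not match where agenix writes the secret (`/run/agenix/<name>` by default; the `/run/secrets` prefix is the sops-nix convention the comment above it mentions), so even with the first fix the service would start without its secrets; `environmentFile = config.age.secrets.authentik_env.path;` keeps the two in sync. In `settings.email`, `use_tls = true` and `use_ssl = true` are both set for port 465; these are mutually exclusive in Django-style mail settings and 465 is the implicit-TLS port, so dropping `use_tls = true;` is probably what is intended — confirm against the authentik docs. The `ports` binding inherited on the second line is unused.
```nix
{config, ...}: let
  inherit (config.serverConfig) vhosts;
  inherit (config.networking) domain;
in {
  # agenix option lives at module top level, not under services.authentik
  age.secrets.authentik_env = {
    file = ../secrets/authentik_env.age;
    owner = "authentik";
    group = "authentik";
    mode = "0600";
  };

  services.authentik = {
    enable = true;
    # take the path from the agenix option so it cannot drift from where the file is written
    environmentFile = config.age.secrets.authentik_env.path;
    # … unchanged: settings (email, disable_startup_analytics, avatars) …
  };
}
```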
@@ -172,12 +176,15 @@ in
 };
 mastodon_host = {
 host = "mastodon.${domain}";
- accessType = "none";
 };
- nix_cache_host = rec {
+ nix_cache_host = {
 host = "nixcache.${domain}";
 port = 5000;
-
+ };
+ auth_host = {
+ host = "auth.${domain}";
+ port = 9443;
+ accessType = "proxy";
 };
 };
 };
diff --git a/secrets/authentik_env.age b/secrets/authentik_env.age
new file mode 100644
index 0000000..8b139a6
--- /dev/null
+++ b/secrets/authentik_env.age
@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-rsa jWbwAg
+wOku8nfaZn+SYKhPgDbnU2OFXP7bBnrhE8H87YRgkg2eReMD1t4fzg6GiGCW9Urj
+ia3xivhGNq6GavB7RS1LKx3cRqjjIXHdtG0XERe72vY6bjfbA4afamJI6pKLzmti
+M5dhZpqOA1WPrkZTGy+f6P+klpl3WEUg+vyslcfIO3pRPwazebER8EwtlxEzZkCH
+HM015bFmJJQ26WD9wNj4IhpuOi6BO1ZtcyiEJigs8ylCnoBH9D8okaMzqlEb8G1E
+MhCb4umcrXsNHux4qG33NQbo/ZaN8+1tPnOpkSE2wslYy8gvFaMSCWcHVzpf1tlL
+GpDheRXrbN+cgczpmSD2CECv8EWLcI5fvqsKRRbH2WHvKa9tcwc9RKPWeeL9flNX
+wpqQMbUBGGbXPJNd/D63xNKCOEcZuskRwiSgGYqrr864YY1kFvBxRM2BP/xcpKRh
+2YKHrL4Bp/It5NHnkVSWqxF6CnajuXEL+R2Yh8aIl932gOpCwZSGkZnqVbLsdX3i
+x3tFmB+Cfi9yrIWSPtxy2yswj09OT1sVkaDPRzYW3GD8JMQIl7INn9QdW9O9AzoE
+Nhr44vbc1pnSjWucxaCD3+htt0PZLELV4001xlBFkpyuErjZcgJ3/x1rhKeXPwpo
+q70dkDXEetnkfXiZ8uDKzeAzXBMEFjui5v/PcB4tHQA
+--- bv5wWftXB8PIPk8118XQEhVViIO6FTX2ywc8R27770I
+=z4}!I-wȃ8"Զ=ֳ@#1 XRwlI =!N{#NL9qouD*8aNUU(aMA y+AKxC5q[qP dt?}}{nX
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 81f95ab..e841314 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -13,6 +13,8 @@ in
 # "duckdns_token.age".publicKeys = [ contabo_nix_pub ];
 "synapse_db_pass.age".publicKeys = [ contabo_nix_pub ];
+ "authentik_env.age".publicKeys = [ contabo_nix_pub ];
+ "synapse_db_pass_prepared.age".publicKeys = [ contabo_nix_pub ];
 "grafana_admin_pass.age".publicKeys = [ contabo_nix_pub ];
 "nextcloud_admin_pass.age".publicKeys = [ contabo_nix_pub ];
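Review bot: Removing `accessType = "none";` from `mastodon_host` leaves it with whatever default the vhost option declares, which is outside this hunk and not mentioned in the commit message; if that default routes hosts through the reverse proxy, a host with no `port` would now be exposed, so confirm the removal is deliberate or keep the line. For the new `auth_host`, 9443 is authentik's HTTPS listener, which on a default install presents a self-signed certificate; unless the proxy behind `accessType = "proxy"` is set up to accept it, upstream TLS verification will fail, and the plain-HTTP listener on 9000 is the usual upstream when the proxy terminates TLS itself. The enclosing `vhosts` set starts before this hunk.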