nki/nix-home
1
0
Fork 0
Code Issues Pull requests 2 Packages Projects Releases Wiki Activity

Move authentik to nix!!

Browse source
This commit is contained in:
Natsu Kagami 2023-04-26 23:23:28 +02:00
parent 8f2f511424
commit 8d8052c5cc
Signed by: nki
GPG key ID: 7306B3D3C3AD6E51
5 changed files with 224 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

94
flake.lock
View file

@ -1,10 +1,30 @@
{ {
"nodes": { "nodes": {
"arion": {
"inputs": {
"flake-parts": "flake-parts",
"haskell-flake": "haskell-flake",
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1682181677,
"narHash": "sha256-El8WQ2ccxWwkSrjuwKNR0gD/O7vS/KLBY4Q2/nF8m1c=",
"owner": "hercules-ci",
"repo": "arion",
"rev": "6a1f03329c400327b3b2e0ed5e1efff11037ba67",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "arion",
"type": "github"
}
},
"crane": { "crane": {
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs_2",
"rust-overlay": "rust-overlay" "rust-overlay": "rust-overlay"
}, },
"locked": { "locked": {
@ -45,7 +65,7 @@
"deploy-rs": { "deploy-rs": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_2", "flake-compat": "flake-compat_2",
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs_3",
"utils": "utils" "utils": "utils"
}, },
"locked": { "locked": {
@ -110,6 +130,27 @@
"type": "github" "type": "github"
} }
}, },
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"arion",
"nixpkgs"
]
},
"locked": {
"lastModified": 1675933616,
"narHash": "sha256-/rczJkJHtx16IFxMmAWu5nNYcSXNg1YYXTHoGjLrLUA=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "47478a4a003e745402acf63be7f9a092d51b83d7",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": { "flake-utils": {
"locked": { "locked": {
"lastModified": 1676283394, "lastModified": 1676283394,
@ -185,6 +226,22 @@
"type": "github" "type": "github"
} }
}, },
"haskell-flake": {
"locked": {
"lastModified": 1675296942,
"narHash": "sha256-u1X1sblozi5qYEcLp1hxcyo8FfDHnRUVX3dJ/tW19jY=",
"owner": "srid",
"repo": "haskell-flake",
"rev": "c2cafce9d57bfca41794dc3b99c593155006c71e",
"type": "github"
},
"original": {
"owner": "srid",
"ref": "0.1.0",
"repo": "haskell-flake",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -368,16 +425,16 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1677655566, "lastModified": 1676300157,
"narHash": "sha256-I8G8Lmpp3YduYl4+pkiIJFGT1WKw+8ZMH2QwANkTu2U=", "narHash": "sha256-1HjRzfp6LOLfcj/HJHdVKWAkX9QRAouoh6AjzJiIerU=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "ae8bdd2de4c23b239b5a771501641d2ef5e027d0", "rev": "545c7a31e5dedea4a6d372712a18e00ce097d462",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixpkgs-unstable", "ref": "nixos-unstable",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@ -446,6 +503,22 @@
} }
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": {
"lastModified": 1677655566,
"narHash": "sha256-I8G8Lmpp3YduYl4+pkiIJFGT1WKw+8ZMH2QwANkTu2U=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ae8bdd2de4c23b239b5a771501641d2ef5e027d0",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1671417167, "lastModified": 1671417167,
"narHash": "sha256-JkHam6WQOwZN1t2C2sbp1TqMv3TVRjzrdoejqfefwrM=", "narHash": "sha256-JkHam6WQOwZN1t2C2sbp1TqMv3TVRjzrdoejqfefwrM=",
@ -461,7 +534,7 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_3": { "nixpkgs_4": {
"locked": { "locked": {
"lastModified": 1680122840, "lastModified": 1680122840,
"narHash": "sha256-zCQ/9iFHzCW5JMYkkHMwgK1/1/kTMgCMHq4THPINpAU=", "narHash": "sha256-zCQ/9iFHzCW5JMYkkHMwgK1/1/kTMgCMHq4THPINpAU=",
@ -477,7 +550,7 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_4": { "nixpkgs_5": {
"locked": { "locked": {
"lastModified": 1656753965, "lastModified": 1656753965,
"narHash": "sha256-BCrB3l0qpJokOnIVc3g2lHiGhnjUi0MoXiw6t1o8H1E=", "narHash": "sha256-BCrB3l0qpJokOnIVc3g2lHiGhnjUi0MoXiw6t1o8H1E=",
@ -511,7 +584,7 @@
"rnix-lsp": { "rnix-lsp": {
"inputs": { "inputs": {
"naersk": "naersk", "naersk": "naersk",
"nixpkgs": "nixpkgs_4", "nixpkgs": "nixpkgs_5",
"utils": "utils_4" "utils": "utils_4"
}, },
"locked": { "locked": {
@ -530,6 +603,7 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"arion": "arion",
"crane": "crane", "crane": "crane",
"darwin": "darwin", "darwin": "darwin",
"deploy-rs": "deploy-rs", "deploy-rs": "deploy-rs",
@ -541,7 +615,7 @@
"mpd-mpris": "mpd-mpris", "mpd-mpris": "mpd-mpris",
"nix-gaming": "nix-gaming", "nix-gaming": "nix-gaming",
"nixos-m1": "nixos-m1", "nixos-m1": "nixos-m1",
"nixpkgs": "nixpkgs_3", "nixpkgs": "nixpkgs_4",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
"nixpkgs-unstable-asahi": "nixpkgs-unstable-asahi", "nixpkgs-unstable-asahi": "nixpkgs-unstable-asahi",
"nur": "nur", "nur": "nur",

2
flake.nix
View file

@ -21,6 +21,7 @@
# --- Build tools # --- Build tools
flake-utils.url = github:numtide/flake-utils; flake-utils.url = github:numtide/flake-utils;
crane.url = github:ipetkov/crane; crane.url = github:ipetkov/crane;
arion.url = github:hercules-ci/arion;
# --- # ---
# Imported apps # Imported apps
@ -191,6 +192,7 @@
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
(common-nixos nixpkgs) (common-nixos nixpkgs)
inputs.arion.nixosModules.arion
./modules/my-tinc ./modules/my-tinc
inputs.youmubot.nixosModule.x86_64-linux inputs.youmubot.nixosModule.x86_64-linux
./nki-personal-do/configuration.nix ./nki-personal-do/configuration.nix

127
modules/cloud/authentik/default.nix Normal file
View file

@ -0,0 +1,127 @@
{ pkgs, config, lib, ... }:
with lib;
let
cfg = config.cloud.authentik;
mkImage =
{ imageName, imageDigest, ... }: "${imageName}@${imageDigest}";
# If we can pullImage we can just do
# mkImage = pkgs.dockerTools.pullImage;
images = {
postgresql = mkImage {
imageName = "postgres";
finalImageTag = "12-alpine";
imageDigest = "sha256:f52ffee699232c84d820c35c28656363f4fda6a3e3e934b83f4e5e1898e2bdfa";
};
redis = mkImage {
imageName = "redis";
finalImageTag = "alpine";
imageDigest = "sha256:a5481d685c31d0078b319e39639cb4f5c2c9cf4ebfca1ef888f4327be9bcc5a7";
};
authentik = mkImage {
imageName = "ghcr.io/goauthentik/server";
finalImageTag = "2023.4.1";
imageDigest = "sha256:96c9f29247a270524056aff59f1bcb7118ef51d14b334b67ab2b75e8df30e829";
};
};
authentikEnv = pkgs.writeText "authentik.env" ''
AUTHENTIK_POSTGRESQL__PASSWORD=''${PG_PASS}
'';
postgresEnv = pkgs.writeText "postgres.env" ''
POSTGRES_PASSWORD=''${PG_PASS:?database password required}
'';
in
{
options.cloud.authentik = {
enable = mkEnableOption "Enable authentik OAuth server";
envFile = mkOption {
type = types.path;
description = "Path to an environment file that specifies PG_PASS and AUTHENTIK_SECRET_KEY";
};
port = mkOption {
type = types.int;
description = "Exposed port";
default = 9480;
};
};
config = mkIf cfg.enable {
systemd.services.arion-authentik.serviceConfig.EnvironmentFile = cfg.envFile;
virtualisation.arion.projects.authentik.settings = {
services.postgresql.service = {
image = images.postgresql;
restart = "unless-stopped";
healthcheck = {
test = [ "CMD-SHELL" "pg_isready -d $\${POSTGRES_DB} -U $\${POSTGRES_USER}" ];
start_period = "20s";
interval = "30s";
retries = 5;
timeout = "5s";
};
volumes = [ "database:/var/lib/postgresql/data" ];
environment = {
POSTGRES_USER = "authentik";
POSTGRES_DB = "authentik";
};
env_file = [ cfg.envFile "${postgresEnv}" ];
};
services.redis.service = {
image = images.redis;
command = "--save 60 1 --loglevel warning";
restart = "unless-stopped";
healthcheck = {
test = [ "CMD-SHELL" "redis-cli ping | grep PONG" ];
start_period = "20s";
interval = "30s";
retries = 5;
timeout = "3s";
};
volumes = [ "redis:/data" ];
};
services.server.service = {
image = images.authentik;
command = "server";
restart = "unless-stopped";
volumes = [
"/var/lib/authentik/media:/media"
"/var/lib/authentik/custom-templates:/templates"
];
environment = {
AUTHENTIK_REDIS__HOST = "redis";
AUTHENTIK_POSTGRESQL__HOST = "postgresql";
AUTHENTIK_POSTGRESQL__USER = "authentik";
AUTHENTIK_POSTGRESQL__NAME = "authentik";
};
env_file = [ cfg.envFile "${authentikEnv}" ];
ports = [
"${toString cfg.port}:9000"
];
};
services.worker.service = {
image = images.authentik;
command = "worker";
restart = "unless-stopped";
volumes = [
"/var/run/docker.sock:/var/run/docker.sock"
"/var/lib/authentik/media:/media"
"/var/lib/authentik/custom-templates:/templates"
"/var/lib/authentik/certs:/certs"
];
environment = {
AUTHENTIK_REDIS__HOST = "redis";
AUTHENTIK_POSTGRESQL__HOST = "postgresql";
AUTHENTIK_POSTGRESQL__USER = "authentik";
AUTHENTIK_POSTGRESQL__NAME = "authentik";
};
env_file = [ cfg.envFile "${authentikEnv}" ];
};
docker-compose.volumes = {
database.driver = "local";
redis.driver = "local";
};
};
};
}

9
nki-personal-do/configuration.nix
View file

@ -3,6 +3,7 @@
./hardware-configuration.nix ./hardware-configuration.nix
# Set up cloud # Set up cloud
../modules/cloud/authentik
../modules/cloud/postgresql ../modules/cloud/postgresql
../modules/cloud/traefik ../modules/cloud/traefik
../modules/cloud/bitwarden ../modules/cloud/bitwarden
@ -76,6 +77,9 @@
}; };
cloud.traefik.certsDumper.enable = true; cloud.traefik.certsDumper.enable = true;
# Arion
virtualisation.arion.backend = "docker";
# Conduit # Conduit
sops.secrets.heisenbridge = { owner = "heisenbridge"; }; sops.secrets.heisenbridge = { owner = "heisenbridge"; };
sops.secrets.matrix-discord-bridge = { mode = "0644"; }; sops.secrets.matrix-discord-bridge = { mode = "0644"; };
@ -148,7 +152,10 @@
cloud.writefreely.enable = true; cloud.writefreely.enable = true;
# Authentik (running under docker-compose T_T) # Authentik (running under docker-compose T_T)
cloud.traefik.hosts.authentik = { host = "auth.dtth.ch"; port = 9480; }; sops.secrets.authentik-env = { };
cloud.authentik.enable = true;
cloud.authentik.envFile = config.sops.secrets.authentik-env.path;
cloud.traefik.hosts.authentik = { host = "auth.dtth.ch"; port = config.cloud.authentik.port; };
# Outline # Outline
sops.secrets.minio-secret-key = { }; sops.secrets.minio-secret-key = { };

5
nki-personal-do/secrets/secrets.yaml
View file

@ -13,6 +13,7 @@ outline:
smtp-password: ENC[AES256_GCM,data:zpIi6jVB2Y7ksBOR8SGFgjOD1x3aS6dKa6taLKB8v2l9p92iWDti75qgB1puglmmq8mCzz8KXLrM0Bv7W8GWRg==,iv:6tKINzQcApmNuIbNn0kSzFJtwn3rky/uFG2Ff3lazUk=,tag:kjB6qB87tRQVpy32Pt3D5A==,type:str] smtp-password: ENC[AES256_GCM,data:zpIi6jVB2Y7ksBOR8SGFgjOD1x3aS6dKa6taLKB8v2l9p92iWDti75qgB1puglmmq8mCzz8KXLrM0Bv7W8GWRg==,iv:6tKINzQcApmNuIbNn0kSzFJtwn3rky/uFG2Ff3lazUk=,tag:kjB6qB87tRQVpy32Pt3D5A==,type:str]
heisenbridge: ENC[AES256_GCM,data:rJY7gpcOY8nODR3KlYW1rEs54mKxr+AjNBeg1/2vTG0Gzpuvjgbnn5UVJS+P8uej/P4HfeFtlQSFZCEy8cXcwvwq97ppVliCGL4GMLRWaFmop35feC8t2ovh79cy/vKC7drASeGvWYNUmGRjboPuKA8W5LARa0HVDPGDLIEMVgJfYry/YKR3gsGmLzU7Mx1yLO6M/EFOJQJc84bSuu+CPSZcyUVF4SSNBiaDU5/NazlqaA9KWL6Xzu1MD2LEYdEFkRfitNgYj2m2gLd9voyGV4cfaCqJvYjJPwuZeZUoqCpDnom2JoV29q/Yq/gmyumPgOvriGxLsYBqV14MaCcE6KXE2uLicD+I/5or1AxepVDVjG9NoSgho1HpLvpRhMSCeXLk9+U+ykH3QA+0M+VVu9pswMMVQifnTtXZRM6pWxOnRVAzGf2tGDo4jy36S7pHaRn7SJcrljjWLfwHuNiu7E2uZhMrkcCjnjcBA9Xrb3drDQYVHya7XcoD4wOBHBDvVZwhYkNdkS3oYkom8A==,iv:fO1onfon3EdSNC/LjN1aWxpHBYq5aa0F/h0V6gl88ac=,tag:NL9p2nhIlEqgOdvUDM19Dg==,type:str] heisenbridge: ENC[AES256_GCM,data:rJY7gpcOY8nODR3KlYW1rEs54mKxr+AjNBeg1/2vTG0Gzpuvjgbnn5UVJS+P8uej/P4HfeFtlQSFZCEy8cXcwvwq97ppVliCGL4GMLRWaFmop35feC8t2ovh79cy/vKC7drASeGvWYNUmGRjboPuKA8W5LARa0HVDPGDLIEMVgJfYry/YKR3gsGmLzU7Mx1yLO6M/EFOJQJc84bSuu+CPSZcyUVF4SSNBiaDU5/NazlqaA9KWL6Xzu1MD2LEYdEFkRfitNgYj2m2gLd9voyGV4cfaCqJvYjJPwuZeZUoqCpDnom2JoV29q/Yq/gmyumPgOvriGxLsYBqV14MaCcE6KXE2uLicD+I/5or1AxepVDVjG9NoSgho1HpLvpRhMSCeXLk9+U+ykH3QA+0M+VVu9pswMMVQifnTtXZRM6pWxOnRVAzGf2tGDo4jy36S7pHaRn7SJcrljjWLfwHuNiu7E2uZhMrkcCjnjcBA9Xrb3drDQYVHya7XcoD4wOBHBDvVZwhYkNdkS3oYkom8A==,iv:fO1onfon3EdSNC/LjN1aWxpHBYq5aa0F/h0V6gl88ac=,tag:NL9p2nhIlEqgOdvUDM19Dg==,type:str]
matrix-discord-bridge: ENC[AES256_GCM,data:/rlSjD6inKfak7HKKghH5ays5RjKmb9czGsoIOYHyTZC4A5EMucCbfn8DL1gkYXgvRHJ+QglGX/BGo5ebaxSj6nF60+aW87UG31KggOt5kkMuWsPsjvrufoc5IlNfWnXIWmqf8cdC01hmHEp7biUpI8CcfEZiD9OkOxbZcRfYqW+ttnzplFniRBjGPVZfL5g4DBbuJen5MuOrrMDo5CT+78n,iv:r9VBbDCAAElisCaDehrB6PhJHsaaHjdrk3103lmBT7o=,tag:WoNMMfyMifsL56yWq3MUOg==,type:str] matrix-discord-bridge: ENC[AES256_GCM,data:/rlSjD6inKfak7HKKghH5ays5RjKmb9czGsoIOYHyTZC4A5EMucCbfn8DL1gkYXgvRHJ+QglGX/BGo5ebaxSj6nF60+aW87UG31KggOt5kkMuWsPsjvrufoc5IlNfWnXIWmqf8cdC01hmHEp7biUpI8CcfEZiD9OkOxbZcRfYqW+ttnzplFniRBjGPVZfL5g4DBbuJen5MuOrrMDo5CT+78n,iv:r9VBbDCAAElisCaDehrB6PhJHsaaHjdrk3103lmBT7o=,tag:WoNMMfyMifsL56yWq3MUOg==,type:str]
authentik-env: ENC[AES256_GCM,data:CjxTaqIcpBX7ea9L3tgJDELr8HBPJdxXsrOfhsiH4cXwCEzktsNKHjF7l95ZFgI5O08q4Vlbln5Dg4xPEx33nwUesEbQrT5d+n+2YaAxmm/WInrYzF+jB7HYTXASb3rY9PWgd2C3v+YPBkJetHlTUc/k19Q7lOQRNw==,iv:cG8Bi2eCsS+v94tSJBsqp+bjVLzXZvvwX1QVVSYExL8=,tag:VmbfcxCcfi3IpKjg3f8QPw==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -46,8 +47,8 @@ sops:
by9kZFlTRVdCZFkxYTVVb0RIRk8zUlkKCqMw9oL9RaYBV5Hhy3o8Nm5xmGrPH8Sd by9kZFlTRVdCZFkxYTVVb0RIRk8zUlkKCqMw9oL9RaYBV5Hhy3o8Nm5xmGrPH8Sd
hv36sxRFFNZT/DCKaHaSRbT3mfpBZSTXJt1dgl4nZe6whH54t/1KmA== hv36sxRFFNZT/DCKaHaSRbT3mfpBZSTXJt1dgl4nZe6whH54t/1KmA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-04-03T20:09:31Z" lastmodified: "2023-04-26T19:50:09Z"
mac: ENC[AES256_GCM,data:7TBLlaplxp6+/qXgx6LDVywqqhIHRn3gw2287cVEHHTr7wLdZMle1EvRSAFP+2jYeAAhie/MaLvFKYSEZ2KHHVwvtBRS08ieJ2lnsIWRqkYVxFPgOeCCJei1IuEXKxmDB2yRGV/paE6w/1HW3j5iaVh1TIjkHpKDqpsMdFcYoZw=,iv:CSHDBO1crdJilcHFkxDQMNWk/ClsyV/g4aDECPMpT7E=,tag:r9LRx0Ler7dDXhkNp9pTLA==,type:str] mac: ENC[AES256_GCM,data:QSS+gJoTtSwaB/seeo4QHEjdmzQ+qdYwmDtKWKV44KZnudHQuNYTlklKBC7gzLncOIaoPgQ04ZSlL/J4RSI4gLLrNuf+DkxX8OSIOv44U8ynBP/yWObgCPz8XjS38Jl9ovhLAPXYb6GK3DGl4q01ghXSpvfVsjCpz8W7SAVkVSA=,iv:Po0fPtu+gznmPalCm77RG3WloTKtRIEHLAec5lTYvaE=,tag:ulfUHDy1UAmj6d/R4kO42A==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.7.3 version: 3.7.3