Move authentik to nix!!

2023-04-26 23:23:28 +02:00 · 2023-04-26 23:23:28 +02:00 · 8d8052c5cc
parent 8f2f511424
commit 8d8052c5cc
5 changed files with 224 additions and 13 deletions
--- a/flake.lock
+++ b/flake.lock
@ -1,10 +1,30 @@
 {
  "nodes": {
+    "arion": {
+      "inputs": {
+        "flake-parts": "flake-parts",
+        "haskell-flake": "haskell-flake",
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1682181677,
+        "narHash": "sha256-El8WQ2ccxWwkSrjuwKNR0gD/O7vS/KLBY4Q2/nF8m1c=",
+        "owner": "hercules-ci",
+        "repo": "arion",
+        "rev": "6a1f03329c400327b3b2e0ed5e1efff11037ba67",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "arion",
+        "type": "github"
+      }
+    },
    "crane": {
      "inputs": {
        "flake-compat": "flake-compat",
        "flake-utils": "flake-utils",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_2",
        "rust-overlay": "rust-overlay"
      },
      "locked": {
@ -45,7 +65,7 @@
    "deploy-rs": {
      "inputs": {
        "flake-compat": "flake-compat_2",
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": "nixpkgs_3",
        "utils": "utils"
      },
      "locked": {
@ -110,6 +130,27 @@
        "type": "github"
      }
    },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "arion",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1675933616,
+        "narHash": "sha256-/rczJkJHtx16IFxMmAWu5nNYcSXNg1YYXTHoGjLrLUA=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "47478a4a003e745402acf63be7f9a092d51b83d7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
    "flake-utils": {
      "locked": {
        "lastModified": 1676283394,
@ -185,6 +226,22 @@
        "type": "github"
      }
    },
+    "haskell-flake": {
+      "locked": {
+        "lastModified": 1675296942,
+        "narHash": "sha256-u1X1sblozi5qYEcLp1hxcyo8FfDHnRUVX3dJ/tW19jY=",
+        "owner": "srid",
+        "repo": "haskell-flake",
+        "rev": "c2cafce9d57bfca41794dc3b99c593155006c71e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "srid",
+        "ref": "0.1.0",
+        "repo": "haskell-flake",
+        "type": "github"
+      }
+    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@ -368,16 +425,16 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1677655566,
-        "narHash": "sha256-I8G8Lmpp3YduYl4+pkiIJFGT1WKw+8ZMH2QwANkTu2U=",
+        "lastModified": 1676300157,
+        "narHash": "sha256-1HjRzfp6LOLfcj/HJHdVKWAkX9QRAouoh6AjzJiIerU=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "ae8bdd2de4c23b239b5a771501641d2ef5e027d0",
+        "rev": "545c7a31e5dedea4a6d372712a18e00ce097d462",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
+        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -446,6 +503,22 @@
      }
    },
    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1677655566,
+        "narHash": "sha256-I8G8Lmpp3YduYl4+pkiIJFGT1WKw+8ZMH2QwANkTu2U=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "ae8bdd2de4c23b239b5a771501641d2ef5e027d0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
      "locked": {
        "lastModified": 1671417167,
        "narHash": "sha256-JkHam6WQOwZN1t2C2sbp1TqMv3TVRjzrdoejqfefwrM=",
@ -461,7 +534,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_3": {
+    "nixpkgs_4": {
      "locked": {
        "lastModified": 1680122840,
        "narHash": "sha256-zCQ/9iFHzCW5JMYkkHMwgK1/1/kTMgCMHq4THPINpAU=",
@ -477,7 +550,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_4": {
+    "nixpkgs_5": {
      "locked": {
        "lastModified": 1656753965,
        "narHash": "sha256-BCrB3l0qpJokOnIVc3g2lHiGhnjUi0MoXiw6t1o8H1E=",
@ -511,7 +584,7 @@
    "rnix-lsp": {
      "inputs": {
        "naersk": "naersk",
-        "nixpkgs": "nixpkgs_4",
+        "nixpkgs": "nixpkgs_5",
        "utils": "utils_4"
      },
      "locked": {
@ -530,6 +603,7 @@
    },
    "root": {
      "inputs": {
+        "arion": "arion",
        "crane": "crane",
        "darwin": "darwin",
        "deploy-rs": "deploy-rs",
@ -541,7 +615,7 @@
        "mpd-mpris": "mpd-mpris",
        "nix-gaming": "nix-gaming",
        "nixos-m1": "nixos-m1",
-        "nixpkgs": "nixpkgs_3",
+        "nixpkgs": "nixpkgs_4",
        "nixpkgs-unstable": "nixpkgs-unstable",
        "nixpkgs-unstable-asahi": "nixpkgs-unstable-asahi",
        "nur": "nur",
--- a/flake.nix
+++ b/flake.nix
@ -21,6 +21,7 @@
    # --- Build tools
    flake-utils.url = github:numtide/flake-utils;
    crane.url = github:ipetkov/crane;
+    arion.url = github:hercules-ci/arion;

    # ---
    # Imported apps
@ -191,6 +192,7 @@
        system = "x86_64-linux";
        modules = [
          (common-nixos nixpkgs)
+          inputs.arion.nixosModules.arion
          ./modules/my-tinc
          inputs.youmubot.nixosModule.x86_64-linux
          ./nki-personal-do/configuration.nix
--- a/modules/cloud/authentik/default.nix
+++ b/modules/cloud/authentik/default.nix
@ -0,0 +1,127 @@
+{ pkgs, config, lib, ... }:
+
+with lib;
+let
+  cfg = config.cloud.authentik;
+
+  mkImage =
+    { imageName, imageDigest, ... }: "${imageName}@${imageDigest}";
+  # If we can pullImage we can just do
+  # mkImage = pkgs.dockerTools.pullImage;
+
+  images = {
+    postgresql = mkImage {
+      imageName = "postgres";
+      finalImageTag = "12-alpine";
+      imageDigest = "sha256:f52ffee699232c84d820c35c28656363f4fda6a3e3e934b83f4e5e1898e2bdfa";
+    };
+    redis = mkImage {
+      imageName = "redis";
+      finalImageTag = "alpine";
+      imageDigest = "sha256:a5481d685c31d0078b319e39639cb4f5c2c9cf4ebfca1ef888f4327be9bcc5a7";
+    };
+    authentik = mkImage {
+      imageName = "ghcr.io/goauthentik/server";
+      finalImageTag = "2023.4.1";
+      imageDigest = "sha256:96c9f29247a270524056aff59f1bcb7118ef51d14b334b67ab2b75e8df30e829";
+    };
+  };
+  authentikEnv = pkgs.writeText "authentik.env" ''
+    AUTHENTIK_POSTGRESQL__PASSWORD=''${PG_PASS}
+  '';
+  postgresEnv = pkgs.writeText "postgres.env" ''
+    POSTGRES_PASSWORD=''${PG_PASS:?database password required}
+  '';
+in
+{
+  options.cloud.authentik = {
+    enable = mkEnableOption "Enable authentik OAuth server";
+    envFile = mkOption {
+      type = types.path;
+      description = "Path to an environment file that specifies PG_PASS and AUTHENTIK_SECRET_KEY";
+    };
+    port = mkOption {
+      type = types.int;
+      description = "Exposed port";
+      default = 9480;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.arion-authentik.serviceConfig.EnvironmentFile = cfg.envFile;
+    virtualisation.arion.projects.authentik.settings = {
+      services.postgresql.service = {
+        image = images.postgresql;
+        restart = "unless-stopped";
+        healthcheck = {
+          test = [ "CMD-SHELL" "pg_isready -d $\${POSTGRES_DB} -U $\${POSTGRES_USER}" ];
+          start_period = "20s";
+          interval = "30s";
+          retries = 5;
+          timeout = "5s";
+        };
+        volumes = [ "database:/var/lib/postgresql/data" ];
+        environment = {
+          POSTGRES_USER = "authentik";
+          POSTGRES_DB = "authentik";
+        };
+        env_file = [ cfg.envFile "${postgresEnv}" ];
+      };
+      services.redis.service = {
+        image = images.redis;
+        command = "--save 60 1 --loglevel warning";
+        restart = "unless-stopped";
+        healthcheck = {
+          test = [ "CMD-SHELL" "redis-cli ping | grep PONG" ];
+          start_period = "20s";
+          interval = "30s";
+          retries = 5;
+          timeout = "3s";
+        };
+        volumes = [ "redis:/data" ];
+      };
+      services.server.service = {
+        image = images.authentik;
+        command = "server";
+        restart = "unless-stopped";
+        volumes = [
+          "/var/lib/authentik/media:/media"
+          "/var/lib/authentik/custom-templates:/templates"
+        ];
+        environment = {
+          AUTHENTIK_REDIS__HOST = "redis";
+          AUTHENTIK_POSTGRESQL__HOST = "postgresql";
+          AUTHENTIK_POSTGRESQL__USER = "authentik";
+          AUTHENTIK_POSTGRESQL__NAME = "authentik";
+        };
+        env_file = [ cfg.envFile "${authentikEnv}" ];
+        ports = [
+          "${toString cfg.port}:9000"
+        ];
+      };
+      services.worker.service = {
+        image = images.authentik;
+        command = "worker";
+        restart = "unless-stopped";
+        volumes = [
+          "/var/run/docker.sock:/var/run/docker.sock"
+          "/var/lib/authentik/media:/media"
+          "/var/lib/authentik/custom-templates:/templates"
+          "/var/lib/authentik/certs:/certs"
+        ];
+        environment = {
+          AUTHENTIK_REDIS__HOST = "redis";
+          AUTHENTIK_POSTGRESQL__HOST = "postgresql";
+          AUTHENTIK_POSTGRESQL__USER = "authentik";
+          AUTHENTIK_POSTGRESQL__NAME = "authentik";
+        };
+        env_file = [ cfg.envFile "${authentikEnv}" ];
+      };
+      docker-compose.volumes = {
+        database.driver = "local";
+        redis.driver = "local";
+      };
+    };
+  };
+}
+
--- a/nki-personal-do/configuration.nix
+++ b/nki-personal-do/configuration.nix
@ -3,6 +3,7 @@
    ./hardware-configuration.nix

    # Set up cloud
+    ../modules/cloud/authentik
    ../modules/cloud/postgresql
    ../modules/cloud/traefik
    ../modules/cloud/bitwarden
@ -76,6 +77,9 @@
  };
  cloud.traefik.certsDumper.enable = true;

+  # Arion
+  virtualisation.arion.backend = "docker";
+
  # Conduit
  sops.secrets.heisenbridge = { owner = "heisenbridge"; };
  sops.secrets.matrix-discord-bridge = { mode = "0644"; };
@ -148,7 +152,10 @@
  cloud.writefreely.enable = true;

  # Authentik (running under docker-compose T_T)
-  cloud.traefik.hosts.authentik = { host = "auth.dtth.ch"; port = 9480; };
+  sops.secrets.authentik-env = { };
+  cloud.authentik.enable = true;
+  cloud.authentik.envFile = config.sops.secrets.authentik-env.path;
+  cloud.traefik.hosts.authentik = { host = "auth.dtth.ch"; port = config.cloud.authentik.port; };

  # Outline
  sops.secrets.minio-secret-key = { };
--- a/nki-personal-do/secrets/secrets.yaml
+++ b/nki-personal-do/secrets/secrets.yaml
@ -13,6 +13,7 @@ outline:
    smtp-password: ENC[AES256_GCM,data:zpIi6jVB2Y7ksBOR8SGFgjOD1x3aS6dKa6taLKB8v2l9p92iWDti75qgB1puglmmq8mCzz8KXLrM0Bv7W8GWRg==,iv:6tKINzQcApmNuIbNn0kSzFJtwn3rky/uFG2Ff3lazUk=,tag:kjB6qB87tRQVpy32Pt3D5A==,type:str]
 heisenbridge: ENC[AES256_GCM,data:rJY7gpcOY8nODR3KlYW1rEs54mKxr+AjNBeg1/2vTG0Gzpuvjgbnn5UVJS+P8uej/P4HfeFtlQSFZCEy8cXcwvwq97ppVliCGL4GMLRWaFmop35feC8t2ovh79cy/vKC7drASeGvWYNUmGRjboPuKA8W5LARa0HVDPGDLIEMVgJfYry/YKR3gsGmLzU7Mx1yLO6M/EFOJQJc84bSuu+CPSZcyUVF4SSNBiaDU5/NazlqaA9KWL6Xzu1MD2LEYdEFkRfitNgYj2m2gLd9voyGV4cfaCqJvYjJPwuZeZUoqCpDnom2JoV29q/Yq/gmyumPgOvriGxLsYBqV14MaCcE6KXE2uLicD+I/5or1AxepVDVjG9NoSgho1HpLvpRhMSCeXLk9+U+ykH3QA+0M+VVu9pswMMVQifnTtXZRM6pWxOnRVAzGf2tGDo4jy36S7pHaRn7SJcrljjWLfwHuNiu7E2uZhMrkcCjnjcBA9Xrb3drDQYVHya7XcoD4wOBHBDvVZwhYkNdkS3oYkom8A==,iv:fO1onfon3EdSNC/LjN1aWxpHBYq5aa0F/h0V6gl88ac=,tag:NL9p2nhIlEqgOdvUDM19Dg==,type:str]
 matrix-discord-bridge: ENC[AES256_GCM,data:/rlSjD6inKfak7HKKghH5ays5RjKmb9czGsoIOYHyTZC4A5EMucCbfn8DL1gkYXgvRHJ+QglGX/BGo5ebaxSj6nF60+aW87UG31KggOt5kkMuWsPsjvrufoc5IlNfWnXIWmqf8cdC01hmHEp7biUpI8CcfEZiD9OkOxbZcRfYqW+ttnzplFniRBjGPVZfL5g4DBbuJen5MuOrrMDo5CT+78n,iv:r9VBbDCAAElisCaDehrB6PhJHsaaHjdrk3103lmBT7o=,tag:WoNMMfyMifsL56yWq3MUOg==,type:str]
+authentik-env: ENC[AES256_GCM,data:CjxTaqIcpBX7ea9L3tgJDELr8HBPJdxXsrOfhsiH4cXwCEzktsNKHjF7l95ZFgI5O08q4Vlbln5Dg4xPEx33nwUesEbQrT5d+n+2YaAxmm/WInrYzF+jB7HYTXASb3rY9PWgd2C3v+YPBkJetHlTUc/k19Q7lOQRNw==,iv:cG8Bi2eCsS+v94tSJBsqp+bjVLzXZvvwX1QVVSYExL8=,tag:VmbfcxCcfi3IpKjg3f8QPw==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -46,8 +47,8 @@ sops:
            by9kZFlTRVdCZFkxYTVVb0RIRk8zUlkKCqMw9oL9RaYBV5Hhy3o8Nm5xmGrPH8Sd
            hv36sxRFFNZT/DCKaHaSRbT3mfpBZSTXJt1dgl4nZe6whH54t/1KmA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-04-03T20:09:31Z"
-    mac: ENC[AES256_GCM,data:7TBLlaplxp6+/qXgx6LDVywqqhIHRn3gw2287cVEHHTr7wLdZMle1EvRSAFP+2jYeAAhie/MaLvFKYSEZ2KHHVwvtBRS08ieJ2lnsIWRqkYVxFPgOeCCJei1IuEXKxmDB2yRGV/paE6w/1HW3j5iaVh1TIjkHpKDqpsMdFcYoZw=,iv:CSHDBO1crdJilcHFkxDQMNWk/ClsyV/g4aDECPMpT7E=,tag:r9LRx0Ler7dDXhkNp9pTLA==,type:str]
+    lastmodified: "2023-04-26T19:50:09Z"
+    mac: ENC[AES256_GCM,data:QSS+gJoTtSwaB/seeo4QHEjdmzQ+qdYwmDtKWKV44KZnudHQuNYTlklKBC7gzLncOIaoPgQ04ZSlL/J4RSI4gLLrNuf+DkxX8OSIOv44U8ynBP/yWObgCPz8XjS38Jl9ovhLAPXYb6GK3DGl4q01ghXSpvfVsjCpz8W7SAVkVSA=,iv:Po0fPtu+gznmPalCm77RG3WloTKtRIEHLAec5lTYvaE=,tag:ulfUHDy1UAmj6d/R4kO42A==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3