From a1bc147b909fb2c26f28d36cf910f889e5d7a05d Mon Sep 17 00:00:00 2001
From: pazpi
Date: Sun, 12 Jan 2025 22:27:37 +0100
Subject: [PATCH] WIP: Authentik
---
flake.lock | 240 ++++++++++++++++++++++++++++++++-
flake.nix | 18 ++-
hosts/authentik/default.nix | 38 ++++++
hosts/default.nix | 31 +++--
modules/services/authentik.nix | 115 ++++++++++++++++
modules/services/default.nix | 1 +
secrets.nix | 1 +
secrets/authentik-env.age | 11 ++
ssh-keys.nix | 2 +-
9 files changed, 440 insertions(+), 17 deletions(-)
create mode 100644 hosts/authentik/default.nix
create mode 100644 modules/services/authentik.nix
create mode 100644 secrets/authentik-env.age
diff --git a/flake.lock b/flake.lock
index 0a5480c..255784d 100644
--- a/flake.lock
+++ b/flake.lock
@@ -23,11 +23,55 @@ "type": "github" } }, + "authentik-nix": { + "inputs": { + "authentik-src": "authentik-src", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "flake-utils": "flake-utils", + "napalm": "napalm", + "nixpkgs": [ + "nixpkgs" + ], + "poetry2nix": "poetry2nix", + "systems": "systems_2" + }, + "locked": { + "lastModified": 1736445563, + "narHash": "sha256-+f1MWPtja+LRlTHJP/i/3yxmnzo2LGtZmxtJJTdAp8o=", + "owner": "nix-community", + "repo": "authentik-nix", + "rev": "bf5a5bf42189ff5f468f0ff26c9296233a97eb6c", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "authentik-nix", + "type": "github" + } + }, + "authentik-src": { + "flake": false, + "locked": { + "lastModified": 1736440980, + "narHash": "sha256-Z3rFFrXrOKaF9NpY/fInsEbzdOWnWqLfEYl7YX9hFEU=", + "owner": "goauthentik", + "repo": "authentik", + "rev": "9d81f0598c7735e2b4616ee865ab896056a67408", + "type": "github" + }, + "original": { + "owner": "goauthentik", + "ref": "version/2024.12.2", + "repo": "authentik", + "type": "github" + } + }, "colmena": { "inputs": { - "flake-compat": "flake-compat", - "flake-utils": "flake-utils", - "nix-github-actions": "nix-github-actions", + "flake-compat": "flake-compat_2", + "flake-utils": "flake-utils_2", + "nix-github-actions": "nix-github-actions_2", "nixpkgs": [ "nixpkgs" ], @@ -70,6 +114,22 @@ } }, "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { "flake": false, "locked": { "lastModified": 1650374568, 
@@ -85,7 +145,46 @@ "type": "github" } }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1727826117, + "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-utils": { + "inputs": { + "systems": [ + "authentik-nix", + "systems" + ] + }, + "locked": { + "lastModified": 1726560853, + "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { "locked": { "lastModified": 1659877975, "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", @@ -100,9 +199,9 @@ "type": "github" } }, - "flake-utils_2": { + "flake-utils_3": { "inputs": { - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1726560853, @@ -191,7 +290,7 @@ }, "lix-module": { "inputs": { - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils_3", "flakey-profile": "flakey-profile", "lix": "lix", "nixpkgs": [ 
@@ -210,7 +309,55 @@ "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-2.tar.gz" } }, + "napalm": { + "inputs": { + "flake-utils": [ + "authentik-nix", + "flake-utils" + ], + "nixpkgs": [ + "authentik-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1725806412, + "narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=", + "owner": "willibutz", + "repo": "napalm", + "rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5", + "type": "github" + }, + "original": { + "owner": "willibutz", + "ref": "avoid-foldl-stack-overflow", + "repo": "napalm", + "type": "github" + } + }, "nix-github-actions": { + "inputs": { + "nixpkgs": [ + "authentik-nix", + "poetry2nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729742964, + "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", + "owner": "nix-community", + "repo": "nix-github-actions", + "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-github-actions", + "type": "github" + } + }, + "nix-github-actions_2": { "inputs": { "nixpkgs": [ "colmena", @@ -263,6 +410,18 @@ "type": "github" } }, + "nixpkgs-lib": { + "locked": { + "lastModified": 1727825735, + "narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" + } + }, "nixpkgs-unstable": { "locked": { "lastModified": 1736012469, 
@@ -279,9 +438,41 @@ "type": "github" } }, + "poetry2nix": { + "inputs": { + "flake-utils": [ + "authentik-nix", + "flake-utils" + ], + "nix-github-actions": "nix-github-actions", + "nixpkgs": [ + "authentik-nix", + "nixpkgs" + ], + "systems": [ + "authentik-nix", + "systems" + ], + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1735164664, + "narHash": "sha256-DaWy+vo3c4TQ93tfLjUgcpPaSoDw4qV4t76Y3Mhu84I=", + "owner": "nix-community", + "repo": "poetry2nix", + "rev": "1fb01e90771f762655be7e0e805516cd7fa4d58e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "poetry2nix", + "type": "github" + } + }, "root": { "inputs": { "agenix": "agenix", + "authentik-nix": "authentik-nix", "colmena": "colmena", "home-manager": "home-manager_2", "lix-module": "lix-module", @@ -322,6 +513,21 @@ } }, "systems_2": { + "locked": { + "lastModified": 1689347949, + "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", + "owner": "nix-systems", + "repo": "default-linux", + "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default-linux", + "type": "github" + } + }, + "systems_3": { "locked": { "lastModified": 1681028828, "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", @@ -335,6 +541,28 @@ "repo": "default", "type": "github" } + }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "authentik-nix", + "poetry2nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1730120726, + "narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "9ef337e492a5555d8e17a51c911ff1f02635be15", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 84711e5..a8cec5f 100644 --- a/flake.nix +++ b/flake.nix 
@@ -36,6 +36,10 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + authentik-nix = { + url = "github:nix-community/authentik-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = @@ -45,6 +49,7 @@ nixpkgs-unstable, nixos-hardware, lix-module, + authentik-nix, agenix, colmena, home-manager, @@ -90,10 +95,11 @@ "lxc" "bacco" "arr" + "auth" "metrics" "nextcloud" - "vaultwarden" "portainer" + "vaultwarden" ]; }; @@ -141,6 +147,15 @@ ]; }; + authentik.deployment = { + targetHost = "192.168.1.157"; + tags = [ + "lxc" + "node" + "auth" + ]; + }; + deadbeef.deployment = { allowLocalDeployment = true; targetHost = null; @@ -157,6 +172,7 @@ agenix.packages.${system}.agenix colmena.packages.${system}.colmena ]; + }; }; diff --git a/hosts/authentik/default.nix b/hosts/authentik/default.nix new file mode 100644 index 0000000..22475b5 --- /dev/null +++ b/hosts/authentik/default.nix @@ -0,0 +1,38 @@ +{ + config, + pkgs, + lib, + imports, + ... +}: +{ + + age.secrets.authentik-env.file = ../../secrets/authentik-env.age; + + my = { + utils = { + commons.enable = true; + lxc-standard.enable = true; + }; + + services.authentik = { + enable = true; + envFile = config.age.secrets.authentik-env.path; + email = { + host = "smtp.eu.mailgun.org"; + port = 587; + username = "Auth Pazpi.top"; + use_tls = true; + use_ssl = false; + from = "auth@pazpi.top"; + }; + proxy.domain = "tegola.pro"; + }; + virtualisation.proxmox.enable = true; + }; + + # Extra packages + environment.systemPackages = with pkgs; [ ]; + + system.stateVersion = "24.11"; +} diff --git a/hosts/default.nix b/hosts/default.nix index 5fd879c..18dd7e9 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -5,6 +5,7 @@ agenix, home-manager, lix-module, + authentik-nix, self, ... }: @@ -40,6 +41,7 @@ let myModule = { imports = [ lix-module.nixosModules.default + authentik-nix.nixosModules.default ../modules ]; }; 
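Review bot: In the new hosts/authentik/default.nix, `imports` in the argument pattern (`{ config, pkgs, lib, imports, ... }:`) is not an argument the module system provides; it is never read in the body, so evaluation presumably only survives because module arguments are resolved lazily, and forcing it would fail — `{ config, pkgs, ... }:` is enough here (lib is unused as well). Separately, `username = "Auth Pazpi.top"` reads like a display name rather than an SMTP login; worth confirming it is the credential the mail provider expects, given the matching password must come from the age-encrypted env file. Note also that `proxy.enable` is left unset on this host, so the module's Caddy virtual-host block stays inactive and `proxy.domain` only feeds the nginx host name; if a Caddy entry on another host is expected, it has to be declared there.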
@@ -55,7 +57,7 @@ in deadbeef = nixpkgs.lib.nixosSystem { pkgs = pkgs "x86_64-linux"; modules = [ - myModule + myModules ./deadbeef nixos-hardware.nixosModules.dell-xps-15-9560 home-manager.nixosModules.home-manager @@ -67,7 +69,7 @@ in baseLXC = nixpkgs.lib.nixosSystem { pkgs = pkgs "x86_64-linux"; modules = [ - myModule + myModules proxmoxModule ./base-lxc.nix agenix.nixosModules.default @@ -80,7 +82,7 @@ in arr = nixpkgs.lib.nixosSystem { pkgs = pkgs "x86_64-linux"; modules = [ - myModule + myModules proxmoxModule ./arr agenix.nixosModules.default @@ -91,7 +93,7 @@ in caddy = nixpkgs.lib.nixosSystem { pkgs = pkgs "x86_64-linux"; modules = [ - myModule + myModules proxmoxModule ./caddy agenix.nixosModules.default @@ -102,7 +104,7 @@ in metrics = nixpkgs.lib.nixosSystem { pkgs = pkgs "x86_64-linux"; modules = [ - myModule + myModules proxmoxModule ./metrics agenix.nixosModules.default @@ -113,7 +115,7 @@ in nextcloud = nixpkgs.lib.nixosSystem { pkgs = pkgs "x86_64-linux"; modules = [ - myModule + myModules proxmoxModule ./nextcloud agenix.nixosModules.default @@ -124,7 +126,7 @@ in plex = nixpkgs.lib.nixosSystem { pkgs = pkgs "x86_64-linux"; modules = [ - myModule + myModules proxmoxModule ./plex agenix.nixosModules.default @@ -135,7 +137,7 @@ in vaultwarden = nixpkgs.lib.nixosSystem { pkgs = pkgs "x86_64-linux"; modules = [ - myModule + myModules proxmoxModule ./vaultwarden agenix.nixosModules.default @@ -146,7 +148,7 @@ in portainer = nixpkgs.lib.nixosSystem { pkgs = pkgs "x86_64-linux"; modules = [ - myModule + myModules proxmoxModule ./portainer agenix.nixosModules.default @@ -154,4 +156,15 @@ in # specialArgs = { }; }; + authentik = nixpkgs.lib.nixosSystem { + pkgs = pkgs "x86_64-linux"; + modules = [ + myModules + proxmoxModule + ./authentik + agenix.nixosModules.default + ]; + # specialArgs = { }; + }; + } diff --git a/modules/services/authentik.nix b/modules/services/authentik.nix new file mode 100644 index 0000000..793dc1e --- /dev/null 
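Review bot: Every `nixosSystem` call in hosts/default.nix now lists `myModules`, but the binding shown as context in the earlier `@@ -40,6 +41,7 @@` hunk is still `myModule = { imports = [ ... ]; };`, so unless a `myModules` binding exists outside the visible hunks, evaluation of `deadbeef`, `baseLXC`, `arr`, `caddy`, `metrics`, `nextcloud`, `plex`, `vaultwarden`, `portainer` and the new `authentik` system fails with an undefined-variable error. Either rename the definition to match (`myModules = { imports = [ ... ]; };`) or revert the nine replacements to `myModule`. The same applies to the `authentik = nixpkgs.lib.nixosSystem { ... }` block added in the last hunk of this file.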
+++ b/modules/services/authentik.nix 
@@ -0,0 +1,115 @@
+{
+ lib,
+ config,
+ pkgs,
+ ...
+}:
+let
+ cfg = config.my.services.authentik;
+in
+{
+
+ options.my.services.authentik = {
+ enable = lib.mkEnableOption "Enable Authentik module";
+
+ envFile = lib.mkOption {
+ default = "";
+ type = lib.types.str;
+ description = ''
+ The path to the env file
+ '';
+ };
+
+ email = {
+ host = lib.mkOption {
+ type = lib.types.str;
+ description = "SMTP server host for Authentik.";
+ default = "smtp.example.com";
+ };
+ port = lib.mkOption {
+ type = lib.types.int;
+ description = "SMTP server port for Authentik.";
+ default = 587;
+ };
+ username = lib.mkOption {
+ type = lib.types.str;
+ description = "SMTP username for Authentik.";
+ default = "authentik@example.com";
+ };
+ use_tls = lib.mkOption {
+ type = lib.types.bool;
+ description = "Use TLS for SMTP connection.";
+ default = true;
+ };
+ use_ssl = lib.mkOption {
+ type = lib.types.bool;
+ description = "Use SSL for SMTP connection.";
+ default = false;
+ };
+ from = lib.mkOption {
+ type = lib.types.str;
+ description = "Email address to use in the From field.";
+ default = "authentik@example.com";
+ };
+ };
+
+ proxy = {
+ enable = lib.mkEnableOption "Set the proxy entry for this service";
+
+ domain = lib.mkOption {
+ default = "example.com";
+ type = lib.types.str;
+ description = ''
+ The domain where Caddy is reachable
+ '';
+ };
+
+ subdomain = lib.mkOption {
+ default = "auth";
+ type = lib.types.str;
+ description = ''
+ The subdomain where the service is reachable
+ '';
+ };
+
+ host = lib.mkOption {
+ default = "localhost";
+ type = lib.types.str;
+ description = ''
+ host name where the service is running
+ '';
+ };
+
+ };
+ };
+
+ config = lib.mkMerge [
+ (lib.mkIf cfg.enable {
+
+ services.authentik = {
+ enable = true;
+ environmentFile = cfg.envFile;
+ settings = {
+ email = cfg.email;
+ disable_startup_analytics = true;
+ avatars = "initials";
+ };
+ nginx = {
+ enable = true;
+ enableACME = false;
+ host = 
"${cfg.proxy.subdomain}.${cfg.proxy.domain}"; + }; + }; + + }) + + (lib.mkIf cfg.proxy.enable { + services.caddy = with cfg.proxy; { + virtualHosts."${subdomain}.${domain}".extraConfig = '' + reverse_proxy http://localhost:9000 + import cloudflare_${domain} + ''; + }; + }) + ]; +} diff --git a/modules/services/default.nix b/modules/services/default.nix index a41b26e..717b808 100644 --- a/modules/services/default.nix +++ b/modules/services/default.nix @@ -1,5 +1,6 @@ { imports = [ + ./authentik.nix ./dashy.nix ./media-mgr.nix ./nextcloud.nix diff --git a/secrets.nix b/secrets.nix index 4e2cc6f..9a547c6 100644 --- a/secrets.nix +++ b/secrets.nix @@ -19,6 +19,7 @@ let machines.metrics ]; watchtower-secrets = [ machines.portainer ]; + authentik-env = [ machines.auth ]; }; in builtins.listToAttrs ( diff --git a/secrets/authentik-env.age b/secrets/authentik-env.age new file mode 100644 index 0000000..2466ecc --- /dev/null +++ b/secrets/authentik-env.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 uNzX0g VzdrdyXxPMlZD90+MHqtNgQ99GxUb6qzHgXL1zwdDDg +1xc65mEn4A19szmjMrivnki2js4ETO61TZZuTgo2xBg +-> ssh-ed25519 Si3UKw 2I91ZFM44fSWG3g9D1mDZhM8tjF01ZZYezyTFPHHG2c +zI5qXYR21jlgoDmpcvvVBv8wg+pdyWw5Y4Nlh3ohEPw +-> ssh-ed25519 3UG3uw 6pUbFJ2dfTDrfu2tiNXHifb/n2WJJverDFMpNBTOKRk +PMq5d1+Gz2qE0a7bAzqYXGWYOf0876YGEkf0RIjgL14 +-> ssh-ed25519 JEhtoQ Q5NEsZCbFNNPpTuZ31ddzEyBNmUegc39KMyRHmurlGM +PpUA5KjDa7lmOvVsbewptA2d1rGd4CcLeuPBtso0qqQ +--- H+mfOPwlLK3n64f9ubuDGqEEC9w1UyU4gxWtTr+Ot6Q +œ-Û=í¬à؇@´þ”ÈѶè•$dÖ" òý”hfkSŸ»¤º¨tTo}<&ÅôܪPx£˜Zƒ _˜Æ—ûqüI?/FUFà.B€Ú­ÇE_k–RÀ+ÀT÷-wæ~IÙx2ʾ3+³«ß—BªÆ“Ó´*Åì’H©kqÈü§‘Nš˜iÉ£:˜)~‰ý)N£ ]úNY‡ ¥‚Ó ý‡Aoçpù ]…ÙOÍÎ>û‰™Ö­4KJ \ No newline at end of file diff --git a/ssh-keys.nix b/ssh-keys.nix index 10b5139..d28a804 100644 --- a/ssh-keys.nix +++ b/ssh-keys.nix 
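Review bot: The Caddy block at the end of modules/services/authentik.nix hard-codes `reverse_proxy http://localhost:9000` while the `proxy.host` option declared above (default `"localhost"`, described as "host name where the service is running") is never read, so setting it has no effect; with `with cfg.proxy;` already in scope the line can be `reverse_proxy http://${host}:9000`. `mkEnableOption` prefixes its argument with "Whether to enable", so `lib.mkEnableOption "Enable Authentik module"` and `"Set the proxy entry for this service"` render awkwardly — `lib.mkEnableOption "the Authentik module"` and `lib.mkEnableOption "a Caddy proxy entry for this service"` read correctly. `envFile` defaults to `""` with type `str`, so an enabled service without an explicit env file is handed `environmentFile = ""`; `lib.types.nullOr lib.types.path` with `default = null` would make the omission explicit, assuming the upstream option accepts null (verify). Finally, `nginx.enableACME = false` with nothing else leaves the `auth.<domain>` nginx virtual host on plain HTTP; if TLS terminates on another host, confirm that hop is meant to carry Authentik session cookies unencrypted, or drop the nginx block in favour of the Caddy proxy.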
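Review bot: In secrets.nix the new secret is granted to `machines.auth`, and the ssh-keys.nix hunk that follows registers the host key under `auth`, while the same machine is called `authentik` everywhere else in this patch (the colmena deployment in flake.nix, hosts/default.nix, hosts/authentik/); the existing entries `metrics`, `nextcloud`, `vaultwarden`, `plex` and `portainer` all match their host names. Keeping that convention — `authentik-env = [ machines.authentik ];` here and the `auth = "ssh-ed25519 …";` line in ssh-keys.nix renamed to `authentik` — avoids confusing the host with the `auth` colmena tag this patch also introduces. If the attribute names in ssh-keys.nix are matched against host names elsewhere (cannot tell from these hunks), the mismatch would also matter for provisioning, not just readability.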
@@ -12,9 +12,9 @@ rec { metrics = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFRY4bpw1gCJAWMtBTSm2/09gcniFkSyCKCKPyGHVbr"; nextcloud = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYobAlQ9tPKjyh7eE2Ku81ZiMY6OWd3ELDqo+xBmjbC"; vaultwarden = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOW9uYQpPMiKvI/KFRvd/5f9J8a0zLaQxstWRI8VNObV"; - # search = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBhRxaMK+swWcbd6dyBvPw74EtB5mghjgBzmIhXy9cRt"; # TODO: Update this key plex = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINp9itRJGSSVWLxwrcudyGUNOOKl+qqtf+IzLHrhffyt"; portainer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMgg4SKMCw2/21l1crY7trFnrCmNSrkYPl3vEDnJ8aQn"; + auth = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINFOmlg2aI9tZ/ysAR4Cyxsyi6KQrgilg+QYyuCNPTI1"; }; # Machines able to provision other machines