pazpi/nix
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions

WIP: Authentik

Browse source
This commit is contained in:
pazpi 2025-01-12 22:27:37 +01:00
parent 79bfb5e7e3
commit a1bc147b90
9 changed files with 440 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

240
flake.lock generated
View file

@ -23,11 +23,55 @@
"type": "github" "type": "github"
} }
}, },
"authentik-nix": {
"inputs": {
"authentik-src": "authentik-src",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils",
"napalm": "napalm",
"nixpkgs": [
"nixpkgs"
],
"poetry2nix": "poetry2nix",
"systems": "systems_2"
},
"locked": {
"lastModified": 1736445563,
"narHash": "sha256-+f1MWPtja+LRlTHJP/i/3yxmnzo2LGtZmxtJJTdAp8o=",
"owner": "nix-community",
"repo": "authentik-nix",
"rev": "bf5a5bf42189ff5f468f0ff26c9296233a97eb6c",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "authentik-nix",
"type": "github"
}
},
"authentik-src": {
"flake": false,
"locked": {
"lastModified": 1736440980,
"narHash": "sha256-Z3rFFrXrOKaF9NpY/fInsEbzdOWnWqLfEYl7YX9hFEU=",
"owner": "goauthentik",
"repo": "authentik",
"rev": "9d81f0598c7735e2b4616ee865ab896056a67408",
"type": "github"
},
"original": {
"owner": "goauthentik",
"ref": "version/2024.12.2",
"repo": "authentik",
"type": "github"
}
},
"colmena": { "colmena": {
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat_2",
"flake-utils": "flake-utils", "flake-utils": "flake-utils_2",
"nix-github-actions": "nix-github-actions", "nix-github-actions": "nix-github-actions_2",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
@ -70,6 +114,22 @@
} }
}, },
"flake-compat": { "flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1650374568, "lastModified": 1650374568,
@ -85,7 +145,46 @@
"type": "github" "type": "github"
} }
}, },
"flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1727826117,
"narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": { "flake-utils": {
"inputs": {
"systems": [
"authentik-nix",
"systems"
]
},
"locked": {
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"locked": { "locked": {
"lastModified": 1659877975, "lastModified": 1659877975,
"narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
@ -100,9 +199,9 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils_2": { "flake-utils_3": {
"inputs": { "inputs": {
"systems": "systems_2" "systems": "systems_3"
}, },
"locked": { "locked": {
"lastModified": 1726560853, "lastModified": 1726560853,
@ -191,7 +290,7 @@
}, },
"lix-module": { "lix-module": {
"inputs": { "inputs": {
"flake-utils": "flake-utils_2", "flake-utils": "flake-utils_3",
"flakey-profile": "flakey-profile", "flakey-profile": "flakey-profile",
"lix": "lix", "lix": "lix",
"nixpkgs": [ "nixpkgs": [
@ -210,7 +309,55 @@
"url": "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-2.tar.gz" "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-2.tar.gz"
} }
}, },
"napalm": {
"inputs": {
"flake-utils": [
"authentik-nix",
"flake-utils"
],
"nixpkgs": [
"authentik-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1725806412,
"narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=",
"owner": "willibutz",
"repo": "napalm",
"rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5",
"type": "github"
},
"original": {
"owner": "willibutz",
"ref": "avoid-foldl-stack-overflow",
"repo": "napalm",
"type": "github"
}
},
"nix-github-actions": { "nix-github-actions": {
"inputs": {
"nixpkgs": [
"authentik-nix",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1729742964,
"narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nix-github-actions_2": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"colmena", "colmena",
@ -263,6 +410,18 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-lib": {
"locked": {
"lastModified": 1727825735,
"narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
}
},
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1736012469, "lastModified": 1736012469,
@ -279,9 +438,41 @@
"type": "github" "type": "github"
} }
}, },
"poetry2nix": {
"inputs": {
"flake-utils": [
"authentik-nix",
"flake-utils"
],
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"authentik-nix",
"nixpkgs"
],
"systems": [
"authentik-nix",
"systems"
],
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1735164664,
"narHash": "sha256-DaWy+vo3c4TQ93tfLjUgcpPaSoDw4qV4t76Y3Mhu84I=",
"owner": "nix-community",
"repo": "poetry2nix",
"rev": "1fb01e90771f762655be7e0e805516cd7fa4d58e",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "poetry2nix",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix", "agenix": "agenix",
"authentik-nix": "authentik-nix",
"colmena": "colmena", "colmena": "colmena",
"home-manager": "home-manager_2", "home-manager": "home-manager_2",
"lix-module": "lix-module", "lix-module": "lix-module",
@ -322,6 +513,21 @@
} }
}, },
"systems_2": { "systems_2": {
"locked": {
"lastModified": 1689347949,
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
"owner": "nix-systems",
"repo": "default-linux",
"rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default-linux",
"type": "github"
}
},
"systems_3": {
"locked": { "locked": {
"lastModified": 1681028828, "lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
@ -335,6 +541,28 @@
"repo": "default", "repo": "default",
"type": "github" "type": "github"
} }
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"authentik-nix",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1730120726,
"narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "9ef337e492a5555d8e17a51c911ff1f02635be15",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",

18
flake.nix
View file

@ -36,6 +36,10 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
authentik-nix = {
url = "github:nix-community/authentik-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = outputs =
@ -45,6 +49,7 @@
nixpkgs-unstable, nixpkgs-unstable,
nixos-hardware, nixos-hardware,
lix-module, lix-module,
authentik-nix,
agenix, agenix,
colmena, colmena,
home-manager, home-manager,
@ -90,10 +95,11 @@
"lxc" "lxc"
"bacco" "bacco"
"arr" "arr"
"auth"
"metrics" "metrics"
"nextcloud" "nextcloud"
"vaultwarden"
"portainer" "portainer"
"vaultwarden"
]; ];
}; };
@ -141,6 +147,15 @@
]; ];
}; };
authentik.deployment = {
targetHost = "192.168.1.157";
tags = [
"lxc"
"node"
"auth"
];
};
deadbeef.deployment = { deadbeef.deployment = {
allowLocalDeployment = true; allowLocalDeployment = true;
targetHost = null; targetHost = null;
@ -157,6 +172,7 @@
agenix.packages.${system}.agenix agenix.packages.${system}.agenix
colmena.packages.${system}.colmena colmena.packages.${system}.colmena
]; ];
}; };
}; };

38
hosts/authentik/default.nix Normal file
View file

@ -0,0 +1,38 @@
{
config,
pkgs,
lib,
imports,
...
}:
{
age.secrets.authentik-env.file = ../../secrets/authentik-env.age;
my = {
utils = {
commons.enable = true;
lxc-standard.enable = true;
};
services.authentik = {
enable = true;
envFile = config.age.secrets.authentik-env.path;
email = {
host = "smtp.eu.mailgun.org";
port = 587;
username = "Auth Pazpi.top";
use_tls = true;
use_ssl = false;
from = "auth@pazpi.top";
};
proxy.domain = "tegola.pro";
};
virtualisation.proxmox.enable = true;
};
# Extra packages
environment.systemPackages = with pkgs; [ ];
system.stateVersion = "24.11";
}

31
hosts/default.nix
View file

@ -5,6 +5,7 @@
agenix, agenix,
home-manager, home-manager,
lix-module, lix-module,
authentik-nix,
self, self,
... ...
}: }:
@ -40,6 +41,7 @@ let
myModule = { myModule = {
imports = [ imports = [
lix-module.nixosModules.default lix-module.nixosModules.default
authentik-nix.nixosModules.default
../modules ../modules
]; ];
}; };
@ -55,7 +57,7 @@ in
deadbeef = nixpkgs.lib.nixosSystem { deadbeef = nixpkgs.lib.nixosSystem {
pkgs = pkgs "x86_64-linux"; pkgs = pkgs "x86_64-linux";
modules = [ modules = [
myModule myModules
./deadbeef ./deadbeef
nixos-hardware.nixosModules.dell-xps-15-9560 nixos-hardware.nixosModules.dell-xps-15-9560
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
@ -67,7 +69,7 @@ in
baseLXC = nixpkgs.lib.nixosSystem { baseLXC = nixpkgs.lib.nixosSystem {
pkgs = pkgs "x86_64-linux"; pkgs = pkgs "x86_64-linux";
modules = [ modules = [
myModule myModules
proxmoxModule proxmoxModule
./base-lxc.nix ./base-lxc.nix
agenix.nixosModules.default agenix.nixosModules.default
@ -80,7 +82,7 @@ in
arr = nixpkgs.lib.nixosSystem { arr = nixpkgs.lib.nixosSystem {
pkgs = pkgs "x86_64-linux"; pkgs = pkgs "x86_64-linux";
modules = [ modules = [
myModule myModules
proxmoxModule proxmoxModule
./arr ./arr
agenix.nixosModules.default agenix.nixosModules.default
@ -91,7 +93,7 @@ in
caddy = nixpkgs.lib.nixosSystem { caddy = nixpkgs.lib.nixosSystem {
pkgs = pkgs "x86_64-linux"; pkgs = pkgs "x86_64-linux";
modules = [ modules = [
myModule myModules
proxmoxModule proxmoxModule
./caddy ./caddy
agenix.nixosModules.default agenix.nixosModules.default
@ -102,7 +104,7 @@ in
metrics = nixpkgs.lib.nixosSystem { metrics = nixpkgs.lib.nixosSystem {
pkgs = pkgs "x86_64-linux"; pkgs = pkgs "x86_64-linux";
modules = [ modules = [
myModule myModules
proxmoxModule proxmoxModule
./metrics ./metrics
agenix.nixosModules.default agenix.nixosModules.default
@ -113,7 +115,7 @@ in
nextcloud = nixpkgs.lib.nixosSystem { nextcloud = nixpkgs.lib.nixosSystem {
pkgs = pkgs "x86_64-linux"; pkgs = pkgs "x86_64-linux";
modules = [ modules = [
myModule myModules
proxmoxModule proxmoxModule
./nextcloud ./nextcloud
agenix.nixosModules.default agenix.nixosModules.default
@ -124,7 +126,7 @@ in
plex = nixpkgs.lib.nixosSystem { plex = nixpkgs.lib.nixosSystem {
pkgs = pkgs "x86_64-linux"; pkgs = pkgs "x86_64-linux";
modules = [ modules = [
myModule myModules
proxmoxModule proxmoxModule
./plex ./plex
agenix.nixosModules.default agenix.nixosModules.default
@ -135,7 +137,7 @@ in
vaultwarden = nixpkgs.lib.nixosSystem { vaultwarden = nixpkgs.lib.nixosSystem {
pkgs = pkgs "x86_64-linux"; pkgs = pkgs "x86_64-linux";
modules = [ modules = [
myModule myModules
proxmoxModule proxmoxModule
./vaultwarden ./vaultwarden
agenix.nixosModules.default agenix.nixosModules.default
@ -146,7 +148,7 @@ in
portainer = nixpkgs.lib.nixosSystem { portainer = nixpkgs.lib.nixosSystem {
pkgs = pkgs "x86_64-linux"; pkgs = pkgs "x86_64-linux";
modules = [ modules = [
myModule myModules
proxmoxModule proxmoxModule
./portainer ./portainer
agenix.nixosModules.default agenix.nixosModules.default
@ -154,4 +156,15 @@ in
# specialArgs = { }; # specialArgs = { };
}; };
authentik = nixpkgs.lib.nixosSystem {
pkgs = pkgs "x86_64-linux";
modules = [
myModules
proxmoxModule
./authentik
agenix.nixosModules.default
];
# specialArgs = { };
};
} }

115
modules/services/authentik.nix Normal file
View file

@ -0,0 +1,115 @@
{
lib,
config,
pkgs,
...
}:
let
cfg = config.my.services.authentik;
in
{
options.my.services.authentik = {
enable = lib.mkEnableOption "Enable Authentik module";
envFile = lib.mkOption {
default = "";
type = lib.types.str;
description = ''
The path to the env file
'';
};
email = {
host = lib.mkOption {
type = lib.types.str;
description = "SMTP server host for Authentik.";
default = "smtp.example.com";
};
port = lib.mkOption {
type = lib.types.int;
description = "SMTP server port for Authentik.";
default = 587;
};
username = lib.mkOption {
type = lib.types.str;
description = "SMTP username for Authentik.";
default = "authentik@example.com";
};
use_tls = lib.mkOption {
type = lib.types.bool;
description = "Use TLS for SMTP connection.";
default = true;
};
use_ssl = lib.mkOption {
type = lib.types.bool;
description = "Use SSL for SMTP connection.";
default = false;
};
from = lib.mkOption {
type = lib.types.str;
description = "Email address to use in the From field.";
default = "authentik@example.com";
};
};
proxy = {
enable = lib.mkEnableOption "Set the proxy entry for this service";
domain = lib.mkOption {
default = "example.com";
type = lib.types.str;
description = ''
The domain where Caddy is reachable
'';
};
subdomain = lib.mkOption {
default = "auth";
type = lib.types.str;
description = ''
The subdomain where the service is reachable
'';
};
host = lib.mkOption {
default = "localhost";
type = lib.types.str;
description = ''
host name where the service is running
'';
};
};
};
config = lib.mkMerge [
(lib.mkIf cfg.enable {
services.authentik = {
enable = true;
environmentFile = cfg.envFile;
settings = {
email = cfg.email;
disable_startup_analytics = true;
avatars = "initials";
};
nginx = {
enable = true;
enableACME = false;
host = "${cfg.proxy.subdomain}.${cfg.proxy.domain}";
};
};
})
(lib.mkIf cfg.proxy.enable {
services.caddy = with cfg.proxy; {
virtualHosts."${subdomain}.${domain}".extraConfig = ''
reverse_proxy http://localhost:9000
import cloudflare_${domain}
'';
};
})
];
}

1
modules/services/default.nix
View file

@ -1,5 +1,6 @@
{ {
imports = [ imports = [
./authentik.nix
./dashy.nix ./dashy.nix
./media-mgr.nix ./media-mgr.nix
./nextcloud.nix ./nextcloud.nix

1
secrets.nix
View file

@ -19,6 +19,7 @@ let
machines.metrics machines.metrics
]; ];
watchtower-secrets = [ machines.portainer ]; watchtower-secrets = [ machines.portainer ];
authentik-env = [ machines.auth ];
}; };
in in
builtins.listToAttrs ( builtins.listToAttrs (

11
secrets/authentik-env.age Normal file
View file

@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 uNzX0g VzdrdyXxPMlZD90+MHqtNgQ99GxUb6qzHgXL1zwdDDg
1xc65mEn4A19szmjMrivnki2js4ETO61TZZuTgo2xBg
-> ssh-ed25519 Si3UKw 2I91ZFM44fSWG3g9D1mDZhM8tjF01ZZYezyTFPHHG2c
zI5qXYR21jlgoDmpcvvVBv8wg+pdyWw5Y4Nlh3ohEPw
-> ssh-ed25519 3UG3uw 6pUbFJ2dfTDrfu2tiNXHifb/n2WJJverDFMpNBTOKRk
PMq5d1+Gz2qE0a7bAzqYXGWYOf0876YGEkf0RIjgL14
-> ssh-ed25519 JEhtoQ Q5NEsZCbFNNPpTuZ31ddzEyBNmUegc39KMyRHmurlGM
PpUA5KjDa7lmOvVsbewptA2d1rGd4CcLeuPBtso0qqQ
--- H+mfOPwlLK3n64f9ubuDGqEEC9w1UyU4gxWtTr+Ot6Q
œ-Û=í¬à؇@´þ”ÈѶè•$dÃ" òý”hfkSŸ»¤º¨tTo}<&Åôܪ<C39C>Px£˜Zƒ _˜Æ—ûq<C3BB>üI?/FUFà.B€Ú­ÇE_kïƒT÷-wæ~IÙx2ʾ3+³«ß—BªÆ“Ó´*ÅìkqÈü§˜<69>£:˜)~‰ý)N£ ]úNY‡ ¥‚Ó ý‡Aoçpù ]…ÙOÍÎ>û‰™Ö­4KJ

2
ssh-keys.nix
View file

@ -12,9 +12,9 @@ rec {
metrics = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFRY4bpw1gCJAWMtBTSm2/09gcniFkSyCKCKPyGHVbr"; metrics = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFRY4bpw1gCJAWMtBTSm2/09gcniFkSyCKCKPyGHVbr";
nextcloud = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYobAlQ9tPKjyh7eE2Ku81ZiMY6OWd3ELDqo+xBmjbC"; nextcloud = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYobAlQ9tPKjyh7eE2Ku81ZiMY6OWd3ELDqo+xBmjbC";
vaultwarden = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOW9uYQpPMiKvI/KFRvd/5f9J8a0zLaQxstWRI8VNObV"; vaultwarden = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOW9uYQpPMiKvI/KFRvd/5f9J8a0zLaQxstWRI8VNObV";
# search = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBhRxaMK+swWcbd6dyBvPw74EtB5mghjgBzmIhXy9cRt"; # TODO: Update this key
plex = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINp9itRJGSSVWLxwrcudyGUNOOKl+qqtf+IzLHrhffyt"; plex = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINp9itRJGSSVWLxwrcudyGUNOOKl+qqtf+IzLHrhffyt";
portainer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMgg4SKMCw2/21l1crY7trFnrCmNSrkYPl3vEDnJ8aQn"; portainer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMgg4SKMCw2/21l1crY7trFnrCmNSrkYPl3vEDnJ8aQn";
auth = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINFOmlg2aI9tZ/ysAR4Cyxsyi6KQrgilg+QYyuCNPTI1";
}; };
# Machines able to provision other machines # Machines able to provision other machines