From bd44fc6fcb1fe3df7b8a8c81839e34470fed7911 Mon Sep 17 00:00:00 2001
From: Grisha Shipunov
Date: Sun, 12 Jan 2025 21:32:36 +0100
Subject: [PATCH] authentik: init
---
 .sops.yaml | 9 +
 flake.lock | 246 +++++++++++++++++++++++-
 flake.nix | 15 +-
 hosts/cloud/secrets.nix | 3 +
 hosts/minime/hardware-configuration.nix | 6 +
 hosts/minime/networking/default.nix | 3 +-
 hosts/minime/networking/uvm.nix | 32 ++-
 hosts/minime/uvm.nix | 10 +
 microvms/authentik/authentik.nix | 8 +
 microvms/authentik/default.nix | 76 ++++++++
 modules/wg/proxy.nix | 2 +-
 secrets/authentik/secrets.yaml | 44 +++++
 12 files changed, 428 insertions(+), 26 deletions(-)
 create mode 100644 hosts/minime/uvm.nix
 create mode 100644 microvms/authentik/authentik.nix
 create mode 100644 secrets/authentik/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
index 6a3de7b..c813570 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,8 +1,11 @@
 keys:
   - &admin_oxa DD0998E6CDF294537FC604F991FA5E5BF9AA901C
+  # hosts
   - &toaster age1avaphjah4k8n80jrnraeqh9r94fu6awd6k37z4zfjssl5ft07qkqmuehcm
   - &cloud age1j3xpuuqaph5z885er90mftfsu6g3hw4q469k37a3veqktwntzdpqgue4z5
   - &minime age1chq5k0t38882rtyljez8cwmvtcstu4tafzvveuhjrujvsqk72f9s9guc06
+  # microvms
+  - &authentik age1s9hew4wpff69fmz5lxmn96f8r3xuhqydw82t2dwkrn2rqhcx9pfqm3whvd
 creation_rules:
   - path_regex: secrets/toaster/[^/]+\.yaml$
     key_groups:
@@ -22,3 +25,9 @@ creation_rules:
           - *admin_oxa
         age:
           - *minime
+  - path_regex: secrets/authentik/[^/]+\.yaml$
+    key_groups:
+      - pgp:
+          - *admin_oxa
+        age:
+          - *authentik
diff --git a/flake.lock b/flake.lock
index 9baf8ec..eaf0cb6 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,49 @@ { "nodes": { + "authentik-nix": { + "inputs": { + "authentik-src": "authentik-src", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "flake-utils": "flake-utils", + "napalm": "napalm", + "nixpkgs": [ + "nixpkgs-unstable" + ], + "poetry2nix": "poetry2nix", + "systems": "systems" + }, + "locked": { + "lastModified": 1736445563, + "narHash": "sha256-+f1MWPtja+LRlTHJP/i/3yxmnzo2LGtZmxtJJTdAp8o=", + "owner": "nix-community", + "repo": "authentik-nix", + "rev": "bf5a5bf42189ff5f468f0ff26c9296233a97eb6c", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "authentik-nix", + "type": "github" + } + }, + "authentik-src": { + "flake": false, + "locked": { + "lastModified": 1736440980, + "narHash": "sha256-Z3rFFrXrOKaF9NpY/fInsEbzdOWnWqLfEYl7YX9hFEU=", + "owner": "goauthentik", + "repo": "authentik", + "rev": "9d81f0598c7735e2b4616ee865ab896056a67408", + "type": "github" + }, + "original": { + "owner": "goauthentik", + "ref": "version/2024.12.2", + "repo": "authentik", + "type": "github" + } + }, "crane": { "inputs": { "nixpkgs": [ @@ -37,7 +81,41 @@ "type": "github" } }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1727826117, + "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { "inputs": { "nixpkgs-lib": [ "lanzaboote", 
@@ -60,7 +138,28 @@ }, "flake-utils": { "inputs": { - "systems": "systems" + "systems": [ + "authentik-nix", + "systems" + ] + }, + "locked": { + "lastModified": 1726560853, + "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_2" }, "locked": { "lastModified": 1731533236, @@ -76,9 +175,9 @@ "type": "github" } }, - "flake-utils_2": { + "flake-utils_3": { "inputs": { - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1710146030, @@ -119,11 +218,11 @@ "lanzaboote": { "inputs": { "crane": "crane", - "flake-compat": "flake-compat", - "flake-parts": "flake-parts", - "flake-utils": "flake-utils_2", + "flake-compat": "flake-compat_2", + "flake-parts": "flake-parts_2", + "flake-utils": "flake-utils_3", "nixpkgs": [ - "nixpkgs-stable" + "nixpkgs-unstable" ], "pre-commit-hooks-nix": "pre-commit-hooks-nix", "rust-overlay": "rust-overlay" 
@@ -168,6 +267,54 @@ "type": "github" } }, + "napalm": { + "inputs": { + "flake-utils": [ + "authentik-nix", + "flake-utils" + ], + "nixpkgs": [ + "authentik-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1725806412, + "narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=", + "owner": "willibutz", + "repo": "napalm", + "rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5", + "type": "github" + }, + "original": { + "owner": "willibutz", + "ref": "avoid-foldl-stack-overflow", + "repo": "napalm", + "type": "github" + } + }, + "nix-github-actions": { + "inputs": { + "nixpkgs": [ + "authentik-nix", + "poetry2nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729742964, + "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", + "owner": "nix-community", + "repo": "nix-github-actions", + "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-github-actions", + "type": "github" + } + }, "nixos-hardware": { "locked": { "lastModified": 1736441705, @@ -184,6 +331,18 @@ "type": "github" } }, + "nixpkgs-lib": { + "locked": { + "lastModified": 1727825735, + "narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" + } + }, "nixpkgs-stable": { "locked": { "lastModified": 1710695816, 
@@ -232,6 +391,37 @@ "type": "github" } }, + "poetry2nix": { + "inputs": { + "flake-utils": [ + "authentik-nix", + "flake-utils" + ], + "nix-github-actions": "nix-github-actions", + "nixpkgs": [ + "authentik-nix", + "nixpkgs" + ], + "systems": [ + "authentik-nix", + "systems" + ], + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1735164664, + "narHash": "sha256-DaWy+vo3c4TQ93tfLjUgcpPaSoDw4qV4t76Y3Mhu84I=", + "owner": "nix-community", + "repo": "poetry2nix", + "rev": "1fb01e90771f762655be7e0e805516cd7fa4d58e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "poetry2nix", + "type": "github" + } + }, "pre-commit-hooks-nix": { "inputs": { "flake-compat": [ @@ -261,7 +451,8 @@ }, "root": { "inputs": { - "flake-utils": "flake-utils", + "authentik-nix": "authentik-nix", + "flake-utils": "flake-utils_2", "lanzaboote": "lanzaboote", "microvm": "microvm", "nixos-hardware": "nixos-hardware", @@ -333,6 +524,21 @@ } }, "systems": { + "locked": { + "lastModified": 1689347949, + "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", + "owner": "nix-systems", + "repo": "default-linux", + "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default-linux", + "type": "github" + } + }, + "systems_2": { "locked": { "lastModified": 1681028828, "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", @@ -347,7 +553,7 @@ "type": "github" } }, - "systems_2": { + "systems_3": { "locked": { "lastModified": 1681028828, "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", 
@@ -377,6 +583,28 @@ "repo": "tmux-yank", "type": "github" } + }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "authentik-nix", + "poetry2nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1730120726, + "narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "9ef337e492a5555d8e17a51c911ff1f02635be15", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } } }, "root": "root",
diff --git a/flake.nix b/flake.nix
index 81d4a40..05582f4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -108,7 +108,7 @@
     };
 
     authentik = nixpkgs-stable.lib.nixosSystem {
-      system = "x84_64-linux";
+      system = "x86_64-linux";
       specialArgs = { inherit inputs; };
       modules = [
         sops-nix.nixosModules.sops
@@ -117,17 +117,8 @@
         ./microvms/authentik
         ./modules/server
+      ];
+    };
   };
-
-
-  hydraJobs =
-    let
-      get-toplevel = (
-        host: nixSystem: nixSystem.config.microvm.declaredRunner or nixSystem.config.system.build.toplevel
-      );
-    in
-    nixpkgs-stable.lib.mapAttrs get-toplevel self.nixosConfigurations;
-
-  formatter.x86_64-linux = nixpkgs-stable.legacyPackages.x86_64-linux.nixfmt-rfc-style;
 
   };
 }
diff --git a/hosts/cloud/secrets.nix b/hosts/cloud/secrets.nix
index d9d5b51..e1d492f 100644
--- a/hosts/cloud/secrets.nix
+++ b/hosts/cloud/secrets.nix
@@ -7,5 +7,8 @@
     "wg/0xa-mgmt" = {
       owner = config.users.users.systemd-network.name;
     };
+    "wg/0xa-proxy" = {
+      owner = config.users.users.systemd-network.name;
+    };
   };
 }
diff --git a/hosts/minime/hardware-configuration.nix b/hosts/minime/hardware-configuration.nix
index 7e17821..ae2a528 100644
--- a/hosts/minime/hardware-configuration.nix
+++ b/hosts/minime/hardware-configuration.nix
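Review bot: `formatter.x86_64-linux` and `hydraJobs` vanish from the flake outputs in the second flake.nix hunk, while the commit is described as an authentik init; if the intent was only to close the authentik `nixosSystem` that the old file left open (the added `];` and `};`), the two attributes should be restored after the closing `};` rather than deleted, since `formatter` backs `nix fmt` and `hydraJobs` is what a CI/Hydra instance evaluates. If dropping them is deliberate, the commit message should say so. The enclosing `outputs` function begins before the hunk.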
@@ -65,6 +65,12 @@
     options = [ "zfsutil" ];
   };
 
+  fileSystems."/var/lib/microvms" = {
+    device = "zpool/data/var/lib/microvms";
+    fsType = "zfs";
+    options = [ "zfsutil" ];
+  };
+
   swapDevices = [
     {
       device = "/dev/disk/by-partuuid/7e7d0e0b-90b7-465c-a022-089b38e0f16d";
diff --git a/hosts/minime/networking/default.nix b/hosts/minime/networking/default.nix
index b1c044f..25e20b3 100644
--- a/hosts/minime/networking/default.nix
+++ b/hosts/minime/networking/default.nix
@@ -1,4 +1,5 @@
-{ ... }: {
+{ ... }:
+{
   imports = [
     ./uplink.nix
     ./uvm.nix
diff --git a/hosts/minime/networking/uvm.nix b/hosts/minime/networking/uvm.nix
index 15e498e..dfcb14c 100644
--- a/hosts/minime/networking/uvm.nix
+++ b/hosts/minime/networking/uvm.nix
@@ -1,8 +1,10 @@
-{ ... }: {
+{ ... }:
+{
+  # TODO: make a module
   systemd.network = {
     netdevs."10-uvm-br" = {
       netdevConfig = {
-        Kind = bridge;
+        Kind = "bridge";
         Name = "uvm-br";
       };
     };
@@ -13,7 +15,31 @@
         DHCPServer = false;
         IPv6SendRA = true;
       };
-      Address = [ ];
+      addresses = [
+        {
+          Address = "10.99.99.1/24";
+        }
+        {
+          Address = "fd12:3456:789a::1/64";
+        }
+      ];
+      ipv6Prefixes = [
+        {
+          Prefix = "fd12:3456:789a::/64";
+        }
+      ];
     };
+
+    networks."11-uvm-br" = {
+      matchConfig.Name = "uvm-*";
+      networkConfig.Bridge = "uvm-br";
+    };
+
+  };
+  networking.nat = {
+    enable = true;
+    enableIPv6 = true;
+    externalInterface = "enp90s0";
+    internalInterfaces = [ "uvm-br" ];
   };
 }
diff --git a/hosts/minime/uvm.nix b/hosts/minime/uvm.nix
new file mode 100644
index 0000000..7f10579
--- /dev/null
+++ b/hosts/minime/uvm.nix
@@ -0,0 +1,10 @@
+{ inputs, ... }:
+{
+  microvm.stateDir = "/var/lib/microvms";
+  microvm.vms = {
+    authentik = {
+      flake = inputs.self;
+      updateFlake = "github:gshipunov/nix-config/master";
+    };
+  };
+}
diff --git a/microvms/authentik/authentik.nix b/microvms/authentik/authentik.nix
new file mode 100644
index 0000000..3095944
--- /dev/null
+++ b/microvms/authentik/authentik.nix
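Review bot: `networking.nat.enable = true` in the second uvm.nix hunk switches on forwarding on the host, but nothing in this commit filters the forward path, and as far as I recall the NixOS firewall filters only INPUT unless `networking.firewall.filterForward` is set on the nftables backend, so anything the host routes toward 10.99.99.0/24 or fd12:3456:789a::/64 — from `enp90s0` or from the host's own tunnel interfaces — lands on `uvm-br` unfiltered. That matters because microvms/authentik/default.nix in the same commit turns the guest firewall off with `# firewalling done by the host`. Either add the forward-path rules next to the NAT block (or in the module the TODO promises) or record where they live, e.g. `# guest firewalls are off; traffic forwarded into uvm-br is filtered in <module path>`. `IPv6SendRA = true` advertises the ULA prefix to every `uvm-*` tap that joins the bridge, which is fine only while every attached VM is trusted.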
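Review bot: `updateFlake = "github:gshipunov/nix-config/master"` ties the VM's update path to a mutable branch ref, so an update run through microvm.nix would rebuild the identity provider from whatever `master` holds at that moment, with no pin, while the host itself was deployed from `inputs.self`; the two can drift, and an accidental or malicious push to `master` would be deployed without review. For an IdP that is worth a pinned ref (a tag or a `?rev=` query) or at least a comment on the line, `# updates track the unpinned master branch; host (inputs.self) and VM may differ after a push`.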
@@ -0,0 +1,8 @@
+{ config, ... }:
+{
+  services.authentik = {
+    enable = true;
+    environmentFile = config.sops.secrets."authentik/envfile".path;
+    settings.disable_startup_analytics = true;
+  };
+}
diff --git a/microvms/authentik/default.nix b/microvms/authentik/default.nix
index e69de29..a0b3ac8 100644
--- a/microvms/authentik/default.nix
+++ b/microvms/authentik/default.nix
@@ -0,0 +1,76 @@
+{ config, lib, ... }:
+let
+  mac = "c0:ff:ee:00:00:00";
+in
+{
+  imports = [
+    ./authentik.nix
+  ];
+
+  sops.defaultSopsFile = ../../secrets/authentik/secrets.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+  sops.secrets = {
+    "wg/0xa-proxy" = {
+      owner = config.users.users.systemd-network.name;
+    };
+    "authentik/envfile" = { };
+  };
+
+  microvm = {
+    hypervisor = "cloud-hypervisor";
+    mem = 2 * 1024;
+    vcpu = 2;
+    interfaces = [
+      {
+        type = "tap";
+        id = "uvm-authentik";
+        mac = mac;
+      }
+    ];
+    shares =
+      [
+        {
+          source = "/nix/store";
+          mountPoint = "/nix/.ro-store";
+          tag = "store";
+          proto = "virtiofs";
+          socket = "store.socket";
+        }
+      ]
+      ++ map
+        (dir: {
+          source = dir;
+          mountPoint = "/${dir}";
+          tag = dir;
+          proto = "virtiofs";
+          socket = "${dir}.socket";
+        })
+        [
+          "etc"
+          "var"
+          "home"
+        ];
+  };
+
+  networking.useNetworkd = true;
+  networking.firewall.enable = lib.mkForce false; # firewalling done by the host
+
+  systemd.network = {
+    enable = true;
+    networks."11-host" = {
+      matchConfig.MACAddress = mac;
+      networkConfig.Address = "10.99.99.10/24";
+      routes = [
+        {
+          Gateway = "10.99.99.1";
+          Destination = "0.0.0.0/0";
+          Metric = 1024;
+        }
+      ];
+    };
+  };
+
+  networking.hostName = "authentik";
+  system.stateVersion = "24.11";
+}
diff --git a/modules/wg/proxy.nix b/modules/wg/proxy.nix
index 4151d59..60516fe 100644
--- a/modules/wg/proxy.nix
+++ b/modules/wg/proxy.nix
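Review bot: `environmentFile = config.sops.secrets."authentik/envfile".path` is the module's only source of secrets, and nothing documents what the sops-managed env file must contain; whoever rotates it has to reverse-engineer that from a running VM. Suggest above the line: `# sops-managed env file; presumably carries AUTHENTIK_SECRET_KEY (session/cookie signing: rotating it logs everyone out) plus any AUTHENTIK_* overrides — confirm against the decrypted file`. The sops-nix default of a root-owned 0400 file is adequate here because systemd reads `EnvironmentFile=` as root before the service drops privileges, which is worth stating too so nobody loosens the mode later.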
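Review bot: `networking.firewall.enable = lib.mkForce false; # firewalling done by the host` does not hold for the WireGuard path: this module declares the `wg/0xa-proxy` secret for systemd-network, so the proxy tunnel (modules/wg/proxy.nix, presumably pulled in via ./modules/server from flake.nix) terminates inside the guest and its packets never cross the host's filter, which leaves every listener in the VM — authentik's HTTP/HTTPS ports and any other service the authentik-nix module starts that binds beyond loopback — open to the tunnel peer and to everything on uvm-br. Keep the guest firewall on and open only what the proxy forwards, e.g. `networking.firewall.allowedTCPPorts = [ <authentik listen ports> ];`, and reword the comment. Separately, `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]` makes the guest's host key the decryption identity for secrets.yaml, while `/etc` is a virtiofs share whose relative `source = dir` I believe microvm.nix resolves under the host's state dir, so the key that unlocks the authentik env file and the WG private key lives on the host filesystem; that directory's permissions are not set in this commit and should be verified as root-only. A comment such as `# /etc is host-backed: the age identity below lives on the host under microvm.stateDir` keeps that visible to the next reader.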
@@ -28,7 +28,7 @@
         "10.89.88.2/24"
         "fd31:185d:722f::2/48"
       ];
-      publicKey = "";
+      publicKey = "/0DRKWg3U/WuR8iYtH8bD2i+RXTWRzj6+MCS3xFfg1o=";
       privateKeyFile = config.sops.secrets."wg/0xa-proxy".path;
     };
   };
diff --git a/secrets/authentik/secrets.yaml b/secrets/authentik/secrets.yaml
new file mode 100644
index 0000000..45e2287
--- /dev/null
+++ b/secrets/authentik/secrets.yaml
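Review bot: `publicKey = "/0DRKWg3U/WuR8iYtH8bD2i+RXTWRzj6+MCS3xFfg1o="` replaces the empty placeholder without recording whose key it is, and because the attrset mixes `publicKey` with `privateKeyFile` the hunk does not even show whether this is the local node's own public half or the remote peer's; a WireGuard endpoint is identified by nothing else, so anyone auditing or rotating the tunnel later has to guess. The same secret name gains a declaration in hosts/cloud/secrets.nix in this commit, so the cloud host is presumably the other end. A comment on the line, `# <own|peer> public key for the wg/0xa-proxy tunnel; private half in secrets/<host>/`, with the placeholders filled in, would settle it. The attrset this line belongs to starts before the hunk.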
@@ -0,0 +1,44 @@
+authentik:
+    envfile: ENC[AES256_GCM,data:c3VuszxqS2F5ltuXJp04sMXLcgw+MGPKrab3kphB2xCZ7aYSTWHgIpqWWB+3u1VDkeDPR41aZJC7Byd4otQnEAlz/sCMXt4z3l5VR8q2BgGPtFt4kA4Vlob4072FGMALYk+lNofEA4lptgX7vzqTUA==,iv:LwfNcTX8ruHowjOE2NCzXrjpcxzPr55dHITinrSka/c=,tag:2OL66aTPAIB8mosevRuZjg==,type:str]
+wg:
+    0xa-proxy: ENC[AES256_GCM,data:mIYz1DK+aKnd+9krPxwOSpXe7n7DRedCKvmO46Lwtb4ri/8DYtKxUeGpGmI=,iv:kAaiXXILSFLA3hdKng5OsK5ToPNxu9OyWbqz32gjBFk=,tag:s2TGabr3B5JOLFXjKQ7tfw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1s9hew4wpff69fmz5lxmn96f8r3xuhqydw82t2dwkrn2rqhcx9pfqm3whvd
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaWHkwWCtGa1A2Wk9QMGc4
+            bm0rN2pGRzdyeWpUTUdHa0x4eFViQmxreFNzCmhXc0JYZWlXd0Fod1QxYnJDYXdl
+            ZEJZbDBoWWRWVm9aeVhwcWxsb3ZXbmMKLS0tIHFGNThkQTJrdWpLOGFHc01GMlNT
+            QXh1c3BhaExUWFdldC9ib0NNTzdaWk0KF+KZEPxYLyFwUj7pBXR6ULuwZB92wITr
+            8TXyfh+NkS+px9jMICprOqwNgcBuVxTJL5FGbtMTAiAMpcPlExnoSA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-12T20:02:11Z"
+    mac: ENC[AES256_GCM,data:v2XTbr7NMOgh/Xb1aAFQuojXWqU5oVgkvvl1a7/fzXyr4z38bBbbheH88C+hUyDZm3nUDheMvkvdndwM15ZrPU8ucb2JxbIcfP5URKxp0tefCxPPiDnuS3z2sG+0IgcMs32Ozulf3Q7P3DwH3z8fZizyfTrfvlLDD52i6HUt8u0=,iv:UPtCUkvutJ9Ny8QtUOJIJgHZ2LjHGuJOPmDdocUnK8c=,tag:3lYhR9RS+yUtsigoQ3nZEA==,type:str]
+    pgp:
+        - created_at: "2025-01-12T19:54:13Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA7zUOKwzpAE7AQ/7BD8AdH3N/iaGJpScMgFjvFcUoypmxN+B4OxFtHSHVb/t
+            q361mcgvUcd1T5KNx45smVzoH+2DrTFYiFd5rO/sfaytIRlRAvm542bKbkQLe2xX
+            PMeu4LnO6WrVoZDDetM7DhpwRyDaD38bXMg7bl1KjoTCdul34aHTWczErCEm0YtK
+            VO0tJ1R2eu8Z9JcUm/kFA+4bIRyF62hLio86E2o+1pWYpeLsb3RGnI4ttv9imIGT
+            IvoHidpLP3YRuykEtfiz9rjcTqpYkj8PDnA5ote/cSqNdx6TbVTL0n5yQvvDW183
+            I819ScBbXHz2i/zNjMWsq2mgD67vCFtWS7A56qslv7qNv2PpK+ABiH1ZfnrpvbWL
+            YzfLZ0bIP+Qzes1NrQsMM3/Kn/7/xN2rU0xDHNymnVp+M/8ELGR4n1QJF+ETdG6C
+            b/gc8i4n+Rv1fXhuKVJlP7v+j6xJxK1FYd+K3nrPD4iRx0lX1/BzDxPH4b3xEIfO
+            voyFWseAPA9VdgOyfjFIMcND5g/JTpVJWS3EDSl1DhtM83vXNVa1gNj3PsJ5ud1V
+            OHThu0X52ruAkmKfOL2+zEu7UV46DvHCtMj07Ie0RMRQIUu/4TKXKQePZswyY8TR
+            Y9Xi7OASCGIoZ4Nfnf1bFkDR0umd/9ep0K68GcRR6jFxnu9i6nv6RkjicZj6LBzS
+            XgE1b+T1j6ujvl6SibMpkclhbSBp7fjYhXbxfACqk1bZvs5DDtdTtmcTmvMt6Iwz
+            2hENzitwjJ1sCNHlQi37sLVIOU3c2BmLrS1I+WzhpkK61RbnTqwXJhR+XV8hS+Y=
+            =AIdw
+            -----END PGP MESSAGE-----
+          fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2