0xa/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

authentik: init

Browse source
This commit is contained in:
Grisha Shipunov 2025-01-12 21:32:36 +01:00
parent ea46b0bb1e
commit bd44fc6fcb
12 changed files with 428 additions and 26 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
.sops.yaml
View file

@ -1,8 +1,11 @@
keys: keys:
- &admin_oxa DD0998E6CDF294537FC604F991FA5E5BF9AA901C - &admin_oxa DD0998E6CDF294537FC604F991FA5E5BF9AA901C
# hosts
- &toaster age1avaphjah4k8n80jrnraeqh9r94fu6awd6k37z4zfjssl5ft07qkqmuehcm - &toaster age1avaphjah4k8n80jrnraeqh9r94fu6awd6k37z4zfjssl5ft07qkqmuehcm
- &cloud age1j3xpuuqaph5z885er90mftfsu6g3hw4q469k37a3veqktwntzdpqgue4z5 - &cloud age1j3xpuuqaph5z885er90mftfsu6g3hw4q469k37a3veqktwntzdpqgue4z5
- &minime age1chq5k0t38882rtyljez8cwmvtcstu4tafzvveuhjrujvsqk72f9s9guc06 - &minime age1chq5k0t38882rtyljez8cwmvtcstu4tafzvveuhjrujvsqk72f9s9guc06
# microvms
- &authentik age1s9hew4wpff69fmz5lxmn96f8r3xuhqydw82t2dwkrn2rqhcx9pfqm3whvd
creation_rules: creation_rules:
- path_regex: secrets/toaster/[^/]+\.yaml$ - path_regex: secrets/toaster/[^/]+\.yaml$
key_groups: key_groups:
@ -22,3 +25,9 @@ creation_rules:
- *admin_oxa - *admin_oxa
age: age:
- *minime - *minime
- path_regex: secrets/authentik/[^/]+\.yaml$
key_groups:
- pgp:
- *admin_oxa
age:
- *authentik

246
flake.lock generated
View file

@ -1,5 +1,49 @@
{ {
"nodes": { "nodes": {
"authentik-nix": {
"inputs": {
"authentik-src": "authentik-src",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils",
"napalm": "napalm",
"nixpkgs": [
"nixpkgs-unstable"
],
"poetry2nix": "poetry2nix",
"systems": "systems"
},
"locked": {
"lastModified": 1736445563,
"narHash": "sha256-+f1MWPtja+LRlTHJP/i/3yxmnzo2LGtZmxtJJTdAp8o=",
"owner": "nix-community",
"repo": "authentik-nix",
"rev": "bf5a5bf42189ff5f468f0ff26c9296233a97eb6c",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "authentik-nix",
"type": "github"
}
},
"authentik-src": {
"flake": false,
"locked": {
"lastModified": 1736440980,
"narHash": "sha256-Z3rFFrXrOKaF9NpY/fInsEbzdOWnWqLfEYl7YX9hFEU=",
"owner": "goauthentik",
"repo": "authentik",
"rev": "9d81f0598c7735e2b4616ee865ab896056a67408",
"type": "github"
},
"original": {
"owner": "goauthentik",
"ref": "version/2024.12.2",
"repo": "authentik",
"type": "github"
}
},
"crane": { "crane": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -37,7 +81,41 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": { "flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1727826117,
"narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
"lanzaboote", "lanzaboote",
@ -60,7 +138,28 @@
}, },
"flake-utils": { "flake-utils": {
"inputs": { "inputs": {
"systems": "systems" "systems": [
"authentik-nix",
"systems"
]
},
"locked": {
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_2"
}, },
"locked": { "locked": {
"lastModified": 1731533236, "lastModified": 1731533236,
@ -76,9 +175,9 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils_2": { "flake-utils_3": {
"inputs": { "inputs": {
"systems": "systems_2" "systems": "systems_3"
}, },
"locked": { "locked": {
"lastModified": 1710146030, "lastModified": 1710146030,
@ -119,11 +218,11 @@
"lanzaboote": { "lanzaboote": {
"inputs": { "inputs": {
"crane": "crane", "crane": "crane",
"flake-compat": "flake-compat", "flake-compat": "flake-compat_2",
"flake-parts": "flake-parts", "flake-parts": "flake-parts_2",
"flake-utils": "flake-utils_2", "flake-utils": "flake-utils_3",
"nixpkgs": [ "nixpkgs": [
"nixpkgs-stable" "nixpkgs-unstable"
], ],
"pre-commit-hooks-nix": "pre-commit-hooks-nix", "pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay" "rust-overlay": "rust-overlay"
@ -168,6 +267,54 @@
"type": "github" "type": "github"
} }
}, },
"napalm": {
"inputs": {
"flake-utils": [
"authentik-nix",
"flake-utils"
],
"nixpkgs": [
"authentik-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1725806412,
"narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=",
"owner": "willibutz",
"repo": "napalm",
"rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5",
"type": "github"
},
"original": {
"owner": "willibutz",
"ref": "avoid-foldl-stack-overflow",
"repo": "napalm",
"type": "github"
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
"authentik-nix",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1729742964,
"narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1736441705, "lastModified": 1736441705,
@ -184,6 +331,18 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-lib": {
"locked": {
"lastModified": 1727825735,
"narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
}
},
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1710695816, "lastModified": 1710695816,
@ -232,6 +391,37 @@
"type": "github" "type": "github"
} }
}, },
"poetry2nix": {
"inputs": {
"flake-utils": [
"authentik-nix",
"flake-utils"
],
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"authentik-nix",
"nixpkgs"
],
"systems": [
"authentik-nix",
"systems"
],
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1735164664,
"narHash": "sha256-DaWy+vo3c4TQ93tfLjUgcpPaSoDw4qV4t76Y3Mhu84I=",
"owner": "nix-community",
"repo": "poetry2nix",
"rev": "1fb01e90771f762655be7e0e805516cd7fa4d58e",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "poetry2nix",
"type": "github"
}
},
"pre-commit-hooks-nix": { "pre-commit-hooks-nix": {
"inputs": { "inputs": {
"flake-compat": [ "flake-compat": [
@ -261,7 +451,8 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"flake-utils": "flake-utils", "authentik-nix": "authentik-nix",
"flake-utils": "flake-utils_2",
"lanzaboote": "lanzaboote", "lanzaboote": "lanzaboote",
"microvm": "microvm", "microvm": "microvm",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
@ -333,6 +524,21 @@
} }
}, },
"systems": { "systems": {
"locked": {
"lastModified": 1689347949,
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
"owner": "nix-systems",
"repo": "default-linux",
"rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default-linux",
"type": "github"
}
},
"systems_2": {
"locked": { "locked": {
"lastModified": 1681028828, "lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
@ -347,7 +553,7 @@
"type": "github" "type": "github"
} }
}, },
"systems_2": { "systems_3": {
"locked": { "locked": {
"lastModified": 1681028828, "lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
@ -377,6 +583,28 @@
"repo": "tmux-yank", "repo": "tmux-yank",
"type": "github" "type": "github"
} }
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"authentik-nix",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1730120726,
"narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "9ef337e492a5555d8e17a51c911ff1f02635be15",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",

15
flake.nix
View file

@ -108,7 +108,7 @@
}; };
authentik = nixpkgs-stable.lib.nixosSystem { authentik = nixpkgs-stable.lib.nixosSystem {
system = "x84_64-linux"; system = "x86_64-linux";
specialArgs = { inherit inputs; }; specialArgs = { inherit inputs; };
modules = [ modules = [
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
@ -117,17 +117,8 @@
./microvms/authentik ./microvms/authentik
./modules/server ./modules/server
];
};
}; };
hydraJobs =
let
get-toplevel = (
host: nixSystem: nixSystem.config.microvm.declaredRunner or nixSystem.config.system.build.toplevel
);
in
nixpkgs-stable.lib.mapAttrs get-toplevel self.nixosConfigurations;
formatter.x86_64-linux = nixpkgs-stable.legacyPackages.x86_64-linux.nixfmt-rfc-style;
}; };
} }

3
hosts/cloud/secrets.nix
View file

@ -7,5 +7,8 @@
"wg/0xa-mgmt" = { "wg/0xa-mgmt" = {
owner = config.users.users.systemd-network.name; owner = config.users.users.systemd-network.name;
}; };
"wg/0xa-proxy" = {
owner = config.users.users.systemd-network.name;
};
}; };
} }

6
hosts/minime/hardware-configuration.nix
View file

@ -65,6 +65,12 @@
options = [ "zfsutil" ]; options = [ "zfsutil" ];
}; };
fileSystems."/var/lib/microvms" = {
device = "zpool/data/var/lib/microvms";
fsType = "zfs";
options = [ "zfsutil" ];
};
swapDevices = [ swapDevices = [
{ {
device = "/dev/disk/by-partuuid/7e7d0e0b-90b7-465c-a022-089b38e0f16d"; device = "/dev/disk/by-partuuid/7e7d0e0b-90b7-465c-a022-089b38e0f16d";

3
hosts/minime/networking/default.nix
View file

@ -1,4 +1,5 @@
{ ... }: { { ... }:
{
imports = [ imports = [
./uplink.nix ./uplink.nix
./uvm.nix ./uvm.nix

32
hosts/minime/networking/uvm.nix
View file

@ -1,8 +1,10 @@
{ ... }: { { ... }:
{
# TODO: make a module
systemd.network = { systemd.network = {
netdevs."10-uvm-br" = { netdevs."10-uvm-br" = {
netdevConfig = { netdevConfig = {
Kind = bridge; Kind = "bridge";
Name = "uvm-br"; Name = "uvm-br";
}; };
}; };
@ -13,7 +15,31 @@
DHCPServer = false; DHCPServer = false;
IPv6SendRA = true; IPv6SendRA = true;
}; };
Address = [ ]; addresses = [
{
Address = "10.99.99.1/24";
}
{
Address = "fd12:3456:789a::1/64";
}
];
ipv6Prefixes = [
{
Prefix = "fd12:3456:789a::/64";
}
];
}; };
networks."11-uvm-br" = {
matchConfig.Name = "uvm-*";
networkConfig.Bridge = "uvm-br";
};
};
networking.nat = {
enable = true;
enableIPv6 = true;
externalInterface = "enp90s0";
internalInterfaces = [ "uvm-br" ];
}; };
} }

10
hosts/minime/uvm.nix Normal file
View file

@ -0,0 +1,10 @@
{ inputs, ... }:
{
microvm.stateDir = "/var/lib/microvms";
microvm.vms = {
authentik = {
flake = inputs.self;
updateFlake = "github:gshipunov/nix-config/master";
};
};
}

8
microvms/authentik/authentik.nix Normal file
View file

@ -0,0 +1,8 @@
{ config, ... }:
{
services.authentik = {
enable = true;
environmentFile = config.sops.secrets."authentik/envfile".path;
settings.disable_startup_analytics = true;
};
}

76
microvms/authentik/default.nix
View file

@ -0,0 +1,76 @@
{ config, lib, ... }:
let
mac = "c0:ff:ee:00:00:00";
in
{
imports = [
./authentik.nix
];
sops.defaultSopsFile = ../../secrets/authentik/secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets = {
"wg/0xa-proxy" = {
owner = config.users.users.systemd-network.name;
};
"authentik/envfile" = { };
};
microvm = {
hypervisor = "cloud-hypervisor";
mem = 2 * 1024;
vcpu = 2;
interfaces = [
{
type = "tap";
id = "uvm-authentik";
mac = mac;
}
];
shares =
[
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "store";
proto = "virtiofs";
socket = "store.socket";
}
]
++ map
(dir: {
source = dir;
mountPoint = "/${dir}";
tag = dir;
proto = "virtiofs";
socket = "${dir}.socket";
})
[
"etc"
"var"
"home"
];
};
networking.useNetworkd = true;
networking.firewall.enable = lib.mkForce false; # firewalling done by the host
systemd.network = {
enable = true;
networks."11-host" = {
matchConfig.MACAddress = mac;
networkConfig.Address = "10.99.99.10/24";
routes = [
{
Gateway = "10.99.99.1";
Destination = "0.0.0.0/0";
Metric = 1024;
}
];
};
};
networking.hostName = "authentik";
system.stateVersion = "24.11";
}

2
modules/wg/proxy.nix
View file

@ -28,7 +28,7 @@
"10.89.88.2/24" "10.89.88.2/24"
"fd31:185d:722f::2/48" "fd31:185d:722f::2/48"
]; ];
publicKey = ""; publicKey = "/0DRKWg3U/WuR8iYtH8bD2i+RXTWRzj6+MCS3xFfg1o=";
privateKeyFile = config.sops.secrets."wg/0xa-proxy".path; privateKeyFile = config.sops.secrets."wg/0xa-proxy".path;
}; };
}; };

44
secrets/authentik/secrets.yaml Normal file
View file

@ -0,0 +1,44 @@
authentik:
envfile: ENC[AES256_GCM,data:c3VuszxqS2F5ltuXJp04sMXLcgw+MGPKrab3kphB2xCZ7aYSTWHgIpqWWB+3u1VDkeDPR41aZJC7Byd4otQnEAlz/sCMXt4z3l5VR8q2BgGPtFt4kA4Vlob4072FGMALYk+lNofEA4lptgX7vzqTUA==,iv:LwfNcTX8ruHowjOE2NCzXrjpcxzPr55dHITinrSka/c=,tag:2OL66aTPAIB8mosevRuZjg==,type:str]
wg:
0xa-proxy: ENC[AES256_GCM,data:mIYz1DK+aKnd+9krPxwOSpXe7n7DRedCKvmO46Lwtb4ri/8DYtKxUeGpGmI=,iv:kAaiXXILSFLA3hdKng5OsK5ToPNxu9OyWbqz32gjBFk=,tag:s2TGabr3B5JOLFXjKQ7tfw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1s9hew4wpff69fmz5lxmn96f8r3xuhqydw82t2dwkrn2rqhcx9pfqm3whvd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaWHkwWCtGa1A2Wk9QMGc4
bm0rN2pGRzdyeWpUTUdHa0x4eFViQmxreFNzCmhXc0JYZWlXd0Fod1QxYnJDYXdl
ZEJZbDBoWWRWVm9aeVhwcWxsb3ZXbmMKLS0tIHFGNThkQTJrdWpLOGFHc01GMlNT
QXh1c3BhaExUWFdldC9ib0NNTzdaWk0KF+KZEPxYLyFwUj7pBXR6ULuwZB92wITr
8TXyfh+NkS+px9jMICprOqwNgcBuVxTJL5FGbtMTAiAMpcPlExnoSA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-01-12T20:02:11Z"
mac: ENC[AES256_GCM,data:v2XTbr7NMOgh/Xb1aAFQuojXWqU5oVgkvvl1a7/fzXyr4z38bBbbheH88C+hUyDZm3nUDheMvkvdndwM15ZrPU8ucb2JxbIcfP5URKxp0tefCxPPiDnuS3z2sG+0IgcMs32Ozulf3Q7P3DwH3z8fZizyfTrfvlLDD52i6HUt8u0=,iv:UPtCUkvutJ9Ny8QtUOJIJgHZ2LjHGuJOPmDdocUnK8c=,tag:3lYhR9RS+yUtsigoQ3nZEA==,type:str]
pgp:
- created_at: "2025-01-12T19:54:13Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA7zUOKwzpAE7AQ/7BD8AdH3N/iaGJpScMgFjvFcUoypmxN+B4OxFtHSHVb/t
q361mcgvUcd1T5KNx45smVzoH+2DrTFYiFd5rO/sfaytIRlRAvm542bKbkQLe2xX
PMeu4LnO6WrVoZDDetM7DhpwRyDaD38bXMg7bl1KjoTCdul34aHTWczErCEm0YtK
VO0tJ1R2eu8Z9JcUm/kFA+4bIRyF62hLio86E2o+1pWYpeLsb3RGnI4ttv9imIGT
IvoHidpLP3YRuykEtfiz9rjcTqpYkj8PDnA5ote/cSqNdx6TbVTL0n5yQvvDW183
I819ScBbXHz2i/zNjMWsq2mgD67vCFtWS7A56qslv7qNv2PpK+ABiH1ZfnrpvbWL
YzfLZ0bIP+Qzes1NrQsMM3/Kn/7/xN2rU0xDHNymnVp+M/8ELGR4n1QJF+ETdG6C
b/gc8i4n+Rv1fXhuKVJlP7v+j6xJxK1FYd+K3nrPD4iRx0lX1/BzDxPH4b3xEIfO
voyFWseAPA9VdgOyfjFIMcND5g/JTpVJWS3EDSl1DhtM83vXNVa1gNj3PsJ5ud1V
OHThu0X52ruAkmKfOL2+zEu7UV46DvHCtMj07Ie0RMRQIUu/4TKXKQePZswyY8TR
Y9Xi7OASCGIoZ4Nfnf1bFkDR0umd/9ep0K68GcRR6jFxnu9i6nv6RkjicZj6LBzS
XgE1b+T1j6ujvl6SibMpkclhbSBp7fjYhXbxfACqk1bZvs5DDtdTtmcTmvMt6Iwz
2hENzitwjJ1sCNHlQi37sLVIOU3c2BmLrS1I+WzhpkK61RbnTqwXJhR+XV8hS+Y=
=AIdw
-----END PGP MESSAGE-----
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
unencrypted_suffix: _unencrypted
version: 3.9.2