authentik: init

2025-01-12 21:32:36 +01:00 · 2025-01-12 21:32:36 +01:00 · bd44fc6fcb
commit bd44fc6fcb
parent ea46b0bb1e
12 changed files with 428 additions and 26 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -1,8 +1,11 @@
 keys:
  - &admin_oxa DD0998E6CDF294537FC604F991FA5E5BF9AA901C
+  # hosts
  - &toaster age1avaphjah4k8n80jrnraeqh9r94fu6awd6k37z4zfjssl5ft07qkqmuehcm
  - &cloud age1j3xpuuqaph5z885er90mftfsu6g3hw4q469k37a3veqktwntzdpqgue4z5
  - &minime age1chq5k0t38882rtyljez8cwmvtcstu4tafzvveuhjrujvsqk72f9s9guc06
+  # microvms
+  - &authentik age1s9hew4wpff69fmz5lxmn96f8r3xuhqydw82t2dwkrn2rqhcx9pfqm3whvd
 creation_rules:
  - path_regex: secrets/toaster/[^/]+\.yaml$
    key_groups:
@ -22,3 +25,9 @@ creation_rules:
        - *admin_oxa
        age:
        - *minime
+  - path_regex: secrets/authentik/[^/]+\.yaml$
+    key_groups:
+      - pgp:
+        - *admin_oxa
+        age:
+        - *authentik
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,49 @@
 {
  "nodes": {
+    "authentik-nix": {
+      "inputs": {
+        "authentik-src": "authentik-src",
+        "flake-compat": "flake-compat",
+        "flake-parts": "flake-parts",
+        "flake-utils": "flake-utils",
+        "napalm": "napalm",
+        "nixpkgs": [
+          "nixpkgs-unstable"
+        ],
+        "poetry2nix": "poetry2nix",
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1736445563,
+        "narHash": "sha256-+f1MWPtja+LRlTHJP/i/3yxmnzo2LGtZmxtJJTdAp8o=",
+        "owner": "nix-community",
+        "repo": "authentik-nix",
+        "rev": "bf5a5bf42189ff5f468f0ff26c9296233a97eb6c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "authentik-nix",
+        "type": "github"
+      }
+    },
+    "authentik-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1736440980,
+        "narHash": "sha256-Z3rFFrXrOKaF9NpY/fInsEbzdOWnWqLfEYl7YX9hFEU=",
+        "owner": "goauthentik",
+        "repo": "authentik",
+        "rev": "9d81f0598c7735e2b4616ee865ab896056a67408",
+        "type": "github"
+      },
+      "original": {
+        "owner": "goauthentik",
+        "ref": "version/2024.12.2",
+        "repo": "authentik",
+        "type": "github"
+      }
+    },
    "crane": {
      "inputs": {
        "nixpkgs": [
@ -37,7 +81,41 @@
        "type": "github"
      }
    },
+    "flake-compat_2": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": "nixpkgs-lib"
+      },
+      "locked": {
+        "lastModified": 1727826117,
+        "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_2": {
      "inputs": {
        "nixpkgs-lib": [
          "lanzaboote",
@ -60,7 +138,28 @@
    },
    "flake-utils": {
      "inputs": {
-        "systems": "systems"
+        "systems": [
+          "authentik-nix",
+          "systems"
+        ]
+      },
+      "locked": {
+        "lastModified": 1726560853,
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_2": {
+      "inputs": {
+        "systems": "systems_2"
      },
      "locked": {
        "lastModified": 1731533236,
@ -76,9 +175,9 @@
        "type": "github"
      }
    },
-    "flake-utils_2": {
+    "flake-utils_3": {
      "inputs": {
-        "systems": "systems_2"
+        "systems": "systems_3"
      },
      "locked": {
        "lastModified": 1710146030,
@ -119,11 +218,11 @@
    "lanzaboote": {
      "inputs": {
        "crane": "crane",
-        "flake-compat": "flake-compat",
-        "flake-parts": "flake-parts",
-        "flake-utils": "flake-utils_2",
+        "flake-compat": "flake-compat_2",
+        "flake-parts": "flake-parts_2",
+        "flake-utils": "flake-utils_3",
        "nixpkgs": [
-          "nixpkgs-stable"
+          "nixpkgs-unstable"
        ],
        "pre-commit-hooks-nix": "pre-commit-hooks-nix",
        "rust-overlay": "rust-overlay"
@ -168,6 +267,54 @@
        "type": "github"
      }
    },
+    "napalm": {
+      "inputs": {
+        "flake-utils": [
+          "authentik-nix",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "authentik-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1725806412,
+        "narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=",
+        "owner": "willibutz",
+        "repo": "napalm",
+        "rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "willibutz",
+        "ref": "avoid-foldl-stack-overflow",
+        "repo": "napalm",
+        "type": "github"
+      }
+    },
+    "nix-github-actions": {
+      "inputs": {
+        "nixpkgs": [
+          "authentik-nix",
+          "poetry2nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1729742964,
+        "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "type": "github"
+      }
+    },
    "nixos-hardware": {
      "locked": {
        "lastModified": 1736441705,
@ -184,6 +331,18 @@
        "type": "github"
      }
    },
+    "nixpkgs-lib": {
+      "locked": {
+        "lastModified": 1727825735,
+        "narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=",
+        "type": "tarball",
+        "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
+      }
+    },
    "nixpkgs-stable": {
      "locked": {
        "lastModified": 1710695816,
@ -232,6 +391,37 @@
        "type": "github"
      }
    },
+    "poetry2nix": {
+      "inputs": {
+        "flake-utils": [
+          "authentik-nix",
+          "flake-utils"
+        ],
+        "nix-github-actions": "nix-github-actions",
+        "nixpkgs": [
+          "authentik-nix",
+          "nixpkgs"
+        ],
+        "systems": [
+          "authentik-nix",
+          "systems"
+        ],
+        "treefmt-nix": "treefmt-nix"
+      },
+      "locked": {
+        "lastModified": 1735164664,
+        "narHash": "sha256-DaWy+vo3c4TQ93tfLjUgcpPaSoDw4qV4t76Y3Mhu84I=",
+        "owner": "nix-community",
+        "repo": "poetry2nix",
+        "rev": "1fb01e90771f762655be7e0e805516cd7fa4d58e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "poetry2nix",
+        "type": "github"
+      }
+    },
    "pre-commit-hooks-nix": {
      "inputs": {
        "flake-compat": [
@ -261,7 +451,8 @@
    },
    "root": {
      "inputs": {
-        "flake-utils": "flake-utils",
+        "authentik-nix": "authentik-nix",
+        "flake-utils": "flake-utils_2",
        "lanzaboote": "lanzaboote",
        "microvm": "microvm",
        "nixos-hardware": "nixos-hardware",
@ -333,6 +524,21 @@
      }
    },
    "systems": {
+      "locked": {
+        "lastModified": 1689347949,
+        "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
+        "owner": "nix-systems",
+        "repo": "default-linux",
+        "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default-linux",
+        "type": "github"
+      }
+    },
+    "systems_2": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
@ -347,7 +553,7 @@
        "type": "github"
      }
    },
-    "systems_2": {
+    "systems_3": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
@ -377,6 +583,28 @@
        "repo": "tmux-yank",
        "type": "github"
      }
+    },
+    "treefmt-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "authentik-nix",
+          "poetry2nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1730120726,
+        "narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "9ef337e492a5555d8e17a51c911ff1f02635be15",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -108,7 +108,7 @@
        };

        authentik = nixpkgs-stable.lib.nixosSystem {
-          system = "x84_64-linux";
+          system = "x86_64-linux";
          specialArgs = { inherit inputs; };
          modules = [
            sops-nix.nixosModules.sops
@ -117,17 +117,8 @@

            ./microvms/authentik
            ./modules/server
+          ];
+        };
      };
-
-
-      hydraJobs =
-        let
-          get-toplevel = (
-            host: nixSystem: nixSystem.config.microvm.declaredRunner or nixSystem.config.system.build.toplevel
-          );
-        in
-        nixpkgs-stable.lib.mapAttrs get-toplevel self.nixosConfigurations;
-
-      formatter.x86_64-linux = nixpkgs-stable.legacyPackages.x86_64-linux.nixfmt-rfc-style;
    };
 }
--- a/hosts/cloud/secrets.nix
+++ b/hosts/cloud/secrets.nix
@ -7,5 +7,8 @@
    "wg/0xa-mgmt" = {
      owner = config.users.users.systemd-network.name;
    };
+    "wg/0xa-proxy" = {
+      owner = config.users.users.systemd-network.name;
+    };
  };
 }
--- a/hosts/minime/hardware-configuration.nix
+++ b/hosts/minime/hardware-configuration.nix
@ -65,6 +65,12 @@
    options = [ "zfsutil" ];
  };

+  fileSystems."/var/lib/microvms" = {
+    device = "zpool/data/var/lib/microvms";
+    fsType = "zfs";
+    options = [ "zfsutil" ];
+  };
+
  swapDevices = [
    {
      device = "/dev/disk/by-partuuid/7e7d0e0b-90b7-465c-a022-089b38e0f16d";
--- a/hosts/minime/networking/default.nix
+++ b/hosts/minime/networking/default.nix
@ -1,4 +1,5 @@
-{ ... }: {
+{ ... }:
+{
  imports = [
    ./uplink.nix
    ./uvm.nix
--- a/hosts/minime/networking/uvm.nix
+++ b/hosts/minime/networking/uvm.nix
@ -1,8 +1,10 @@
-{ ... }: {
+{ ... }:
+{
+  # TODO: make a module
  systemd.network = {
    netdevs."10-uvm-br" = {
      netdevConfig = {
-        Kind = bridge;
+        Kind = "bridge";
        Name = "uvm-br";
      };
    };
@ -13,7 +15,31 @@
        DHCPServer = false;
        IPv6SendRA = true;
      };
-      Address = [ ];
+      addresses = [
+        {
+          Address = "10.99.99.1/24";
+        }
+        {
+          Address = "fd12:3456:789a::1/64";
+        }
+      ];
+      ipv6Prefixes = [
+        {
+          Prefix = "fd12:3456:789a::/64";
+        }
+      ];
    };
+
+    networks."11-uvm-br" = {
+      matchConfig.Name = "uvm-*";
+      networkConfig.Bridge = "uvm-br";
+    };
+
+  };
+  networking.nat = {
+    enable = true;
+    enableIPv6 = true;
+    externalInterface = "enp90s0";
+    internalInterfaces = [ "uvm-br" ];
  };
 }
--- a/hosts/minime/uvm.nix
+++ b/hosts/minime/uvm.nix
@ -0,0 +1,10 @@
+{ inputs, ... }:
+{
+  microvm.stateDir = "/var/lib/microvms";
+  microvm.vms = {
+    authentik = {
+      flake = inputs.self;
+      updateFlake = "github:gshipunov/nix-config/master";
+    };
+  };
+}
--- a/microvms/authentik/authentik.nix
+++ b/microvms/authentik/authentik.nix
@ -0,0 +1,8 @@
+{ config, ... }:
+{
+  services.authentik = {
+    enable = true;
+    environmentFile = config.sops.secrets."authentik/envfile".path;
+    settings.disable_startup_analytics = true;
+  };
+}
--- a/microvms/authentik/default.nix
+++ b/microvms/authentik/default.nix
@ -0,0 +1,76 @@
+{ config, lib, ... }:
+let
+  mac = "c0:ff:ee:00:00:00";
+in
+{
+  imports = [
+    ./authentik.nix
+  ];
+
+  sops.defaultSopsFile = ../../secrets/authentik/secrets.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+  sops.secrets = {
+    "wg/0xa-proxy" = {
+      owner = config.users.users.systemd-network.name;
+    };
+    "authentik/envfile" = { };
+  };
+
+  microvm = {
+    hypervisor = "cloud-hypervisor";
+    mem = 2 * 1024;
+    vcpu = 2;
+    interfaces = [
+      {
+        type = "tap";
+        id = "uvm-authentik";
+        mac = mac;
+      }
+    ];
+    shares =
+      [
+        {
+          source = "/nix/store";
+          mountPoint = "/nix/.ro-store";
+          tag = "store";
+          proto = "virtiofs";
+          socket = "store.socket";
+        }
+      ]
+      ++ map
+        (dir: {
+          source = dir;
+          mountPoint = "/${dir}";
+          tag = dir;
+          proto = "virtiofs";
+          socket = "${dir}.socket";
+        })
+        [
+          "etc"
+          "var"
+          "home"
+        ];
+  };
+
+  networking.useNetworkd = true;
+  networking.firewall.enable = lib.mkForce false; # firewalling done by the host
+
+  systemd.network = {
+    enable = true;
+    networks."11-host" = {
+      matchConfig.MACAddress = mac;
+      networkConfig.Address = "10.99.99.10/24";
+      routes = [
+        {
+          Gateway = "10.99.99.1";
+          Destination = "0.0.0.0/0";
+          Metric = 1024;
+        }
+      ];
+    };
+  };
+
+  networking.hostName = "authentik";
+  system.stateVersion = "24.11";
+}
--- a/modules/wg/proxy.nix
+++ b/modules/wg/proxy.nix
@ -28,7 +28,7 @@
            "10.89.88.2/24"
            "fd31:185d:722f::2/48"
          ];
-          publicKey = "";
+          publicKey = "/0DRKWg3U/WuR8iYtH8bD2i+RXTWRzj6+MCS3xFfg1o=";
          privateKeyFile = config.sops.secrets."wg/0xa-proxy".path;
        };
      };
--- a/secrets/authentik/secrets.yaml
+++ b/secrets/authentik/secrets.yaml
@ -0,0 +1,44 @@
+authentik:
+    envfile: ENC[AES256_GCM,data:c3VuszxqS2F5ltuXJp04sMXLcgw+MGPKrab3kphB2xCZ7aYSTWHgIpqWWB+3u1VDkeDPR41aZJC7Byd4otQnEAlz/sCMXt4z3l5VR8q2BgGPtFt4kA4Vlob4072FGMALYk+lNofEA4lptgX7vzqTUA==,iv:LwfNcTX8ruHowjOE2NCzXrjpcxzPr55dHITinrSka/c=,tag:2OL66aTPAIB8mosevRuZjg==,type:str]
+wg:
+    0xa-proxy: ENC[AES256_GCM,data:mIYz1DK+aKnd+9krPxwOSpXe7n7DRedCKvmO46Lwtb4ri/8DYtKxUeGpGmI=,iv:kAaiXXILSFLA3hdKng5OsK5ToPNxu9OyWbqz32gjBFk=,tag:s2TGabr3B5JOLFXjKQ7tfw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1s9hew4wpff69fmz5lxmn96f8r3xuhqydw82t2dwkrn2rqhcx9pfqm3whvd
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaWHkwWCtGa1A2Wk9QMGc4
+            bm0rN2pGRzdyeWpUTUdHa0x4eFViQmxreFNzCmhXc0JYZWlXd0Fod1QxYnJDYXdl
+            ZEJZbDBoWWRWVm9aeVhwcWxsb3ZXbmMKLS0tIHFGNThkQTJrdWpLOGFHc01GMlNT
+            QXh1c3BhaExUWFdldC9ib0NNTzdaWk0KF+KZEPxYLyFwUj7pBXR6ULuwZB92wITr
+            8TXyfh+NkS+px9jMICprOqwNgcBuVxTJL5FGbtMTAiAMpcPlExnoSA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-12T20:02:11Z"
+    mac: ENC[AES256_GCM,data:v2XTbr7NMOgh/Xb1aAFQuojXWqU5oVgkvvl1a7/fzXyr4z38bBbbheH88C+hUyDZm3nUDheMvkvdndwM15ZrPU8ucb2JxbIcfP5URKxp0tefCxPPiDnuS3z2sG+0IgcMs32Ozulf3Q7P3DwH3z8fZizyfTrfvlLDD52i6HUt8u0=,iv:UPtCUkvutJ9Ny8QtUOJIJgHZ2LjHGuJOPmDdocUnK8c=,tag:3lYhR9RS+yUtsigoQ3nZEA==,type:str]
+    pgp:
+        - created_at: "2025-01-12T19:54:13Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA7zUOKwzpAE7AQ/7BD8AdH3N/iaGJpScMgFjvFcUoypmxN+B4OxFtHSHVb/t
+            q361mcgvUcd1T5KNx45smVzoH+2DrTFYiFd5rO/sfaytIRlRAvm542bKbkQLe2xX
+            PMeu4LnO6WrVoZDDetM7DhpwRyDaD38bXMg7bl1KjoTCdul34aHTWczErCEm0YtK
+            VO0tJ1R2eu8Z9JcUm/kFA+4bIRyF62hLio86E2o+1pWYpeLsb3RGnI4ttv9imIGT
+            IvoHidpLP3YRuykEtfiz9rjcTqpYkj8PDnA5ote/cSqNdx6TbVTL0n5yQvvDW183
+            I819ScBbXHz2i/zNjMWsq2mgD67vCFtWS7A56qslv7qNv2PpK+ABiH1ZfnrpvbWL
+            YzfLZ0bIP+Qzes1NrQsMM3/Kn/7/xN2rU0xDHNymnVp+M/8ELGR4n1QJF+ETdG6C
+            b/gc8i4n+Rv1fXhuKVJlP7v+j6xJxK1FYd+K3nrPD4iRx0lX1/BzDxPH4b3xEIfO
+            voyFWseAPA9VdgOyfjFIMcND5g/JTpVJWS3EDSl1DhtM83vXNVa1gNj3PsJ5ud1V
+            OHThu0X52ruAkmKfOL2+zEu7UV46DvHCtMj07Ie0RMRQIUu/4TKXKQePZswyY8TR
+            Y9Xi7OASCGIoZ4Nfnf1bFkDR0umd/9ep0K68GcRR6jFxnu9i6nv6RkjicZj6LBzS
+            XgE1b+T1j6ujvl6SibMpkclhbSBp7fjYhXbxfACqk1bZvs5DDtdTtmcTmvMt6Iwz
+            2hENzitwjJ1sCNHlQi37sLVIOU3c2BmLrS1I+WzhpkK61RbnTqwXJhR+XV8hS+Y=
+            =AIdw
+            -----END PGP MESSAGE-----
+          fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2