diff --git a/flake.lock b/flake.lock index ab0c251..65c350a 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,49 @@ { "nodes": { + "authentik-nix": { + "inputs": { + "authentik-src": "authentik-src", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "flake-utils": "flake-utils", + "napalm": "napalm", + "nixpkgs": [ + "nixpkgs-stable" + ], + "poetry2nix": "poetry2nix", + "systems": "systems" + }, + "locked": { + "lastModified": 1736445563, + "narHash": "sha256-+f1MWPtja+LRlTHJP/i/3yxmnzo2LGtZmxtJJTdAp8o=", + "owner": "nix-community", + "repo": "authentik-nix", + "rev": "bf5a5bf42189ff5f468f0ff26c9296233a97eb6c", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "authentik-nix", + "type": "github" + } + }, + "authentik-src": { + "flake": false, + "locked": { + "lastModified": 1736440980, + "narHash": "sha256-Z3rFFrXrOKaF9NpY/fInsEbzdOWnWqLfEYl7YX9hFEU=", + "owner": "goauthentik", + "repo": "authentik", + "rev": "9d81f0598c7735e2b4616ee865ab896056a67408", + "type": "github" + }, + "original": { + "owner": "goauthentik", + "ref": "version/2024.12.2", + "repo": "authentik", + "type": "github" + } + }, "crane": { "inputs": { "nixpkgs": [ 
@@ -37,7 +81,41 @@ "type": "github" } }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1727826117, + "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { "inputs": { "nixpkgs-lib": [ "lanzaboote", @@ -60,7 +138,28 @@ }, "flake-utils": { "inputs": { - "systems": "systems" + "systems": [ + "authentik-nix", + "systems" + ] + }, + "locked": { + "lastModified": 1726560853, + "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_2" }, "locked": { "lastModified": 1731533236, @@ -76,9 +175,9 @@ "type": "github" } }, - "flake-utils_2": { + "flake-utils_3": { "inputs": { - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1710146030, @@ -119,9 +218,9 @@ "lanzaboote": { "inputs": { "crane": "crane", - "flake-compat": "flake-compat", - "flake-parts": "flake-parts", - "flake-utils": "flake-utils_2", + "flake-compat": "flake-compat_2", + "flake-parts": "flake-parts_2", + "flake-utils": "flake-utils_3", "nixpkgs": [ "nixpkgs-unstable" ], 
@@ -168,6 +267,54 @@ "type": "github" } }, + "napalm": { + "inputs": { + "flake-utils": [ + "authentik-nix", + "flake-utils" + ], + "nixpkgs": [ + "authentik-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1725806412, + "narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=", + "owner": "willibutz", + "repo": "napalm", + "rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5", + "type": "github" + }, + "original": { + "owner": "willibutz", + "ref": "avoid-foldl-stack-overflow", + "repo": "napalm", + "type": "github" + } + }, + "nix-github-actions": { + "inputs": { + "nixpkgs": [ + "authentik-nix", + "poetry2nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729742964, + "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", + "owner": "nix-community", + "repo": "nix-github-actions", + "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-github-actions", + "type": "github" + } + }, "nixos-hardware": { "locked": { "lastModified": 1736978406, @@ -184,6 +331,18 @@ "type": "github" } }, + "nixpkgs-lib": { + "locked": { + "lastModified": 1727825735, + "narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" + } + }, "nixpkgs-stable": { "locked": { "lastModified": 1710695816, 
@@ -232,6 +391,37 @@ "type": "github" } }, + "poetry2nix": { + "inputs": { + "flake-utils": [ + "authentik-nix", + "flake-utils" + ], + "nix-github-actions": "nix-github-actions", + "nixpkgs": [ + "authentik-nix", + "nixpkgs" + ], + "systems": [ + "authentik-nix", + "systems" + ], + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1735164664, + "narHash": "sha256-DaWy+vo3c4TQ93tfLjUgcpPaSoDw4qV4t76Y3Mhu84I=", + "owner": "nix-community", + "repo": "poetry2nix", + "rev": "1fb01e90771f762655be7e0e805516cd7fa4d58e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "poetry2nix", + "type": "github" + } + }, "pre-commit-hooks-nix": { "inputs": { "flake-compat": [ @@ -261,7 +451,8 @@ }, "root": { "inputs": { - "flake-utils": "flake-utils", + "authentik-nix": "authentik-nix", + "flake-utils": "flake-utils_2", "lanzaboote": "lanzaboote", "microvm": "microvm", "nixos-hardware": "nixos-hardware", @@ -333,6 +524,21 @@ } }, "systems": { + "locked": { + "lastModified": 1689347949, + "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", + "owner": "nix-systems", + "repo": "default-linux", + "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default-linux", + "type": "github" + } + }, + "systems_2": { "locked": { "lastModified": 1681028828, "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", @@ -347,7 +553,7 @@ "type": "github" } }, - "systems_2": { + "systems_3": { "locked": { "lastModified": 1681028828, "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", 
@@ -377,6 +583,28 @@ "repo": "tmux-yank", "type": "github" } + }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "authentik-nix", + "poetry2nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1730120726, + "narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "9ef337e492a5555d8e17a51c911ff1f02635be15", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 8f5ed17..08ae017 100644 --- a/flake.nix +++ b/flake.nix @@ -25,6 +25,11 @@ inputs.nixpkgs.follows = "nixpkgs-unstable"; }; + authentik-nix = { + url = "github:nix-community/authentik-nix"; + inputs.nixpkgs.follows = "nixpkgs-stable"; + }; + tmux-yank = { url = "github:tmux-plugins/tmux-yank"; flake = false; @@ -34,6 +39,7 @@ outputs = inputs@{ self, + authentik-nix, flake-utils, lanzaboote, microvm, @@ -106,6 +112,7 @@ modules = [ sops-nix.nixosModules.sops microvm.nixosModules.microvm + authentik-nix.nixosModules.default ./hosts/auth ./modules/server diff --git a/hosts/auth/authentik.nix b/hosts/auth/authentik.nix new file mode 100644 index 0000000..00589ab --- /dev/null +++ b/hosts/auth/authentik.nix @@ -0,0 +1,13 @@ +{ config, ... }: +{ + sops.secrets."authentik/env" = {}; + services.authentik = { + enable = true; + environmentFile = config.sops.secrets."authentik/env".path; + settings = { + log_level = "debug"; + disable_startup_analytics = true; + avatars = "initials"; + }; + }; +} diff --git a/hosts/auth/default.nix b/hosts/auth/default.nix index 95e3153..de5044d 100644 --- a/hosts/auth/default.nix +++ b/hosts/auth/default.nix @@ -4,8 +4,7 @@ let in { imports = [ - ./keycloak.nix - ./oauth2-proxy.nix + ./authentik.nix ]; sops.defaultSopsFile = ./secrets.yaml; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; 
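Review bot: `inputs.nixpkgs.follows = "nixpkgs-stable";` in the new flake.nix input builds authentik 2024.12.2 against a nixpkgs-stable that the lockfile in this same commit leaves at lastModified 1710695816 (March 2024), about ten months older than the authentik-src pin it is paired with. For an identity provider that means the interpreter, build toolchain and system libraries it runs on come from a channel that is well behind current security updates, and authentik-nix pins its own nixpkgs precisely to avoid that mismatch. Either bump `nixpkgs-stable` in the same change, or drop the `follows` line and let authentik-nix use its locked nixpkgs until stable is refreshed. The outputs and modules hunks that follow work unchanged with either choice.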
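Review bot: `log_level = "debug";` in the new hosts/auth/authentik.nix enables debug logging on the identity provider that now fronts the other hosts; debug output from an IdP can include request details and session or token material that should not accumulate in the journal of a production host. Unless this is a deliberate bring-up setting, change it to `log_level = "info";` (or leave it unset to take the module default) before anything depends on this host. `sops.secrets."authentik/env" = {};` takes the sops-nix defaults (root-owned, mode 0400), which is fine if the authentik-nix module hands the file to systemd as an EnvironmentFile read as root, but worth confirming since a read by the service user would fail at start. The deleted keycloak.nix also carried explicit `proxy-headers` and `proxy-trusted-addresses`; whatever reverse proxy fronts authentik needs an equivalent trusted-proxy setting, which this diff does not show.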
diff --git a/hosts/auth/keycloak.nix b/hosts/auth/keycloak.nix
deleted file mode 100644
index de537ef..0000000
--- a/hosts/auth/keycloak.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{ config, ... }:
-{
- services.keycloak = {
- enable = true;
- database = {
- type = "postgresql";
- createLocally = true;
- passwordFile = config.sops.secrets."keycloak/db_pass".path;
- };
- settings = {
- hostname = "https://auth.oxapentane.com";
- http-port = 38080;
- http-enabled = true;
- proxy-headers = "xforwarded";
- proxy-trusted-addresses = "10.89.88.0/24,fd31:185d:722f::/48";
- };
- };
-}
diff --git a/hosts/auth/oauth2-proxy.nix b/hosts/auth/oauth2-proxy.nix
deleted file mode 100644
index 81cdf8f..0000000
--- a/hosts/auth/oauth2-proxy.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{ config, ... }:
-{
- sops.secrets."oauth2-proxy/env" = {
- owner = config.users.users.oauth2-proxy.name;
- };
-
- services.oauth2-proxy = {
- enable = true;
- reverseProxy = true;
- provider = "keycloak-oidc";
- httpAddress = "0.0.0.0:4180";
- oidcIssuerUrl = "https://auth.oxapentane.com/realms/0xalab-prod";
- clientID = "radicale-proxy";
- redirectURL = "https://dav.oxapentane.com/oauth2/callback";
- keyFile = config.sops.secrets."oauth2-proxy/env".path;
- scope = "openid";
- email.domains = [ "*" ];
- setXauthrequest = true;
- cookie = {
- secure = true;
- refresh = "48h0m0s";
- domain = ".oxapentane.com";
- };
- };
-}
diff --git a/hosts/radicale/radicale.nix b/hosts/radicale/radicale.nix
index fa2b7bb..9a85a8a 100644
--- a/hosts/radicale/radicale.nix
+++ b/hosts/radicale/radicale.nix
@@ -1,8 +1,5 @@
 { config, ... }:
 {
- sops.secrets."radicale/htpasswd" = {
- owner = config.users.users.radicale.name;
- };
 services.radicale = {
 enable = true;
 settings = {
@@ -11,8 +8,7 @@
 ssl = "False";
 };
 auth = {
- type = "htpasswd";
- htpasswd_filename = config.sops.secrets."radicale/htpasswd".path;
+ type = "http_x_remote_user";
 };
 rights = {
 type = "owner_only";
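Review bot: `type = "http_x_remote_user";` in the second radicale.nix hunk makes Radicale accept the identity in the X-Remote-User request header with no verification of its own, so access to every calendar now rests entirely on Radicale being reachable only through an authenticating reverse proxy that overwrites that header. This diff deletes the oauth2-proxy that previously supplied it (`setXauthrequest = true`) but shows neither a replacement proxy nor any change to Radicale's listening address, and the visible server setting `ssl = "False"` indicates plain HTTP. Before relying on this, confirm that Radicale's `server.hosts` binds to localhost or an interface only the proxy can reach, that the proxy sets X-Remote-User itself rather than forwarding a client-supplied value, and that the host firewall does not expose the port, otherwise any client can impersonate any user with a single header. The radicale settings block starts and ends outside these hunks, so the binding address could not be checked here.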