deploy authentik, cleanup

2025-01-21 00:14:24 +00:00 · 2025-01-21 00:14:24 +00:00 · ea75d168e4
commit ea75d168e4
parent 30d2e7fafc
7 changed files with 258 additions and 58 deletions
--- a/hosts/auth/authentik.nix
+++ b/hosts/auth/authentik.nix
@ -0,0 +1,13 @@
+{ config, ... }:
+{
+  sops.secrets."authentik/env" = {};
+  services.authentik = {
+    enable = true;
+    environmentFile = config.sops.secrets."authentik/env".path;
+    settings = {
+      log_level = "debug";
+      disable_startup_analytics = true;
+      avatars = "initials";
+    };
+  };
+}
--- a/hosts/auth/default.nix
+++ b/hosts/auth/default.nix
@ -4,8 +4,7 @@ let
 in
 {
  imports = [
-    ./keycloak.nix
-    ./oauth2-proxy.nix
+    ./authentik.nix
  ];
  sops.defaultSopsFile = ./secrets.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
--- a/hosts/auth/keycloak.nix
+++ b/hosts/auth/keycloak.nix
@ -1,18 +0,0 @@
-{ config, ... }:
-{
-  services.keycloak = {
-    enable = true;
-    database = {
-      type = "postgresql";
-      createLocally = true;
-      passwordFile = config.sops.secrets."keycloak/db_pass".path;
-    };
-    settings = {
-      hostname = "https://auth.oxapentane.com";
-      http-port = 38080;
-      http-enabled = true;
-      proxy-headers = "xforwarded";
-      proxy-trusted-addresses = "10.89.88.0/24,fd31:185d:722f::/48";
-    };
-  };
-}
--- a/hosts/auth/oauth2-proxy.nix
+++ b/hosts/auth/oauth2-proxy.nix
@ -1,25 +0,0 @@
-{ config, ... }:
-{
-  sops.secrets."oauth2-proxy/env" = {
-    owner = config.users.users.oauth2-proxy.name;
-  };
-
-  services.oauth2-proxy = {
-    enable = true;
-    reverseProxy = true;
-    provider = "keycloak-oidc";
-    httpAddress = "0.0.0.0:4180";
-    oidcIssuerUrl = "https://auth.oxapentane.com/realms/0xalab-prod";
-    clientID = "radicale-proxy";
-    redirectURL = "https://dav.oxapentane.com/oauth2/callback";
-    keyFile = config.sops.secrets."oauth2-proxy/env".path;
-    scope = "openid";
-    email.domains = [ "*" ];
-    setXauthrequest = true;
-    cookie = {
-      secure = true;
-      refresh = "48h0m0s";
-      domain = ".oxapentane.com";
-    };
-  };
-}
--- a/hosts/radicale/radicale.nix
+++ b/hosts/radicale/radicale.nix
@ -1,8 +1,5 @@
 { config, ... }:
 {
-  sops.secrets."radicale/htpasswd" = {
-    owner = config.users.users.radicale.name;
-  };
  services.radicale = {
    enable = true;
    settings = {
@ -11,8 +8,7 @@
        ssl = "False";
      };
      auth = {
-        type = "htpasswd";
-        htpasswd_filename = config.sops.secrets."radicale/htpasswd".path;
+        type = "http_x_remote_user";
      };
      rights = {
        type = "owner_only";