0xa/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

deploy authentik, cleanup

Browse source
This commit is contained in:
Grigory Shipunov 2025-01-21 00:14:24 +00:00
parent 30d2e7fafc
commit ea75d168e4
7 changed files with 258 additions and 58 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

244
flake.lock generated
View file

@ -1,5 +1,49 @@
{ {
"nodes": { "nodes": {
"authentik-nix": {
"inputs": {
"authentik-src": "authentik-src",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils",
"napalm": "napalm",
"nixpkgs": [
"nixpkgs-stable"
],
"poetry2nix": "poetry2nix",
"systems": "systems"
},
"locked": {
"lastModified": 1736445563,
"narHash": "sha256-+f1MWPtja+LRlTHJP/i/3yxmnzo2LGtZmxtJJTdAp8o=",
"owner": "nix-community",
"repo": "authentik-nix",
"rev": "bf5a5bf42189ff5f468f0ff26c9296233a97eb6c",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "authentik-nix",
"type": "github"
}
},
"authentik-src": {
"flake": false,
"locked": {
"lastModified": 1736440980,
"narHash": "sha256-Z3rFFrXrOKaF9NpY/fInsEbzdOWnWqLfEYl7YX9hFEU=",
"owner": "goauthentik",
"repo": "authentik",
"rev": "9d81f0598c7735e2b4616ee865ab896056a67408",
"type": "github"
},
"original": {
"owner": "goauthentik",
"ref": "version/2024.12.2",
"repo": "authentik",
"type": "github"
}
},
"crane": { "crane": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -37,7 +81,41 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": { "flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1727826117,
"narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
"lanzaboote", "lanzaboote",
@ -60,7 +138,28 @@
}, },
"flake-utils": { "flake-utils": {
"inputs": { "inputs": {
"systems": "systems" "systems": [
"authentik-nix",
"systems"
]
},
"locked": {
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_2"
}, },
"locked": { "locked": {
"lastModified": 1731533236, "lastModified": 1731533236,
@ -76,9 +175,9 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils_2": { "flake-utils_3": {
"inputs": { "inputs": {
"systems": "systems_2" "systems": "systems_3"
}, },
"locked": { "locked": {
"lastModified": 1710146030, "lastModified": 1710146030,
@ -119,9 +218,9 @@
"lanzaboote": { "lanzaboote": {
"inputs": { "inputs": {
"crane": "crane", "crane": "crane",
"flake-compat": "flake-compat", "flake-compat": "flake-compat_2",
"flake-parts": "flake-parts", "flake-parts": "flake-parts_2",
"flake-utils": "flake-utils_2", "flake-utils": "flake-utils_3",
"nixpkgs": [ "nixpkgs": [
"nixpkgs-unstable" "nixpkgs-unstable"
], ],
@ -168,6 +267,54 @@
"type": "github" "type": "github"
} }
}, },
"napalm": {
"inputs": {
"flake-utils": [
"authentik-nix",
"flake-utils"
],
"nixpkgs": [
"authentik-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1725806412,
"narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=",
"owner": "willibutz",
"repo": "napalm",
"rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5",
"type": "github"
},
"original": {
"owner": "willibutz",
"ref": "avoid-foldl-stack-overflow",
"repo": "napalm",
"type": "github"
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
"authentik-nix",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1729742964,
"narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1736978406, "lastModified": 1736978406,
@ -184,6 +331,18 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-lib": {
"locked": {
"lastModified": 1727825735,
"narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
}
},
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1710695816, "lastModified": 1710695816,
@ -232,6 +391,37 @@
"type": "github" "type": "github"
} }
}, },
"poetry2nix": {
"inputs": {
"flake-utils": [
"authentik-nix",
"flake-utils"
],
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"authentik-nix",
"nixpkgs"
],
"systems": [
"authentik-nix",
"systems"
],
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1735164664,
"narHash": "sha256-DaWy+vo3c4TQ93tfLjUgcpPaSoDw4qV4t76Y3Mhu84I=",
"owner": "nix-community",
"repo": "poetry2nix",
"rev": "1fb01e90771f762655be7e0e805516cd7fa4d58e",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "poetry2nix",
"type": "github"
}
},
"pre-commit-hooks-nix": { "pre-commit-hooks-nix": {
"inputs": { "inputs": {
"flake-compat": [ "flake-compat": [
@ -261,7 +451,8 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"flake-utils": "flake-utils", "authentik-nix": "authentik-nix",
"flake-utils": "flake-utils_2",
"lanzaboote": "lanzaboote", "lanzaboote": "lanzaboote",
"microvm": "microvm", "microvm": "microvm",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
@ -333,6 +524,21 @@
} }
}, },
"systems": { "systems": {
"locked": {
"lastModified": 1689347949,
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
"owner": "nix-systems",
"repo": "default-linux",
"rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default-linux",
"type": "github"
}
},
"systems_2": {
"locked": { "locked": {
"lastModified": 1681028828, "lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
@ -347,7 +553,7 @@
"type": "github" "type": "github"
} }
}, },
"systems_2": { "systems_3": {
"locked": { "locked": {
"lastModified": 1681028828, "lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
@ -377,6 +583,28 @@
"repo": "tmux-yank", "repo": "tmux-yank",
"type": "github" "type": "github"
} }
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"authentik-nix",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1730120726,
"narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "9ef337e492a5555d8e17a51c911ff1f02635be15",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",

7
flake.nix
View file

@ -25,6 +25,11 @@
inputs.nixpkgs.follows = "nixpkgs-unstable"; inputs.nixpkgs.follows = "nixpkgs-unstable";
}; };
authentik-nix = {
url = "github:nix-community/authentik-nix";
inputs.nixpkgs.follows = "nixpkgs-stable";
};
tmux-yank = { tmux-yank = {
url = "github:tmux-plugins/tmux-yank"; url = "github:tmux-plugins/tmux-yank";
flake = false; flake = false;
@ -34,6 +39,7 @@
outputs = outputs =
inputs@{ inputs@{
self, self,
authentik-nix,
flake-utils, flake-utils,
lanzaboote, lanzaboote,
microvm, microvm,
@ -106,6 +112,7 @@
modules = [ modules = [
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
microvm.nixosModules.microvm microvm.nixosModules.microvm
authentik-nix.nixosModules.default
./hosts/auth ./hosts/auth
./modules/server ./modules/server

13
hosts/auth/authentik.nix Normal file
View file

@ -0,0 +1,13 @@
{ config, ... }:
{
sops.secrets."authentik/env" = {};
services.authentik = {
enable = true;
environmentFile = config.sops.secrets."authentik/env".path;
settings = {
log_level = "debug";
disable_startup_analytics = true;
avatars = "initials";
};
};
}

3
hosts/auth/default.nix
View file

@ -4,8 +4,7 @@ let
in in
{ {
imports = [ imports = [
./keycloak.nix ./authentik.nix
./oauth2-proxy.nix
]; ];
sops.defaultSopsFile = ./secrets.yaml; sops.defaultSopsFile = ./secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

18
hosts/auth/keycloak.nix
View file

@ -1,18 +0,0 @@
{ config, ... }:
{
services.keycloak = {
enable = true;
database = {
type = "postgresql";
createLocally = true;
passwordFile = config.sops.secrets."keycloak/db_pass".path;
};
settings = {
hostname = "https://auth.oxapentane.com";
http-port = 38080;
http-enabled = true;
proxy-headers = "xforwarded";
proxy-trusted-addresses = "10.89.88.0/24,fd31:185d:722f::/48";
};
};
}

25
hosts/auth/oauth2-proxy.nix
View file

@ -1,25 +0,0 @@
{ config, ... }:
{
sops.secrets."oauth2-proxy/env" = {
owner = config.users.users.oauth2-proxy.name;
};
services.oauth2-proxy = {
enable = true;
reverseProxy = true;
provider = "keycloak-oidc";
httpAddress = "0.0.0.0:4180";
oidcIssuerUrl = "https://auth.oxapentane.com/realms/0xalab-prod";
clientID = "radicale-proxy";
redirectURL = "https://dav.oxapentane.com/oauth2/callback";
keyFile = config.sops.secrets."oauth2-proxy/env".path;
scope = "openid";
email.domains = [ "*" ];
setXauthrequest = true;
cookie = {
secure = true;
refresh = "48h0m0s";
domain = ".oxapentane.com";
};
};
}

6
hosts/radicale/radicale.nix
View file

@ -1,8 +1,5 @@
{ config, ... }: { config, ... }:
{ {
sops.secrets."radicale/htpasswd" = {
owner = config.users.users.radicale.name;
};
services.radicale = { services.radicale = {
enable = true; enable = true;
settings = { settings = {
@ -11,8 +8,7 @@
ssl = "False"; ssl = "False";
}; };
auth = { auth = {
type = "htpasswd"; type = "http_x_remote_user";
htpasswd_filename = config.sops.secrets."radicale/htpasswd".path;
}; };
rights = { rights = {
type = "owner_only"; type = "owner_only";