From f6d88dc51f7ce0f85b6e4985a2ac66653165e628 Mon Sep 17 00:00:00 2001
From: Lucy Hochkamp
Date: Sun, 23 Feb 2025 17:59:37 +0100
Subject: [PATCH] authentik

---
 flake.lock | 21 +++++++++++
 flake.nix | 3 ++
 hosts/ds9/authentik.nix | 70 +++++++++++++++++++++++++++++++++++++
 hosts/ds9/containers.nix | 1 +
 hosts/ds9/default.nix | 8 +++++
 hosts/theseus/default.nix | 38 +++++++++++---------
 secrets/ds9AuthentikEnv.age | 18 ++++++++++
 secrets/secrets.nix | 1 +
 8 files changed, 143 insertions(+), 17 deletions(-)
 create mode 100644 hosts/ds9/authentik.nix
 create mode 100644 secrets/ds9AuthentikEnv.age

diff --git a/flake.lock b/flake.lock
index 8b595cf6..1b6b06e4 100644
--- a/flake.lock
+++ b/flake.lock
@@ -462,6 +462,26 @@
 "type": "github"
 }
 },
+ "quadlet-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1739316033,
+ "narHash": "sha256-yHBsu5I2GOTaMzqEYXfDWzEH+pTpNKp/Ew/8x+cVCZg=",
+ "owner": "SEIAROTg",
+ "repo": "quadlet-nix",
+ "rev": "31e4175bdc1cee453f66cada21f9dd6eb90e507f",
+ "type": "github"
+ },
+ "original": {
+ "owner": "SEIAROTg",
+ "repo": "quadlet-nix",
+ "type": "github"
+ }
+ },
 "root": {
 "inputs": {
 "agenix": "agenix",
@@ -477,6 +497,7 @@
 "nixpkgs-darwin": "nixpkgs-darwin",
 "nixpkgs-master": "nixpkgs-master",
 "pandoc-latex-template": "pandoc-latex-template",
+ "quadlet-nix": "quadlet-nix",
 "roslyn-language-server": "roslyn-language-server",
 "spoons": "spoons",
 "utils": "utils",
diff --git a/flake.nix b/flake.nix
index 4bb09d0d..82b79329 100644
--- a/flake.nix
+++ b/flake.nix
@@ -16,6 +16,9 @@
 nixos-hardware.url = "github:NixOS/nixos-hardware/master";
 darwin.url = "github:lnl7/nix-darwin/master";
 darwin.inputs.nixpkgs.follows = "nixpkgs";
+ quadlet-nix.url = "github:SEIAROTg/quadlet-nix";
+ quadlet-nix.inputs.nixpkgs.follows = "nixpkgs";
+
 lix-module = {
 url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-2.tar.gz";
 inputs.nixpkgs.follows = "nixpkgs";
diff --git a/hosts/ds9/authentik.nix b/hosts/ds9/authentik.nix
new file mode 100644
index 00000000..d3e8fcc0
--- /dev/null
+++ b/hosts/ds9/authentik.nix
@@ -0,0 +1,70 @@
+{ pkgs, config, lib, inputs, ... }:
+{
+ imports = [
+ inputs.quadlet-nix.nixosModules.quadlet
+ ];
+ ragon.agenix.secrets.ds9AuthentikEnv = { };
+ virtualisation.quadlet =
+ {
+ containers = {
+ authentik-server.containerConfig.image = "ghcr.io/goauthentik/server:2024.12.3";
+
+ authentik-server.containerConfig.exec = "server";
+ authentik-server.containerConfig.networks = [
+ "podman"
+ "db-net"
+ "authentik-net"
+ ];
+ authentik-server.containerConfig.volumes = [
+ "authentik-media:/media"
+ "authentik-certs:/certs"
+ ];
+ authentik-server.containerConfig.environments = {
+ AUTHENTIK_REDIS__HOST = "authentik-redis";
+ AUTHENTIK_POSTGRESQL__HOST = "postgres";
+ AUTHENTIK_POSTGRESQL__USER = "authentik";
+ AUTHENTIK_POSTGRESQL__NAME = "authentik";
+
+ };
+ authentik-server.serviceConfig.TimeoutStartSec = "60";
+ authentik-server.containerConfig.environmentFiles = [
+ config.age.secrets.ds9AuthentikEnv.path
+ ];
+ authentik-worker.containerConfig.image = "ghcr.io/goauthentik/server:2024.12.3";
+
+ authentik-worker.containerConfig.exec = "worker";
+ authentik-worker.containerConfig.networks = [
+ "podman"
+ "db-net"
+ "authentik-net"
+ ];
+ authentik-worker.containerConfig.volumes = [
+ "authentik-media:/media"
+ "authentik-certs:/certs"
+ ];
+ authentik-worker.containerConfig.environments = {
+ AUTHENTIK_REDIS__HOST = "authentik-redis";
+ AUTHENTIK_POSTGRESQL__HOST = "postgres";
+ AUTHENTIK_POSTGRESQL__USER = "authentik";
+ AUTHENTIK_POSTGRESQL__NAME = "authentik";
+
+ };
+ authentik-worker.containerConfig.environmentFiles = [
+ config.age.secrets.ds9AuthentikEnv.path
+ ];
+ authentik-worker.serviceConfig.TimeoutStartSec = "60";
+ authentik-redis.containerConfig.image = "docker.io/library/redis:alpine";
+ authentik-redis.containerConfig.networks = [
+ "authentik-net"
+
+ ];
+ authentik-redis.containerConfig.volumes = [ "authentik-redis:/data" ];
+ authentik-redis.serviceConfig.TimeoutStartSec = "60";
+ };
+ networks = {
+ authentik.networkConfig.ipv6 = true;
+ authentik.networkConfig.name = "authentik-net";
+ authentik.networkConfig.internal = true;
+ };
+ };
+}
diff --git a/hosts/ds9/containers.nix b/hosts/ds9/containers.nix
index 422556a3..0f64b9bb 100644
--- a/hosts/ds9/containers.nix
+++ b/hosts/ds9/containers.nix
@@ -22,6 +22,7 @@ let
 '';
 in
 {
+ imports = [ ./authentik.nix ];
 networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
 networking.firewall.interfaces."podman+".allowedTCPPorts = [ 12300 3001 ];
 fileSystems."/var/lib/containers" = {
diff --git a/hosts/ds9/default.nix b/hosts/ds9/default.nix
index d0af41f7..29e346e5 100644
--- a/hosts/ds9/default.nix
+++ b/hosts/ds9/default.nix
@@ -176,6 +176,14 @@ in
 handle @jellyfin {
 import podmanRedir http://jellyfin:8096
 }
+ @auth host auth.hailsatan.eu
+ handle @auth {
+ import podmanRedir http://authentik-server:9000
+ }
+ handle {
+ abort
+ }
+
 '';
 virtualHosts."*.hailsatan.eu".extraConfig = ''
 import blockBots
diff --git a/hosts/theseus/default.nix b/hosts/theseus/default.nix
index 955c60f7..cceacb26 100644
--- a/hosts/theseus/default.nix
+++ b/hosts/theseus/default.nix
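Review bot: The new catch-all `handle { abort }` changes behaviour for the whole virtualHost, whose opening line is outside the hunk: any request whose host is not caught by one of the named matchers above is now dropped instead of falling through, which is a sound default-deny but is easy to misread later, so a one-line comment such as `# default-deny: hosts without an explicit handle above are aborted` would preserve the intent. Whether the `podmanRedir` snippet forwards the `Host` and `X-Forwarded-*` headers that authentik uses to build its redirect URLs cannot be checked here, since the snippet is defined elsewhere in the file; it is worth confirming before the identity provider is put behind it.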
@@ -309,24 +309,28 @@
 };
 programs.borgmatic = {
 enable = true;
- backups.system = {
- location.sourceDirectories = [ "/persistent" ];
- location.repositories = [{ path = "ssh://ragon@ds9//backups/theseus"; }];
- location.extraConfig.exclude_if_present = [ ".nobackup" ];
- storage.encryptionPasscommand = "${pkgs.libsecret}/bin/secret-tool lookup borg-repository system";
- location.extraConfig.before_backup = [ "notify-send -u low -a borgmatic borgmatic \"starting backup\" -t 10000" ];
- location.extraConfig.after_backup = [ "notify-send -u low -a borgmatic borgmatic \"finished backup\" -t 10000" ];
- location.extraConfig.on_error = [ "notify-send -u critical -a borgmatic borgmatic \"backup failed\"" ];
- # location.extraConfig.ssh_command = "ssh -i /home/ragon/.ssh/id_ed25519";
- location.extraConfig.one_file_system = true;
- retention = {
- keepHourly = 24;
- keepDaily = 7;
- keepWeekly = 4;
- keepMonthly = 12;
- keepYearly = 2;
+ backups.system =
+ let
+ notify = "${pkgs.libnotify}/bin/notify-send";
+ in
+ {
+ location.sourceDirectories = [ "/persistent" ];
+ location.repositories = [{ path = "ssh://ragon@ds9//backups/theseus"; }];
+ location.extraConfig.exclude_if_present = [ ".nobackup" ];
+ storage.encryptionPasscommand = "${pkgs.libsecret}/bin/secret-tool lookup borg-repository system";
+ location.extraConfig.before_backup = [ "${notify} -u low -a borgmatic borgmatic \"starting backup\" -t 10000" ];
+ location.extraConfig.after_backup = [ "${notify} -u low -a borgmatic borgmatic \"finished backup\" -t 10000" ];
+ location.extraConfig.on_error = [ "${notify} -u critical -a borgmatic borgmatic \"backup failed\"" ];
+ # location.extraConfig.ssh_command = "ssh -i /home/ragon/.ssh/id_ed25519";
+ location.extraConfig.one_file_system = true;
+ retention = {
+ keepHourly = 24;
+ keepDaily = 7;
+ keepWeekly = 4;
+ keepMonthly = 12;
+ keepYearly = 2;
+ };
 };
- };
 };
 services.borgmatic.enable = true;
 };
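Review bot: The commented-out `# location.extraConfig.ssh_command = "ssh -i /home/ragon/.ssh/id_ed25519";` line is carried verbatim into the rewritten block as dead configuration; either drop it or add a one-line comment stating why it is kept, so the next reader does not have to guess whether the repository still needs an explicit key. Replacing the bare `notify-send` with `${pkgs.libnotify}/bin/notify-send` fixes PATH resolution inside the unit, but if `services.borgmatic.enable = true` (the last context line) runs the backup as a systemd system unit, the notification hooks and the `secret-tool lookup` passcommand would still need access to a user session bus; that is inferred from the option rather than visible in the hunk, so it is worth confirming on the host.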
diff --git a/secrets/ds9AuthentikEnv.age b/secrets/ds9AuthentikEnv.age new file mode 100644 index 00000000..8eadd1a1 --- /dev/null +++ b/secrets/ds9AuthentikEnv.age @@ -0,0 +1,18 @@ +age-encryption.org/v1 +-> ssh-ed25519 IbXxfw txO+WpNIfkk0D+z+ExISJrmNr7AfnHrUuJism/I1kVg +BAKQgC3NkUZXFEkW8P2sBUs5NhGSWmUpsHYi2t7jzug +-> ssh-ed25519 ugHWWw VFs9ucrZskgkmsM51E6ji4m5bpAYUxPMa81Bt9dJGT0 +ThqJfhsgWZC50MbWLKJQWoHZWOq0oy3XiPmhAhm6IBY +-> ssh-ed25519 UU9RSA i7l1OvugJOKcOWOah4Zv08YRsXRNZu86IYmHGTd8i3A +KzPQDuUTiXhew37g3xWDER+P79GdBAOT/L9UXdXEqOE +-> ssh-ed25519 RJI3BA OBT8HWpEFpfQmhhg7kTDcKjILDcHhjGk5fGKzK3MbBM +ohZ5ROo4V2dJeAR0H+NPYxU35bUPHV71hsVu/JVWOEI +-> ssh-ed25519 XnvJKw PJS/Mj/o704VbaZsOHiW92oMZ151VFxckP5eTAb8KHo +uSyDrXJfTAcVEPpG/Ao8hT/xB71SvY3PC7d8kTWRpD0 +-> ssh-ed25519 7NL5Ng OwMY1YoDoLeCGGUueglr8x+iFzqddP8uWBJ4jiYxKjQ +YZk840SivxItTgQf22pePBDAkYv2bwlua9s7SObjmS4 +-> ssh-ed25519 5Sll2Q 2ddDno8EIqDDZyvPBglkU4OOipXJ5QfMgfc7xtSpB24 +IKe1VvtzE44syNORvI/CoO+xaZiHAIc+lOsAJVlG7Eg +--- SqJy9Y9Fhd/PDUEmvC2c40Ln+VdKEq/o+qu6WWcRO4Y +I޴$ꐜ3#kct"Ds=Wqe/I1\qK.ͪltG6 s\唶O,k01[zNVGmB +/x.vqeZQ=bj 6TWLU"Μ'c5&ať?뵆ǂbYJYuY~F_Z**ɎoX2<Te2[#ttCH'opiĥ.Ck \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index e6cccf2a..0870a597 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -20,6 +20,7 @@ in "ds9DynDns.age".publicKeys = pubkeys.ragon.host "ds9"; "ds9PostgresEnv.age".publicKeys = pubkeys.ragon.host "ds9"; "ds9ImmichEnv.age".publicKeys = pubkeys.ragon.host "ds9"; + "ds9AuthentikEnv.age".publicKeys = pubkeys.ragon.host "ds9"; "gatebridgeHostKeys.age".publicKeys = pubkeys.ragon.server; "plausibleAdminPw.age".publicKeys = pubkeys.ragon.host "picard"; "plausibleGoogleClientId.age".publicKeys = pubkeys.ragon.host "picard";