authentik

2025-02-23 17:59:37 +01:00 · 2025-02-23 17:59:37 +01:00 · f6d88dc51f
commit f6d88dc51f
parent 151180b02f
8 changed files with 143 additions and 17 deletions
--- a/hosts/ds9/authentik.nix
+++ b/hosts/ds9/authentik.nix
@ -0,0 +1,70 @@
+{ pkgs, config, lib, inputs, ... }:
+{
+  imports = [
+    inputs.quadlet-nix.nixosModules.quadlet
+  ];
+  ragon.agenix.secrets.ds9AuthentikEnv = { };
+  virtualisation.quadlet =
+    {
+      containers = {
+        authentik-server.containerConfig.image = "ghcr.io/goauthentik/server:2024.12.3";
+
+        authentik-server.containerConfig.exec = "server";
+        authentik-server.containerConfig.networks = [
+          "podman"
+          "db-net"
+          "authentik-net"
+        ];
+        authentik-server.containerConfig.volumes = [
+          "authentik-media:/media"
+          "authentik-certs:/certs"
+        ];
+        authentik-server.containerConfig.environments = {
+          AUTHENTIK_REDIS__HOST = "authentik-redis";
+          AUTHENTIK_POSTGRESQL__HOST = "postgres";
+          AUTHENTIK_POSTGRESQL__USER = "authentik";
+          AUTHENTIK_POSTGRESQL__NAME = "authentik";
+
+        };
+        authentik-server.serviceConfig.TimeoutStartSec = "60";
+        authentik-server.containerConfig.environmentFiles = [
+          config.age.secrets.ds9AuthentikEnv.path
+        ];
+        authentik-worker.containerConfig.image = "ghcr.io/goauthentik/server:2024.12.3";
+
+        authentik-worker.containerConfig.exec = "worker";
+        authentik-worker.containerConfig.networks = [
+          "podman"
+          "db-net"
+          "authentik-net"
+        ];
+        authentik-worker.containerConfig.volumes = [
+          "authentik-media:/media"
+          "authentik-certs:/certs"
+        ];
+        authentik-worker.containerConfig.environments = {
+          AUTHENTIK_REDIS__HOST = "authentik-redis";
+          AUTHENTIK_POSTGRESQL__HOST = "postgres";
+          AUTHENTIK_POSTGRESQL__USER = "authentik";
+          AUTHENTIK_POSTGRESQL__NAME = "authentik";
+
+        };
+        authentik-worker.containerConfig.environmentFiles = [
+          config.age.secrets.ds9AuthentikEnv.path
+        ];
+        authentik-worker.serviceConfig.TimeoutStartSec = "60";
+        authentik-redis.containerConfig.image = "docker.io/library/redis:alpine";
+        authentik-redis.containerConfig.networks = [
+          "authentik-net"
+
+        ];
+        authentik-redis.containerConfig.volumes = [ "authentik-redis:/data" ];
+        authentik-redis.serviceConfig.TimeoutStartSec = "60";
+      };
+      networks = {
+        authentik.networkConfig.ipv6 = true;
+        authentik.networkConfig.name = "authentik-net";
+        authentik.networkConfig.internal = true;
+      };
+    };
+}
--- a/hosts/ds9/containers.nix
+++ b/hosts/ds9/containers.nix
@ -22,6 +22,7 @@ let
  '';
 in
 {
+  imports = [ ./authentik.nix ];
  networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
  networking.firewall.interfaces."podman+".allowedTCPPorts = [ 12300 3001 ];
  fileSystems."/var/lib/containers" = {
--- a/hosts/ds9/default.nix
+++ b/hosts/ds9/default.nix
@ -176,6 +176,14 @@ in
      handle @jellyfin {
        import podmanRedir http://jellyfin:8096 
      }
+      @auth host auth.hailsatan.eu
+      handle @auth {
+        import podmanRedir http://authentik-server:9000
+      }
+      handle {
+        abort
+      }
+      
    '';
    virtualHosts."*.hailsatan.eu".extraConfig = ''
      import blockBots
--- a/hosts/theseus/default.nix
+++ b/hosts/theseus/default.nix
@ -309,24 +309,28 @@
    };
    programs.borgmatic = {
      enable = true;
-      backups.system = {
-        location.sourceDirectories = [ "/persistent" ];
-        location.repositories = [{ path = "ssh://ragon@ds9//backups/theseus"; }];
-        location.extraConfig.exclude_if_present = [ ".nobackup" ];
-        storage.encryptionPasscommand = "${pkgs.libsecret}/bin/secret-tool lookup borg-repository system";
-        location.extraConfig.before_backup = [ "notify-send -u low -a borgmatic borgmatic \"starting backup\" -t 10000" ];
-        location.extraConfig.after_backup = [ "notify-send -u low -a borgmatic borgmatic \"finished backup\" -t 10000" ];
-        location.extraConfig.on_error = [ "notify-send -u critical -a borgmatic borgmatic \"backup failed\"" ];
-        # location.extraConfig.ssh_command = "ssh -i /home/ragon/.ssh/id_ed25519";
-        location.extraConfig.one_file_system = true;
-        retention = {
-          keepHourly = 24;
-          keepDaily = 7;
-          keepWeekly = 4;
-          keepMonthly = 12;
-          keepYearly = 2;
+      backups.system =
+        let
+          notify = "${pkgs.libnotify}/bin/notify-send";
+        in
+        {
+          location.sourceDirectories = [ "/persistent" ];
+          location.repositories = [{ path = "ssh://ragon@ds9//backups/theseus"; }];
+          location.extraConfig.exclude_if_present = [ ".nobackup" ];
+          storage.encryptionPasscommand = "${pkgs.libsecret}/bin/secret-tool lookup borg-repository system";
+          location.extraConfig.before_backup = [ "${notify} -u low -a borgmatic borgmatic \"starting backup\" -t 10000" ];
+          location.extraConfig.after_backup = [ "${notify} -u low -a borgmatic borgmatic \"finished backup\" -t 10000" ];
+          location.extraConfig.on_error = [ "${notify} -u critical -a borgmatic borgmatic \"backup failed\"" ];
+          # location.extraConfig.ssh_command = "ssh -i /home/ragon/.ssh/id_ed25519";
+          location.extraConfig.one_file_system = true;
+          retention = {
+            keepHourly = 24;
+            keepDaily = 7;
+            keepWeekly = 4;
+            keepMonthly = 12;
+            keepYearly = 2;
+          };
        };
-      };
    };
    services.borgmatic.enable = true;
  };