xyno/nix-configs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

authentik

Browse source
This commit is contained in:
Lucy Hochkamp 2025-02-23 17:59:37 +01:00
parent 151180b02f
commit f6d88dc51f
No known key found for this signature in database
8 changed files with 143 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

21
flake.lock generated
View file

@ -462,6 +462,26 @@
"type": "github" "type": "github"
} }
}, },
"quadlet-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1739316033,
"narHash": "sha256-yHBsu5I2GOTaMzqEYXfDWzEH+pTpNKp/Ew/8x+cVCZg=",
"owner": "SEIAROTg",
"repo": "quadlet-nix",
"rev": "31e4175bdc1cee453f66cada21f9dd6eb90e507f",
"type": "github"
},
"original": {
"owner": "SEIAROTg",
"repo": "quadlet-nix",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix", "agenix": "agenix",
@ -477,6 +497,7 @@
"nixpkgs-darwin": "nixpkgs-darwin", "nixpkgs-darwin": "nixpkgs-darwin",
"nixpkgs-master": "nixpkgs-master", "nixpkgs-master": "nixpkgs-master",
"pandoc-latex-template": "pandoc-latex-template", "pandoc-latex-template": "pandoc-latex-template",
"quadlet-nix": "quadlet-nix",
"roslyn-language-server": "roslyn-language-server", "roslyn-language-server": "roslyn-language-server",
"spoons": "spoons", "spoons": "spoons",
"utils": "utils", "utils": "utils",

3
flake.nix
View file

@ -16,6 +16,9 @@
nixos-hardware.url = "github:NixOS/nixos-hardware/master"; nixos-hardware.url = "github:NixOS/nixos-hardware/master";
darwin.url = "github:lnl7/nix-darwin/master"; darwin.url = "github:lnl7/nix-darwin/master";
darwin.inputs.nixpkgs.follows = "nixpkgs"; darwin.inputs.nixpkgs.follows = "nixpkgs";
quadlet-nix.url = "github:SEIAROTg/quadlet-nix";
quadlet-nix.inputs.nixpkgs.follows = "nixpkgs";
lix-module = { lix-module = {
url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-2.tar.gz"; url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-2.tar.gz";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";

70
hosts/ds9/authentik.nix Normal file
View file

@ -0,0 +1,70 @@
{ pkgs, config, lib, inputs, ... }:
{
imports = [
inputs.quadlet-nix.nixosModules.quadlet
];
ragon.agenix.secrets.ds9AuthentikEnv = { };
virtualisation.quadlet =
{
containers = {
authentik-server.containerConfig.image = "ghcr.io/goauthentik/server:2024.12.3";
authentik-server.containerConfig.exec = "server";
authentik-server.containerConfig.networks = [
"podman"
"db-net"
"authentik-net"
];
authentik-server.containerConfig.volumes = [
"authentik-media:/media"
"authentik-certs:/certs"
];
authentik-server.containerConfig.environments = {
AUTHENTIK_REDIS__HOST = "authentik-redis";
AUTHENTIK_POSTGRESQL__HOST = "postgres";
AUTHENTIK_POSTGRESQL__USER = "authentik";
AUTHENTIK_POSTGRESQL__NAME = "authentik";
};
authentik-server.serviceConfig.TimeoutStartSec = "60";
authentik-server.containerConfig.environmentFiles = [
config.age.secrets.ds9AuthentikEnv.path
];
authentik-worker.containerConfig.image = "ghcr.io/goauthentik/server:2024.12.3";
authentik-worker.containerConfig.exec = "worker";
authentik-worker.containerConfig.networks = [
"podman"
"db-net"
"authentik-net"
];
authentik-worker.containerConfig.volumes = [
"authentik-media:/media"
"authentik-certs:/certs"
];
authentik-worker.containerConfig.environments = {
AUTHENTIK_REDIS__HOST = "authentik-redis";
AUTHENTIK_POSTGRESQL__HOST = "postgres";
AUTHENTIK_POSTGRESQL__USER = "authentik";
AUTHENTIK_POSTGRESQL__NAME = "authentik";
};
authentik-worker.containerConfig.environmentFiles = [
config.age.secrets.ds9AuthentikEnv.path
];
authentik-worker.serviceConfig.TimeoutStartSec = "60";
authentik-redis.containerConfig.image = "docker.io/library/redis:alpine";
authentik-redis.containerConfig.networks = [
"authentik-net"
];
authentik-redis.containerConfig.volumes = [ "authentik-redis:/data" ];
authentik-redis.serviceConfig.TimeoutStartSec = "60";
};
networks = {
authentik.networkConfig.ipv6 = true;
authentik.networkConfig.name = "authentik-net";
authentik.networkConfig.internal = true;
};
};
}

1
hosts/ds9/containers.nix
View file

@ -22,6 +22,7 @@ let
''; '';
in in
{ {
imports = [ ./authentik.nix ];
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ]; networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
networking.firewall.interfaces."podman+".allowedTCPPorts = [ 12300 3001 ]; networking.firewall.interfaces."podman+".allowedTCPPorts = [ 12300 3001 ];
fileSystems."/var/lib/containers" = { fileSystems."/var/lib/containers" = {

8
hosts/ds9/default.nix
View file

@ -176,6 +176,14 @@ in
handle @jellyfin { handle @jellyfin {
import podmanRedir http://jellyfin:8096 import podmanRedir http://jellyfin:8096
} }
@auth host auth.hailsatan.eu
handle @auth {
import podmanRedir http://authentik-server:9000
}
handle {
abort
}
''; '';
virtualHosts."*.hailsatan.eu".extraConfig = '' virtualHosts."*.hailsatan.eu".extraConfig = ''
import blockBots import blockBots

38
hosts/theseus/default.nix
View file

@ -309,24 +309,28 @@
}; };
programs.borgmatic = { programs.borgmatic = {
enable = true; enable = true;
backups.system = { backups.system =
location.sourceDirectories = [ "/persistent" ]; let
location.repositories = [{ path = "ssh://ragon@ds9//backups/theseus"; }]; notify = "${pkgs.libnotify}/bin/notify-send";
location.extraConfig.exclude_if_present = [ ".nobackup" ]; in
storage.encryptionPasscommand = "${pkgs.libsecret}/bin/secret-tool lookup borg-repository system"; {
location.extraConfig.before_backup = [ "notify-send -u low -a borgmatic borgmatic \"starting backup\" -t 10000" ]; location.sourceDirectories = [ "/persistent" ];
location.extraConfig.after_backup = [ "notify-send -u low -a borgmatic borgmatic \"finished backup\" -t 10000" ]; location.repositories = [{ path = "ssh://ragon@ds9//backups/theseus"; }];
location.extraConfig.on_error = [ "notify-send -u critical -a borgmatic borgmatic \"backup failed\"" ]; location.extraConfig.exclude_if_present = [ ".nobackup" ];
# location.extraConfig.ssh_command = "ssh -i /home/ragon/.ssh/id_ed25519"; storage.encryptionPasscommand = "${pkgs.libsecret}/bin/secret-tool lookup borg-repository system";
location.extraConfig.one_file_system = true; location.extraConfig.before_backup = [ "${notify} -u low -a borgmatic borgmatic \"starting backup\" -t 10000" ];
retention = { location.extraConfig.after_backup = [ "${notify} -u low -a borgmatic borgmatic \"finished backup\" -t 10000" ];
keepHourly = 24; location.extraConfig.on_error = [ "${notify} -u critical -a borgmatic borgmatic \"backup failed\"" ];
keepDaily = 7; # location.extraConfig.ssh_command = "ssh -i /home/ragon/.ssh/id_ed25519";
keepWeekly = 4; location.extraConfig.one_file_system = true;
keepMonthly = 12; retention = {
keepYearly = 2; keepHourly = 24;
keepDaily = 7;
keepWeekly = 4;
keepMonthly = 12;
keepYearly = 2;
};
}; };
};
}; };
services.borgmatic.enable = true; services.borgmatic.enable = true;
}; };

18
secrets/ds9AuthentikEnv.age Normal file
View file

@ -0,0 +1,18 @@
age-encryption.org/v1
-> ssh-ed25519 IbXxfw txO+WpNIfkk0D+z+ExISJrmNr7AfnHrUuJism/I1kVg
BAKQgC3NkUZXFEkW8P2sBUs5NhGSWmUpsHYi2t7jzug
-> ssh-ed25519 ugHWWw VFs9ucrZskgkmsM51E6ji4m5bpAYUxPMa81Bt9dJGT0
ThqJfhsgWZC50MbWLKJQWoHZWOq0oy3XiPmhAhm6IBY
-> ssh-ed25519 UU9RSA i7l1OvugJOKcOWOah4Zv08YRsXRNZu86IYmHGTd8i3A
KzPQDuUTiXhew37g3xWDER+P79GdBAOT/L9UXdXEqOE
-> ssh-ed25519 RJI3BA OBT8HWpEFpfQmhhg7kTDcKjILDcHhjGk5fGKzK3MbBM
ohZ5ROo4V2dJeAR0H+NPYxU35bUPHV71hsVu/JVWOEI
-> ssh-ed25519 XnvJKw PJS/Mj/o704VbaZsOHiW92oMZ151VFxckP5eTAb8KHo
uSyDrXJfTAcVEPpG/Ao8hT/xB71SvY3PC7d8kTWRpD0
-> ssh-ed25519 7NL5Ng OwMY1YoDoLeCGGUueglr8x+iFzqddP8uWBJ4jiYxKjQ
YZk840SivxItTgQf22pePBDAkYv2bwlua9s7SObjmS4
-> ssh-ed25519 5Sll2Q 2ddDno8EIqDDZyvPBglkU4OOipXJ5QfMgfc7xtSpB24
IKe1VvtzE44syNORvI/CoO+xaZiHAIc+lOsAJVlG7Eg
--- SqJy9Y9Fhd/PDUEmvC2c40Ln+VdKEq/o+qu6WWcRO4Y
IÑÞ´<>œôµ3ëéÏ#±kc×áët"”DÝsßë÷W qe¿™”ªÃ/ ÛI1\½¥Æq¾KØ.ͪÀõ»Ýlt­ßGïô6 „sÙ\唶O<C2B6>Ì,k0è1ü[ÛÑ×z„øàNðVGm¸ÊB
µ±õ/x.v qeZ»Q=üb´j 6ÈÇ«´—TW»LU‰"Îœ›'còè<35>&aÀîý©ÞÛÅ¥¦?뵆ÇbY¨J¸þòþY¥uÂYÐ~¬éF_¦„ZÉ*°É*ÉŽào X2¥<¦°T“e2[þ#tÆtCH'£çÔopi±ì¢çùÄ¥–ã.Ck¢

1
secrets/secrets.nix
View file

@ -20,6 +20,7 @@ in
"ds9DynDns.age".publicKeys = pubkeys.ragon.host "ds9"; "ds9DynDns.age".publicKeys = pubkeys.ragon.host "ds9";
"ds9PostgresEnv.age".publicKeys = pubkeys.ragon.host "ds9"; "ds9PostgresEnv.age".publicKeys = pubkeys.ragon.host "ds9";
"ds9ImmichEnv.age".publicKeys = pubkeys.ragon.host "ds9"; "ds9ImmichEnv.age".publicKeys = pubkeys.ragon.host "ds9";
"ds9AuthentikEnv.age".publicKeys = pubkeys.ragon.host "ds9";
"gatebridgeHostKeys.age".publicKeys = pubkeys.ragon.server; "gatebridgeHostKeys.age".publicKeys = pubkeys.ragon.server;
"plausibleAdminPw.age".publicKeys = pubkeys.ragon.host "picard"; "plausibleAdminPw.age".publicKeys = pubkeys.ragon.host "picard";
"plausibleGoogleClientId.age".publicKeys = pubkeys.ragon.host "picard"; "plausibleGoogleClientId.age".publicKeys = pubkeys.ragon.host "picard";