diff --git a/machines/Home-Hypervisor/default.nix b/machines/Home-Hypervisor/default.nix
index 190f4a1..7885d7c 100644
--- a/machines/Home-Hypervisor/default.nix
+++ b/machines/Home-Hypervisor/default.nix
@@ -10,6 +10,7 @@ in {
 nixosRoles.hypervisor
 nixosProfiles.acme
+ nixosProfiles.authentik
 nixosProfiles.battery-historian
 nixosProfiles.blocky
 nixosProfiles.duplicacy
diff --git a/machines/Home-Hypervisor/virtualisation.nix b/machines/Home-Hypervisor/virtualisation.nix
index 719ecec..0439155 100644
--- a/machines/Home-Hypervisor/virtualisation.nix
+++ b/machines/Home-Hypervisor/virtualisation.nix
@@ -15,7 +15,8 @@
 podman = {
 enable = true;
 extraPackages = [ pkgs.zfs ];
- # defaultNetwork.settings.dns_enabled = true;
+ dockerSocket.enable = true;
+ defaultNetwork.settings.dns_enabled = true;
 };
 containers.registries.search = [
 "docker.io" "gcr.io" "quay.io"
diff --git a/profiles/servers/authentik.nix b/profiles/servers/authentik.nix
new file mode 100644
index 0000000..d540a49
--- /dev/null
+++ b/profiles/servers/authentik.nix
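Review bot: `dockerSocket.enable = true;` publishes the Podman API on the Docker socket path, and anyone who can connect to that socket controls the container runtime, which for root-run podman is equivalent to root on the hypervisor; the hunk does not show who is granted access (NixOS requires membership in the `podman` group to connect), and the only consumer visible in this commit is the commented-out socket mount in profiles/servers/authentik.nix. If nothing consumes it yet, leave it disabled until it is needed; otherwise record the consumer next to the option, e.g. `# Docker-compatible API socket for <consumer>; root-equivalent, keep the podman group minimal.` The enclosing attribute set continues outside the hunk, so any group membership granted elsewhere is not visible here.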
@@ -0,0 +1,97 @@
+{ config, lib, pkgs, ... }:
+let
+ backend = config.virtualisation.oci-containers.backend;
+ data-dir = "/srv/authentik";
+ pod-name = "authentik-pod";
+ open-ports = [ "127.0.0.1:9000:9000/tcp" "127.0.0.1:9443:9443/tcp" ];
+ owner = "1000";
+in {
+ secrets.authentik-env = { };
+
+ virtualisation.oci-containers.containers = {
+ authentik-postgresql = {
+ autoStart = true;
+ image = "docker.io/library/postgres:12-alpine";
+ extraOptions = [ "--pod=${pod-name}" ];
+ environmentFiles = [ config.secrets.authentik-env.decrypted ];
+ volumes = [
+ "${data-dir}/db:/var/lib/postgresql/data"
+ ];
+ };
+ authentik-redis = {
+ autoStart = true;
+ image = "docker.io/library/redis:alpine";
+ cmd = [ "--save" "60" "1" "--loglevel" "warning" ];
+ extraOptions = [ "--pod=${pod-name}" ];
+ volumes = [
+ "${data-dir}/redis:/data"
+ ];
+ };
+ authentik-server = {
+ autoStart = true;
+ dependsOn = [ "authentik-postgresql" "authentik-redis" ];
+ image = "ghcr.io/goauthentik/server:2023.1.2";
+ cmd = [ "server" ];
+ extraOptions = [ "--pod=${pod-name}" ];
+ environment = {
+ AUTHENTIK_REDIS__HOST = "authentik-redis";
+ AUTHENTIK_POSTGRESQL__HOST = "authentik-postgresql";
+ };
+ environmentFiles = [ config.secrets.authentik-env.decrypted ];
+ volumes = [
+ "${data-dir}/media:/media"
+ "${data-dir}/custom-templates:/templates"
+ ];
+ };
+ authentik-worker = {
+ autoStart = true;
+ dependsOn = [ "authentik-server" ];
+ image = "ghcr.io/goauthentik/server:2023.1.2";
+ cmd = [ "worker" ];
+ extraOptions = [ "--pod=${pod-name}" ];
+ environment = {
+ AUTHENTIK_REDIS__HOST = "authentik-redis";
+ AUTHENTIK_POSTGRESQL__HOST = "authentik-postgresql";
+ };
+ environmentFiles = [ config.secrets.authentik-env.decrypted ];
+ # user = "root";
+ volumes = [
+ # "/var/run/${backend}/${backend}.sock"
+ "${data-dir}/media:/media"
+ "${data-dir}/certs:/certs"
+ "${data-dir}/custom-templates:/templates"
+ ];
+ };
+ };
+
+ systemd.services."podman-create-${pod-name}" = let
+ portsMapping = 
lib.concatMapStrings (port: " -p " + port) open-ports;
+ start = pkgs.writeShellScript "create-pod" ''
+ if [[ ! -d "${data-dir}" ]]; then
+ mkdir -p "${data-dir}/db"
+ mkdir -p "${data-dir}/redis"
+ mkdir -p "${data-dir}/media" && chown ${owner}:${owner} "${data-dir}/media"
+ mkdir -p "${data-dir}/certs" && chown ${owner}:${owner} "${data-dir}/certs"
+ mkdir -p "${data-dir}/custom-templates" && chown ${owner}:${owner} "${data-dir}/custom-templates"
+ fi
+ podman pod exists ${pod-name} || podman pod create -n ${pod-name} ${portsMapping}
+ '';
+ stop = "podman pod rm -i -f ${pod-name}";
+ in rec {
+ path = [ pkgs.coreutils config.virtualisation.podman.package ];
+ before = [
+ "${backend}-authentik-postgresql.service"
+ "${backend}-authentik-redis.service"
+ "${backend}-authentik-server.service"
+ "${backend}-authentik-worker.service"
+ ];
+ wantedBy = before;
+ partOf = before;
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = "yes";
+ ExecStart = start;
+ ExecStop = stop;
+ };
+ };
+}
\ No newline at end of file
diff --git a/profiles/servers/mailserver.nix b/profiles/servers/mailserver.nix
index c45a81e..52f6062 100644
--- a/profiles/servers/mailserver.nix
+++ b/profiles/servers/mailserver.nix
@@ -13,6 +13,7 @@ in {
 secrets.mailserver-vaultwarden = secrets-default;
 secrets.mailserver-seafile = secrets-default;
 secrets.mailserver-gitea = secrets-default;
+ secrets.mailserver-authentik = secrets-default;
 security.acme.certs."mail.ataraxiadev.com" = {
 webroot = "/var/lib/acme/acme-challenge";
@@ -68,6 +69,10 @@ in {
 hashedPasswordFile = config.secrets.mailserver-mitin.decrypted;
 };
+ "authentik@ataraxiadev.com" = {
+ aliases = [ "authentik" ];
+ hashedPasswordFile = config.secrets.mailserver-authentik.decrypted;
+ };
 "gitea@ataraxiadev.com" = {
 aliases = [ "gitea" ];
 hashedPasswordFile = config.secrets.mailserver-gitea.decrypted;
diff --git a/profiles/servers/nginx.nix b/profiles/servers/nginx.nix
index 7bf2d7d..9162c79 100644
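Review bot: The directory bootstrap in the create-pod script runs only when `${data-dir}` itself is absent, so a volume directory added later (for example `certs`, which only the worker mounts) is never created or chowned on a host that already has `/srv/authentik`, and the runtime may then create it with root ownership at first start; dropping the `if [[ ! -d "${data-dir}" ]]; then` / `fi` wrapper and relying on the already-idempotent `mkdir -p` plus `chown` lines avoids that. The two datastore images are pulled by floating tags (`postgres:12-alpine`, `redis:alpine`) while the authentik image is pinned to `2023.1.2`; pinning them by tag plus digest (`image = "docker.io/library/redis:alpine@sha256:<digest>";`, digest to be filled in) keeps upgrades deliberate and reviewable. `partOf = before` on the pod-create unit appears to propagate a stop or restart of any single container service into `podman pod rm -i -f`, which would take down every container in the pod; worth confirming that is intended, or else restricting it to `wantedBy`/`before`.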
--- a/profiles/servers/nginx.nix
+++ b/profiles/servers/nginx.nix
@@ -32,6 +32,7 @@
 "joplin.ataraxiadev.com"
 "api.ataraxiadev.com"
 "fsync.ataraxiadev.com"
+ "auth.ataraxiadev.com"
 ];
 };
 };
@@ -224,6 +225,12 @@
 extraConfig = proxySettings;
 };
 } // default;
+ "auth.ataraxiadev.com" = {
+ locations."/" = {
+ proxyPass = "http://localhost:9000";
+ extraConfig = proxySettings;
+ };
+ } // default;
 "api.ataraxiadev.com" = {
 locations."~ (\\.py|\\.sh)$" = with config.services; {
 alias = "/srv/http/api.ataraxiadev.com";
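Review bot: The new `auth.ataraxiadev.com` vhost proxies to `http://localhost:9000` with the shared `proxySettings`, which is defined outside this hunk, so it is not visible whether `Host`, `X-Forwarded-Proto` and `X-Forwarded-For` are forwarded; authentik's reverse-proxy guidance expects all three, and without them redirects and cookie handling follow the plain-HTTP upstream and its event log records the proxy address instead of the client. If `proxySettings` does not already set them, add `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-Proto $scheme;` to this location's `extraConfig`. Authentik also serves websocket endpoints for its outposts, so `proxyWebsockets = true;` on this location is likely needed if those are used; the attribute set this vhost is merged into continues outside the hunk.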