add authentik

This commit is contained in:
Dmitriy Kholkin 2023-01-26 04:45:14 +03:00
parent 2de238b80b
commit 6f5da5165c
5 changed files with 112 additions and 1 deletions


@ -10,6 +10,7 @@ in {
nixosRoles.hypervisor nixosRoles.hypervisor
nixosProfiles.acme nixosProfiles.acme
nixosProfiles.authentik
nixosProfiles.battery-historian nixosProfiles.battery-historian
nixosProfiles.blocky nixosProfiles.blocky
nixosProfiles.duplicacy nixosProfiles.duplicacy


@ -15,7 +15,8 @@
podman = { podman = {
enable = true; enable = true;
extraPackages = [ pkgs.zfs ]; extraPackages = [ pkgs.zfs ];
# defaultNetwork.settings.dns_enabled = true; dockerSocket.enable = true;
defaultNetwork.settings.dns_enabled = true;
}; };
containers.registries.search = [ containers.registries.search = [
"docker.io" "gcr.io" "quay.io" "docker.io" "gcr.io" "quay.io"
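Review bot: `dockerSocket.enable = true;` exposes the Podman API through the Docker-compatible socket, and any process allowed to open that socket can create containers with host-level privileges, yet nothing in this commit consumes it — the only reference is the commented-out `/var/run/${backend}/${backend}.sock` mount in the new authentik worker. Unless a consumer is planned, leave the option off; if it is kept, record who is expected to connect and what that implies, e.g. `# Docker-compatible API socket for <consumer — TODO>; access is equivalent to root on the host`. The `podman = { ... }` attribute set closes inside the hunk, but the enclosing module continues outside it.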


@ -0,0 +1,97 @@
{ config, lib, pkgs, ... }:
let
backend = config.virtualisation.oci-containers.backend;
data-dir = "/srv/authentik";
pod-name = "authentik-pod";
open-ports = [ "127.0.0.1:9000:9000/tcp" "127.0.0.1:9443:9443/tcp" ];
owner = "1000";
in {
secrets.authentik-env = { };
virtualisation.oci-containers.containers = {
authentik-postgresql = {
autoStart = true;
image = "docker.io/library/postgres:12-alpine";
extraOptions = [ "--pod=${pod-name}" ];
environmentFiles = [ config.secrets.authentik-env.decrypted ];
volumes = [
"${data-dir}/db:/var/lib/postgresql/data"
];
};
authentik-redis = {
autoStart = true;
image = "docker.io/library/redis:alpine";
cmd = [ "--save" "60" "1" "--loglevel" "warning" ];
extraOptions = [ "--pod=${pod-name}" ];
volumes = [
"${data-dir}/redis:/data"
];
};
authentik-server = {
autoStart = true;
dependsOn = [ "authentik-postgresql" "authentik-redis" ];
image = "ghcr.io/goauthentik/server:2023.1.2";
cmd = [ "server" ];
extraOptions = [ "--pod=${pod-name}" ];
environment = {
AUTHENTIK_REDIS__HOST = "authentik-redis";
AUTHENTIK_POSTGRESQL__HOST = "authentik-postgresql";
};
environmentFiles = [ config.secrets.authentik-env.decrypted ];
volumes = [
"${data-dir}/media:/media"
"${data-dir}/custom-templates:/templates"
];
};
authentik-worker = {
autoStart = true;
dependsOn = [ "authentik-server" ];
image = "ghcr.io/goauthentik/server:2023.1.2";
cmd = [ "worker" ];
extraOptions = [ "--pod=${pod-name}" ];
environment = {
AUTHENTIK_REDIS__HOST = "authentik-redis";
AUTHENTIK_POSTGRESQL__HOST = "authentik-postgresql";
};
environmentFiles = [ config.secrets.authentik-env.decrypted ];
# user = "root";
volumes = [
# "/var/run/${backend}/${backend}.sock"
"${data-dir}/media:/media"
"${data-dir}/certs:/certs"
"${data-dir}/custom-templates:/templates"
];
};
};
systemd.services."podman-create-${pod-name}" = let
portsMapping = lib.concatMapStrings (port: " -p " + port) open-ports;
start = pkgs.writeShellScript "create-pod" ''
if [[ ! -d "${data-dir}" ]]; then
mkdir -p "${data-dir}/db"
mkdir -p "${data-dir}/redis"
mkdir -p "${data-dir}/media" && chown ${owner}:${owner} "${data-dir}/media"
mkdir -p "${data-dir}/certs" && chown ${owner}:${owner} "${data-dir}/certs"
mkdir -p "${data-dir}/custom-templates" && chown ${owner}:${owner} "${data-dir}/custom-templates"
fi
podman pod exists ${pod-name} || podman pod create -n ${pod-name} ${portsMapping}
'';
stop = "podman pod rm -i -f ${pod-name}";
in rec {
path = [ pkgs.coreutils config.virtualisation.podman.package ];
before = [
"${backend}-authentik-postgresql.service"
"${backend}-authentik-redis.service"
"${backend}-authentik-server.service"
"${backend}-authentik-worker.service"
];
wantedBy = before;
partOf = before;
serviceConfig = {
Type = "oneshot";
RemainAfterExit = "yes";
ExecStart = start;
ExecStop = stop;
};
};
}
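Review bot: The guard `if [[ ! -d "${data-dir}" ]]` in the `create-pod` script skips every `mkdir` and `chown` whenever `/srv/authentik` already exists, so a partially created or hand-made tree is never repaired, and `certs` (which will hold private keys) keeps whatever mode the root umask gave it; the script also has no `set -e`, so a failed `chown` still lets `podman pod create` run. Making the directory setup idempotent with `install -d` and failing fast covers both; the `0750` mode below assumes only uid `${owner}` inside the pod needs these paths, which matches the existing `chown`, but confirm nothing on the host reads them. A separate point: `docker.io/library/redis:alpine` is an unpinned floating tag and the other images are pinned by tag only, so pinning by digest (`image@sha256:<digest — TODO>`) would make the deployment reproducible and harder to alter upstream.
```nix
    start = pkgs.writeShellScript "create-pod" ''
      set -euo pipefail
      mkdir -p "${data-dir}/db" "${data-dir}/redis"
      for d in media certs custom-templates; do
        install -d -m 0750 -o ${owner} -g ${owner} "${data-dir}/$d"
      done
      # … unchanged: podman pod exists / pod create …
    '';
```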


@ -13,6 +13,7 @@ in {
secrets.mailserver-vaultwarden = secrets-default; secrets.mailserver-vaultwarden = secrets-default;
secrets.mailserver-seafile = secrets-default; secrets.mailserver-seafile = secrets-default;
secrets.mailserver-gitea = secrets-default; secrets.mailserver-gitea = secrets-default;
secrets.mailserver-authentik = secrets-default;
security.acme.certs."mail.ataraxiadev.com" = { security.acme.certs."mail.ataraxiadev.com" = {
webroot = "/var/lib/acme/acme-challenge"; webroot = "/var/lib/acme/acme-challenge";
@ -68,6 +69,10 @@ in {
hashedPasswordFile = config.secrets.mailserver-mitin.decrypted; hashedPasswordFile = config.secrets.mailserver-mitin.decrypted;
}; };
"authentik@ataraxiadev.com" = {
aliases = [ "authentik" ];
hashedPasswordFile = config.secrets.mailserver-authentik.decrypted;
};
"gitea@ataraxiadev.com" = { "gitea@ataraxiadev.com" = {
aliases = [ "gitea" ]; aliases = [ "gitea" ];
hashedPasswordFile = config.secrets.mailserver-gitea.decrypted; hashedPasswordFile = config.secrets.mailserver-gitea.decrypted;


@ -32,6 +32,7 @@
"joplin.ataraxiadev.com" "joplin.ataraxiadev.com"
"api.ataraxiadev.com" "api.ataraxiadev.com"
"fsync.ataraxiadev.com" "fsync.ataraxiadev.com"
"auth.ataraxiadev.com"
]; ];
}; };
}; };
@ -224,6 +225,12 @@
extraConfig = proxySettings; extraConfig = proxySettings;
}; };
} // default; } // default;
"auth.ataraxiadev.com" = {
locations."/" = {
proxyPass = "http://localhost:9000";
extraConfig = proxySettings;
};
} // default;
"api.ataraxiadev.com" = { "api.ataraxiadev.com" = {
locations."~ (\\.py|\\.sh)$" = with config.services; { locations."~ (\\.py|\\.sh)$" = with config.services; {
alias = "/srv/http/api.ataraxiadev.com"; alias = "/srv/http/api.ataraxiadev.com";
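Review bot: `proxyPass = "http://localhost:9000"` resolves a name that on a dual-stack host usually yields both `127.0.0.1` and `::1`, while the authentik pod in this commit publishes only `127.0.0.1:9000`; nginx can then try `::1` first and fall back only after a refused connection, leaving upstream errors in the log, so use the literal `proxyPass = "http://127.0.0.1:9000";` to match the port mapping. `proxySettings` is defined outside the hunk; presumably it sets the `X-Forwarded-*` headers and the WebSocket upgrade that authentik's web UI relies on behind a reverse proxy — worth confirming before relying on it for `auth.ataraxiadev.com`. The first hunk in this section only adds the hostname to a list and needs no change.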