AtaraxiaDev/nixos-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

feat: add authentik service

Browse Source
This commit is contained in:
Dmitriy Kholkin 2025-07-08 20:08:11 +03:00
parent 54d5d760d2
commit c2bcc51aec
Signed by: AtaraxiaDev
GPG Key ID: FD266B810DF48DF2
4 changed files with 88 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
hosts/orion/default.nix
View File

@ -104,6 +104,7 @@
ataraxia.containers.tinyproxy.enable = true;
ataraxia.security.acme.enable = true;
ataraxia.services.authentik.enable = true;
ataraxia.services.vaultwarden.enable = true;
ataraxia.virtualisation.guests = {

56
modules/nixos/services/authentik.nix Normal file
View File

@ -0,0 +1,56 @@
{
config,
lib,
inputs,
secretsDir,
...
}:
let
inherit (lib) mkEnableOption mkIf mkOption;
inherit (lib.types) str;
cfg = config.ataraxia.services.authentik;
in
{
imports = [ inputs.ataraxiasjel-nur.nixosModules.authentik ];
options.ataraxia.services.authentik = {
enable = mkEnableOption "Enable authentik service";
sopsDir = mkOption {
type = str;
default = config.networking.hostName;
description = ''
Name for sops secrets directory. Defaults to hostname.
'';
};
};
config = mkIf cfg.enable {
sops.secrets.authentik-env.sopsFile = secretsDir + /${cfg.sopsDir}/authentik.yaml;
sops.secrets.authentik-ldap.sopsFile = secretsDir + /${cfg.sopsDir}/authentik.yaml;
sops.secrets.authentik-env.restartUnits = [
"authentik-server.service"
"authentik-worker.service"
];
sops.secrets.authentik-ldap.restartUnits = [ "authentik-ldap-outpost.service" ];
backups.postgresql.authentik = { };
services.authentik = {
enable = true;
logLevel = "info";
listen.address = "127.0.0.1";
listen.http = 9000;
listen.https = 9443;
environmentFile = config.sops.secrets.authentik-env.path;
outposts.ldap = {
enable = true;
host = "https://auth.ataraxiadev.com";
environmentFile = config.sops.secrets.authentik-ldap.path;
listen.address = "127.0.0.1";
listen.ldap = 3389;
listen.ldaps = 6636;
};
};
};
}

5
overlays/default.nix
View File

@ -9,9 +9,8 @@ let
};
in
{
# attic-client = inputs.attic.packages.${system}.attic;
# attic-server = inputs.attic.packages.${system}.attic-server;
# cassowary-py = inputs.cassowary.packages.${system}.cassowary;
authentik = unstable.authentik;
authentik-outposts = unstable.authentik-outposts;
hyprlandUnstable = unstable.hyprland;
hyprlandPortalUnstable = unstable.xdg-desktop-portal-hyprland;
intel-vaapi-driver = prev.intel-vaapi-driver.override { enableHybridCodec = true; };

29
secrets/orion/authentik.yaml Normal file
View File

@ -0,0 +1,29 @@
authentik-docker-env: ENC[AES256_GCM,data:gQgij38e/InGVurVfXNkLTWuydSKu0InOXBooltqu7hpctm1noSGFXtfT2dgXcmftTXPzDx3Mah5zqAHXeygv4gWqnTaCXIw9IKmsz4V0VeycfUVzdtli2oo5Dyf1lyJHzSrxWVuatdQYafVQomIHswKHqSMIGg0LE7HR1HHDoPm57v8JMEbMGaw4PQ7cIasRPYwTQyzqiLAlohXpyovYlVd7yUZZQNWSozlD8mFwVaKPDEmnSfzEBxYMwnzY3d8MtHaI+S/kGKWcKBDQ58WXuLysjuIu7bgRiHnvbz/aUlKiF7r4deaIX4tWZsOarjYliSTBraZEHbFqO00viRISX1IBP4BVD7N1QsuczMk9MILWy5NZzUVT73MK2Y9WY4A3TYofdxjjSBnhXQnwfZlm3IY5cJxAVLjVXIUqMaQ+GHiJsnxdl9qVvvsJ/hadYgTpf+JZ9G4X6hE84/2vFrXItY/5VRyh1Hv4Z43wsCALw6pzWJcp8HbzkbyAJpROFXD9XPm28ocAEmc92mu0X4a3vevJq2cfvHTAYb5Gwyo868G/DZdgIq9MPpK3ZBGUtJnacIS5jtYowf9TncGpRSkxC0iUCwbl/aY02o9cfEuYhJK57e7o0N3oVxKhP3aelgrpq5sdy6QBNAc4IgTJwUucwTpqFSj4z7TDSIjtLA4BTlSEfwTRFVuF7VAakhoeSkW8YvHRaZB+Dq/2P3nLpFbPAjqW7XthlDypQ5ADRWBFfj9BzMbf+Kcd4rtO9bTtnyZPzpkbsbuWkF/I0NWeAlc7ozW3O37+n4Flt42fuHg2Vh0ncV7MSk6vETVBvtV04JSr65bBqhuKhBrGV7UHTHQAov3gyML3Gica0ZCcJvK9lKGaX+hEYaB0nb9qmtCQc4JKxGwboG5Lo59tIYGN3yPNf0QtiAMFWzZ8sTL1b2pV1NKIgoMtrx7l5dga2Mng4bhUIkLii0H/bqeY6qD/a2PV2B7zU3EInoK9UjieOGM6DaGJXcbj/JPJKMg23ZR/wbNM2LE59U8IomuXeJ+vRlRpZvxn9148qwJcF+DlgZlVFdGBnyUucLHZMZogtmcfe48QGYv5oKdBk2ZOVnvSxodiw1jPWgLmRATnWK4zaqBXlnMsoNZGyp57pYpTpaklulXy1kUwooMGyJo7TEOQj4zzgEjII5mrA6xb73Sg1qGIbSHyqMvg2f+CWgWPgwrlwug+6IepQHgPeIaukSIuDzhq5SJLZpBig+b4qNuVwUqtuWeoW1V2H/iaNojLsizcGVgiIlTnOU16mpn40G5tbpmsZLjSJnDhrPScz2kn1kA6mDjNmZ7s4s7ouAGxFpL3A==,iv:RoNU+sz4ibBnCZEwhrZOCZ8L2f4AKlA2HDkjGOd75HU=,tag:GmXqPgen7ZJ/hVqQhO+DbQ==,type:str]
authentik-docker-ldap: ENC[AES256_GCM,data:Ex6g0F9krdKj1Zn4V6oafV7PXrkdIHYsh6z287yEDkJdUUsz73QXKYjMIyF6AhoDFtOCPqmEB7J6qFxCzQjJsHYDbDT/pDHjJMpmnA==,iv:DrifVWgEak8Pd7V50UOnEs6lVH3+LhSNDmZ6z4QMS14=,tag:snAy/ebpo1yyHGmy9l12Ww==,type:str]
authentik-env: ENC[AES256_GCM,data:G2/zs34u73Iyob0ZBV2xRh6sAbr9LgvXeupfQeg7UhafEfFe9Izki7ig8ZzFwaoWMeewWvF2/LOlegK5n05D6CnDL0hMBCbRiGEd2df3zHLT0lbN5jbZ9mNw+p13+qT5lm3paV26PCsvERGQNQLJ8+SHrgB6S847fHqWANmQJRoiA2LFPWNj2VJfn2By1ZyH/JtQPERNuLGZJCz6PgecC4qM88+Rubqw3Jj9ebw3xvQFqAt1rhD08xSO6yFSBQRG0SxDmhX2L7dI2mm4CQl9LIA5dTF3tw/nqlVby5j2TqrfICoP87eunifcus16TNRHjDdpfKpWBpFuROoiBdzCRakkORcNzDegyNb9UI0hsklnT9c01b9vC75Jrmv6fcZFRbw7diwcs85Ty6aHKZAANhShYHx5TmO+SFIR2lZpXPpXQgJuXNz8EDYyflZfIBagwpD5G7NawDeGFrnqd7ioJqO/yoAQNaF5b8z5Fdw6xpwWCCmJ7MHUkIioHE8/82egi5d2lBPM+BHiMvTyi0jC1AwrL0cD+efdG19/vkEk2Vdvx4EQb+JaAzQeSYpcl4r78s9IWTEberibWi6dfu9bf+Wf4RZ3XA9x7ij2fK2VP+C1rbwsx35SWFME+XouBMYdnfZINKl4lEqawfilbTjfqNBrZMVarWBEnQ579q9MPuXWH1TAIoWXZnZkFJIZRmotXzO84/NSNSkcyeMZPqmASD2Wi5oS+szb+iPf5w1N1LLmj407lEo8zcQrc63Du77d4KRl+ClrHCGIkcE4wENn1PZO8pBtqke+d/OGJ2xf4n2FTa7ShwBWG6vfwD3JFswv/uFrIjlcwviRVakK3taRFdPrWacMACyDLlOVFWsXUJRE+QZUvcF+F6NgKI2OoEObg0TpIepBFafg09P+9t8iHhFB1/7JUdefLUQrP6mNecUoJdJHV12r5DGN0GfeFiUijXCXAwRQvskYMEHxCaL+a3WL4zVoKhxiE+c+N8rQeneypnSvOFgQZLe3GpzrGpuyT2scw89WbEkequ54xbKnKOjNQiNcXuIvofTn4l8sWaK6JPLltZzvbCH3L3NLOIcadkvLxH2Mprp0FKUb,iv:/fR2FJan/QRCKLKBaPdagcfMD4xsaezZAXHIYmwZ484=,tag:1u/EXA+4KdsVrchKUMY41A==,type:str]
authentik-ldap: ENC[AES256_GCM,data:trkAbd1/delgSdV2nvPjbDV4fK0Eeu0X3c8xGYFIotHhPrYqZeBlgh9m6W1dEBeH/DOqPDlc6hqwGCE7D39Ael/WV5dgQepzB+7eYQ==,iv:dNGa2YW2nm21lLuX0efxYO8TLyi6Or4IOID0Zvl3neQ=,tag:wBDWNxeuahiNw+vupGNPqw==,type:str]
sops:
shamir_threshold: 1
age:
- recipient: age13phpsegg6vu7a34ydtfa9s904dfpgzqhzru7epnky7glezk0xvkst9qh6h
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1cnFSMTlTbnBucXVsN2Zv
Nms5RklOaGgrZjlJMmlNTkRvV3o4NVZPb21FCmdNdGJKangxanlOczRZam5DMTVN
ZGdqbVJhNGRVMDVYcmhpNTBxSmJQdmsKLS0tIE1tRnNONVM2UXBJUyt6bWE5NmpK
MkpvTjFpQ0JLK3ZUaUJGdWpZRFNsUXMKn8ImvsqI9EiVxTx34VTp8l4zJp2pawGy
817OEdp9spuDG6AyoxrDjpsbZ0R/9kQ1W/Y9nJNNRrvMuIijw1FO0g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m5msm7rgqye2q9zesgedg0emga4ntehlr629786lrxs3rhk0squq0ly9je
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPbTErSzVzYlRadkRFT05V
ZXNRY1JIN2t2dGFIQ3lDV0hVYmdBWEYvazFFCmlid3ZGTzV4Y2NhOU5IVTF2QUFY
MTFWV1pGSk9DRDg5K1lCVVRaUUlEa3MKLS0tIGFhSjdieEtCQXRCVVpTekNISXR4
MW9UdVRKWUF6S3BZLzJ0QkhHbUpSc0kK3M8rkSRq1zo3TvlTf7erJc3RjamW+81D
GIKKOybcRBCJQ+SqFoyF97aaa3QVlDXEU1rvpoP+p88NAt7ERJXvsw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-24T16:13:04Z"
mac: ENC[AES256_GCM,data:OKANPvWhQCG/iFwc2zWVnaQ2799ai8l40styj60kpWB1Id7ccLomPCvzMMtZS/tCrp9HxrbYkN/9GgRnMrMoNvp2QtL19c4pmN2V9VKrEklm77UMeN5KEOemk5Iiqnjk6LF3mPuRa5nFTSwoLSsYPZ1v+vX7oob7WlhR57WAb+g=,iv:2waLQWzcqXT/9NN1rkaoc1Ym2qziGVOgRhc2nvDtMCI=,tag:ayzPdyGxts/02kIyayDPpQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.8.1