From c2bcc51aecfead11b321d454399c5961ae22fb61 Mon Sep 17 00:00:00 2001 From: Dmitriy Kholkin Date: Tue, 8 Jul 2025 20:08:11 +0300 Subject: [PATCH] feat: add authentik service --- hosts/orion/default.nix | 1 + modules/nixos/services/authentik.nix | 56 ++++++++++++++++++++++++++++ overlays/default.nix | 5 +-- secrets/orion/authentik.yaml | 29 ++++++++++++++ 4 files changed, 88 insertions(+), 3 deletions(-) create mode 100644 modules/nixos/services/authentik.nix create mode 100644 secrets/orion/authentik.yaml diff --git a/hosts/orion/default.nix b/hosts/orion/default.nix index d906c65..23f09f0 100644 --- a/hosts/orion/default.nix +++ b/hosts/orion/default.nix @@ -104,6 +104,7 @@ ataraxia.containers.tinyproxy.enable = true; ataraxia.security.acme.enable = true; + ataraxia.services.authentik.enable = true; ataraxia.services.vaultwarden.enable = true; ataraxia.virtualisation.guests = { diff --git a/modules/nixos/services/authentik.nix b/modules/nixos/services/authentik.nix new file mode 100644 index 0000000..527b02e --- /dev/null +++ b/modules/nixos/services/authentik.nix 
@@ -0,0 +1,56 @@
+{
+  config,
+  lib,
+  inputs,
+  secretsDir,
+  ...
+}:
+let
+  inherit (lib) mkEnableOption mkIf mkOption;
+  inherit (lib.types) str;
+
+  cfg = config.ataraxia.services.authentik;
+in
+{
+  imports = [ inputs.ataraxiasjel-nur.nixosModules.authentik ];
+
+  options.ataraxia.services.authentik = {
+    enable = mkEnableOption "Enable authentik service";
+    sopsDir = mkOption {
+      type = str;
+      default = config.networking.hostName;
+      description = ''
+        Name for sops secrets directory. Defaults to hostname.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    sops.secrets.authentik-env.sopsFile = secretsDir + /${cfg.sopsDir}/authentik.yaml;
+    sops.secrets.authentik-ldap.sopsFile = secretsDir + /${cfg.sopsDir}/authentik.yaml;
+    sops.secrets.authentik-env.restartUnits = [
+      "authentik-server.service"
+      "authentik-worker.service"
+    ];
+    sops.secrets.authentik-ldap.restartUnits = [ "authentik-ldap-outpost.service" ];
+
+    backups.postgresql.authentik = { };
+
+    services.authentik = {
+      enable = true;
+      logLevel = "info";
+      listen.address = "127.0.0.1";
+      listen.http = 9000;
+      listen.https = 9443;
+      environmentFile = config.sops.secrets.authentik-env.path;
+      outposts.ldap = {
+        enable = true;
+        host = "https://auth.ataraxiadev.com";
+        environmentFile = config.sops.secrets.authentik-ldap.path;
+        listen.address = "127.0.0.1";
+        listen.ldap = 3389;
+        listen.ldaps = 6636;
+      };
+    };
+  };
+}
diff --git a/overlays/default.nix b/overlays/default.nix
index 39972d3..7df5c03 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
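Review bot: The LDAP outpost is pointed at the public name, `host = "https://auth.ataraxiadev.com"`, while the server it must register with listens only on `127.0.0.1` ports 9000/9443, so the outpost's API traffic goes out through whatever reverse proxy, DNS record and ACME certificate front that name, none of which this commit declares; if that proxy lives elsewhere in the repo, a comment such as `# outpost reaches the API via the public vhost (proxy configured in the host module), not the loopback listener` would spare the next reader the hunt, and an explicit ordering so `authentik-ldap-outpost.service` starts after the proxy may be needed to avoid a failed first connect at boot. The two sops secrets keep sops-nix's default owner and mode, which is correct only if the units read them as root (for example via `EnvironmentFile=`); presumably the imported NUR module does that, but it is worth confirming rather than assuming. A short header comment listing which variables `authentik-env` and `authentik-ldap` are expected to carry would also make the encrypted secrets file self-describing, since nothing in the module says what goes in them.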
@@ -9,9 +9,8 @@ let
   };
 in
 {
-  # attic-client = inputs.attic.packages.${system}.attic;
-  # attic-server = inputs.attic.packages.${system}.attic-server;
-  # cassowary-py = inputs.cassowary.packages.${system}.cassowary;
+  authentik = unstable.authentik;
+  authentik-outposts = unstable.authentik-outposts;
   hyprlandUnstable = unstable.hyprland;
   hyprlandPortalUnstable = unstable.xdg-desktop-portal-hyprland;
   intel-vaapi-driver = prev.intel-vaapi-driver.override { enableHybridCodec = true; };
diff --git a/secrets/orion/authentik.yaml b/secrets/orion/authentik.yaml
new file mode 100644
index 0000000..54a5e10
--- /dev/null
+++ b/secrets/orion/authentik.yaml
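Review bot: The two new overlay entries silently replace `authentik` and `authentik-outposts` with the `unstable` input's builds, with nothing recording why, so the identity provider's version now floats with that input independently of the other packages and anyone bumping `unstable` for an unrelated reason also upgrades the IdP. A one-line comment above them, such as `# authentik/authentik-outposts: taken from unstable so the NUR module gets current releases; bumping the unstable input upgrades the IdP`, would make that coupling visible. The enclosing attribute set is closed outside the hunk.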
@@ -0,0 +1,29 @@ +authentik-docker-env: ENC[AES256_GCM,data:gQgij38e/InGVurVfXNkLTWuydSKu0InOXBooltqu7hpctm1noSGFXtfT2dgXcmftTXPzDx3Mah5zqAHXeygv4gWqnTaCXIw9IKmsz4V0VeycfUVzdtli2oo5Dyf1lyJHzSrxWVuatdQYafVQomIHswKHqSMIGg0LE7HR1HHDoPm57v8JMEbMGaw4PQ7cIasRPYwTQyzqiLAlohXpyovYlVd7yUZZQNWSozlD8mFwVaKPDEmnSfzEBxYMwnzY3d8MtHaI+S/kGKWcKBDQ58WXuLysjuIu7bgRiHnvbz/aUlKiF7r4deaIX4tWZsOarjYliSTBraZEHbFqO00viRISX1IBP4BVD7N1QsuczMk9MILWy5NZzUVT73MK2Y9WY4A3TYofdxjjSBnhXQnwfZlm3IY5cJxAVLjVXIUqMaQ+GHiJsnxdl9qVvvsJ/hadYgTpf+JZ9G4X6hE84/2vFrXItY/5VRyh1Hv4Z43wsCALw6pzWJcp8HbzkbyAJpROFXD9XPm28ocAEmc92mu0X4a3vevJq2cfvHTAYb5Gwyo868G/DZdgIq9MPpK3ZBGUtJnacIS5jtYowf9TncGpRSkxC0iUCwbl/aY02o9cfEuYhJK57e7o0N3oVxKhP3aelgrpq5sdy6QBNAc4IgTJwUucwTpqFSj4z7TDSIjtLA4BTlSEfwTRFVuF7VAakhoeSkW8YvHRaZB+Dq/2P3nLpFbPAjqW7XthlDypQ5ADRWBFfj9BzMbf+Kcd4rtO9bTtnyZPzpkbsbuWkF/I0NWeAlc7ozW3O37+n4Flt42fuHg2Vh0ncV7MSk6vETVBvtV04JSr65bBqhuKhBrGV7UHTHQAov3gyML3Gica0ZCcJvK9lKGaX+hEYaB0nb9qmtCQc4JKxGwboG5Lo59tIYGN3yPNf0QtiAMFWzZ8sTL1b2pV1NKIgoMtrx7l5dga2Mng4bhUIkLii0H/bqeY6qD/a2PV2B7zU3EInoK9UjieOGM6DaGJXcbj/JPJKMg23ZR/wbNM2LE59U8IomuXeJ+vRlRpZvxn9148qwJcF+DlgZlVFdGBnyUucLHZMZogtmcfe48QGYv5oKdBk2ZOVnvSxodiw1jPWgLmRATnWK4zaqBXlnMsoNZGyp57pYpTpaklulXy1kUwooMGyJo7TEOQj4zzgEjII5mrA6xb73Sg1qGIbSHyqMvg2f+CWgWPgwrlwug+6IepQHgPeIaukSIuDzhq5SJLZpBig+b4qNuVwUqtuWeoW1V2H/iaNojLsizcGVgiIlTnOU16mpn40G5tbpmsZLjSJnDhrPScz2kn1kA6mDjNmZ7s4s7ouAGxFpL3A==,iv:RoNU+sz4ibBnCZEwhrZOCZ8L2f4AKlA2HDkjGOd75HU=,tag:GmXqPgen7ZJ/hVqQhO+DbQ==,type:str] +authentik-docker-ldap: ENC[AES256_GCM,data:Ex6g0F9krdKj1Zn4V6oafV7PXrkdIHYsh6z287yEDkJdUUsz73QXKYjMIyF6AhoDFtOCPqmEB7J6qFxCzQjJsHYDbDT/pDHjJMpmnA==,iv:DrifVWgEak8Pd7V50UOnEs6lVH3+LhSNDmZ6z4QMS14=,tag:snAy/ebpo1yyHGmy9l12Ww==,type:str] +authentik-env: 
ENC[AES256_GCM,data:G2/zs34u73Iyob0ZBV2xRh6sAbr9LgvXeupfQeg7UhafEfFe9Izki7ig8ZzFwaoWMeewWvF2/LOlegK5n05D6CnDL0hMBCbRiGEd2df3zHLT0lbN5jbZ9mNw+p13+qT5lm3paV26PCsvERGQNQLJ8+SHrgB6S847fHqWANmQJRoiA2LFPWNj2VJfn2By1ZyH/JtQPERNuLGZJCz6PgecC4qM88+Rubqw3Jj9ebw3xvQFqAt1rhD08xSO6yFSBQRG0SxDmhX2L7dI2mm4CQl9LIA5dTF3tw/nqlVby5j2TqrfICoP87eunifcus16TNRHjDdpfKpWBpFuROoiBdzCRakkORcNzDegyNb9UI0hsklnT9c01b9vC75Jrmv6fcZFRbw7diwcs85Ty6aHKZAANhShYHx5TmO+SFIR2lZpXPpXQgJuXNz8EDYyflZfIBagwpD5G7NawDeGFrnqd7ioJqO/yoAQNaF5b8z5Fdw6xpwWCCmJ7MHUkIioHE8/82egi5d2lBPM+BHiMvTyi0jC1AwrL0cD+efdG19/vkEk2Vdvx4EQb+JaAzQeSYpcl4r78s9IWTEberibWi6dfu9bf+Wf4RZ3XA9x7ij2fK2VP+C1rbwsx35SWFME+XouBMYdnfZINKl4lEqawfilbTjfqNBrZMVarWBEnQ579q9MPuXWH1TAIoWXZnZkFJIZRmotXzO84/NSNSkcyeMZPqmASD2Wi5oS+szb+iPf5w1N1LLmj407lEo8zcQrc63Du77d4KRl+ClrHCGIkcE4wENn1PZO8pBtqke+d/OGJ2xf4n2FTa7ShwBWG6vfwD3JFswv/uFrIjlcwviRVakK3taRFdPrWacMACyDLlOVFWsXUJRE+QZUvcF+F6NgKI2OoEObg0TpIepBFafg09P+9t8iHhFB1/7JUdefLUQrP6mNecUoJdJHV12r5DGN0GfeFiUijXCXAwRQvskYMEHxCaL+a3WL4zVoKhxiE+c+N8rQeneypnSvOFgQZLe3GpzrGpuyT2scw89WbEkequ54xbKnKOjNQiNcXuIvofTn4l8sWaK6JPLltZzvbCH3L3NLOIcadkvLxH2Mprp0FKUb,iv:/fR2FJan/QRCKLKBaPdagcfMD4xsaezZAXHIYmwZ484=,tag:1u/EXA+4KdsVrchKUMY41A==,type:str] +authentik-ldap: ENC[AES256_GCM,data:trkAbd1/delgSdV2nvPjbDV4fK0Eeu0X3c8xGYFIotHhPrYqZeBlgh9m6W1dEBeH/DOqPDlc6hqwGCE7D39Ael/WV5dgQepzB+7eYQ==,iv:dNGa2YW2nm21lLuX0efxYO8TLyi6Or4IOID0Zvl3neQ=,tag:wBDWNxeuahiNw+vupGNPqw==,type:str] +sops: + shamir_threshold: 1 + age: + - recipient: age13phpsegg6vu7a34ydtfa9s904dfpgzqhzru7epnky7glezk0xvkst9qh6h + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1cnFSMTlTbnBucXVsN2Zv + Nms5RklOaGgrZjlJMmlNTkRvV3o4NVZPb21FCmdNdGJKangxanlOczRZam5DMTVN + ZGdqbVJhNGRVMDVYcmhpNTBxSmJQdmsKLS0tIE1tRnNONVM2UXBJUyt6bWE5NmpK + MkpvTjFpQ0JLK3ZUaUJGdWpZRFNsUXMKn8ImvsqI9EiVxTx34VTp8l4zJp2pawGy + 817OEdp9spuDG6AyoxrDjpsbZ0R/9kQ1W/Y9nJNNRrvMuIijw1FO0g== + -----END AGE ENCRYPTED FILE----- + - recipient: 
age1m5msm7rgqye2q9zesgedg0emga4ntehlr629786lrxs3rhk0squq0ly9je + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPbTErSzVzYlRadkRFT05V + ZXNRY1JIN2t2dGFIQ3lDV0hVYmdBWEYvazFFCmlid3ZGTzV4Y2NhOU5IVTF2QUFY + MTFWV1pGSk9DRDg5K1lCVVRaUUlEa3MKLS0tIGFhSjdieEtCQXRCVVpTekNISXR4 + MW9UdVRKWUF6S3BZLzJ0QkhHbUpSc0kK3M8rkSRq1zo3TvlTf7erJc3RjamW+81D + GIKKOybcRBCJQ+SqFoyF97aaa3QVlDXEU1rvpoP+p88NAt7ERJXvsw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-01-24T16:13:04Z" + mac: ENC[AES256_GCM,data:OKANPvWhQCG/iFwc2zWVnaQ2799ai8l40styj60kpWB1Id7ccLomPCvzMMtZS/tCrp9HxrbYkN/9GgRnMrMoNvp2QtL19c4pmN2V9VKrEklm77UMeN5KEOemk5Iiqnjk6LF3mPuRa5nFTSwoLSsYPZ1v+vX7oob7WlhR57WAb+g=,iv:2waLQWzcqXT/9NN1rkaoc1Ym2qziGVOgRhc2nvDtMCI=,tag:ayzPdyGxts/02kIyayDPpQ==,type:str] + unencrypted_suffix: _unencrypted + version: 3.8.1
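Review bot: The new secrets file carries `authentik-docker-env` and `authentik-docker-ldap` entries that `modules/nixos/services/authentik.nix` never references (the module reads only `authentik-env` and `authentik-ldap`), and its `lastmodified` is `2024-01-24T16:13:04Z`, well before this commit, so the material looks migrated from an earlier deployment rather than created for this one. Dropping the two unreferenced entries (re-encrypting the file updates the `mac`) keeps the file to exactly what the module consumes, and if the retained values were also used by that earlier setup, regenerating them before this host goes live would be a reasonable precaution. A comment in the module naming which keys this file must provide would also help, since the encrypted file cannot document itself.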