diff --git a/flake.lock b/flake.lock index 942e58a..cd47d02 100644 --- a/flake.lock +++ b/flake.lock @@ -1384,12 +1384,12 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-oZvEsOQ8vT4Gq/IyMfDxZlv2ntum+qC+48boiOPam0Q=", - "path": "/nix/store/s073llq4dcg4xbk4n1xxl2nfymn7l1qy-source/home-manager", + "narHash": "sha256-swUtIf1jN3XSE4xExChj4M5rBWCSs08qqxXsJu1tZYs=", + "path": "/nix/store/ca6vv8mcphf40q3c4gbasl5fasz8yfrp-source/home-manager", "type": "path" }, "original": { - "path": "/nix/store/s073llq4dcg4xbk4n1xxl2nfymn7l1qy-source/home-manager", + "path": "/nix/store/ca6vv8mcphf40q3c4gbasl5fasz8yfrp-source/home-manager", "type": "path" } }, @@ -1947,11 +1947,11 @@ "locked": { "lastModified": 1, "narHash": "sha256-c5NG8DPgBUepMNi5yxYaIBPVUpgWseGBgfbIsdZtuD4=", - "path": "/nix/store/00kzxvzpbc1dj1l79zzzlbbqs3lr66yc-source/packages", + "path": "/nix/store/kxnjw6wlqhd0hx55p09q934dss8kibqy-source/packages", "type": "path" }, "original": { - "path": "/nix/store/00kzxvzpbc1dj1l79zzzlbbqs3lr66yc-source/packages", + "path": "/nix/store/kxnjw6wlqhd0hx55p09q934dss8kibqy-source/packages", "type": "path" } }, @@ -2051,11 +2051,11 @@ "locked": { "lastModified": 1, "narHash": "sha256-5gepalTSnDyC1WW11Gp75FAPeex5V9M0xOUn9amViyw=", - "path": "/nix/store/00kzxvzpbc1dj1l79zzzlbbqs3lr66yc-source/programs", + "path": "/nix/store/kxnjw6wlqhd0hx55p09q934dss8kibqy-source/programs", "type": "path" }, "original": { - "path": "/nix/store/00kzxvzpbc1dj1l79zzzlbbqs3lr66yc-source/programs", + "path": "/nix/store/kxnjw6wlqhd0hx55p09q934dss8kibqy-source/programs", "type": "path" } }, 
@@ -2066,11 +2066,11 @@ "locked": { "lastModified": 1, "narHash": "sha256-HAuZ9X84fuwUcit6NWUoJCjHj+29nST/YN6Rs8JQugY=", - "path": "/nix/store/lzi0acc70g9dvd7005816byna5gz6dba-source/programs", + "path": "/nix/store/as370h2x0j2sc1kblpczxnz12y331vvp-source/programs", "type": "path" }, "original": { - "path": "/nix/store/lzi0acc70g9dvd7005816byna5gz6dba-source/programs", + "path": "/nix/store/as370h2x0j2sc1kblpczxnz12y331vvp-source/programs", "type": "path" } }, @@ -2142,11 +2142,11 @@ "locked": { "lastModified": 1, "narHash": "sha256-0Ztx5DVQ2I7hvCK/qjGa4XTdRgbzM8rhf19m0al8lVM=", - "path": "/nix/store/lzi0acc70g9dvd7005816byna5gz6dba-source/services/sddm", + "path": "/nix/store/as370h2x0j2sc1kblpczxnz12y331vvp-source/services/sddm", "type": "path" }, "original": { - "path": "/nix/store/lzi0acc70g9dvd7005816byna5gz6dba-source/services/sddm", + "path": "/nix/store/as370h2x0j2sc1kblpczxnz12y331vvp-source/services/sddm", "type": "path" } }, @@ -2213,12 +2213,12 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-MWV/+CgMGyRUh1JT91p9icCSq/pwO77epMiVjog4N9w=", - "path": "/nix/store/s073llq4dcg4xbk4n1xxl2nfymn7l1qy-source/system-config", + "narHash": "sha256-xgFoEnuvAfEBKtdlx2ktqdbLy2jlQTTtRgowMz5yLZc=", + "path": "/nix/store/ca6vv8mcphf40q3c4gbasl5fasz8yfrp-source/system-config", "type": "path" }, "original": { - "path": "/nix/store/s073llq4dcg4xbk4n1xxl2nfymn7l1qy-source/system-config", + "path": "/nix/store/ca6vv8mcphf40q3c4gbasl5fasz8yfrp-source/system-config", "type": "path" } }, diff --git a/home-manager/impermanence/default.nix b/home-manager/impermanence/default.nix index ac9a9a7..f54524e 100644 --- a/home-manager/impermanence/default.nix +++ b/home-manager/impermanence/default.nix @@ -14,10 +14,10 @@ "Videos" ".ssh" ".local/share/zoxide" + ".config/sops" ]; files = [ ".zsh_history" - ".config/sops/age/keys.txt" ]; allowOther = true; }; 
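Review bot: Moving the age key from a `files` entry to a persisted `.config/sops` directory means the key is present only once home-manager's impermanence bind mount is up, which happens at the user's home-manager activation rather than at system activation; the system-level `sops.age.keyFile` in this same commit (`system-config/configuration/homebox/default.nix`, third hunk) points at this path, so if that ordering holds, system secrets may fail to decrypt on the first activation after a reboot. I'd put a comment above the new entry, `# bind-mounted at home-manager activation; the system sops config also reads its age key from here, so the key is absent until this mount exists`, or keep the system's key somewhere the system activation mounts itself. Whether the mount exists in time is inferred from the two files together, not something this hunk shows on its own.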
diff --git a/system-config/configuration/homebox/default.nix b/system-config/configuration/homebox/default.nix index 9f3bb03..8c616c9 100644 --- a/system-config/configuration/homebox/default.nix +++ b/system-config/configuration/homebox/default.nix @@ -19,7 +19,7 @@ ]; boot = { - kernelPackages = pkgs.linuxKernel.packages.linux_6_6; + #kernelPackages = pkgs.linuxKernel.packages.linux_6_6; loader = { systemd-boot.enable = true; efi.canTouchEfiVariables = true; @@ -177,7 +177,6 @@ "/var/lib/nixos" "/var/lib/systemd/coredump" "/etc/NetworkManager/system-connections" - { directory = "/var/lib/sops"; user = "root"; group = "root"; mode = "u=rwx,g=,o="; } ]; files = [ "/etc/machine-id" @@ -189,7 +188,7 @@ }; sops = { - age.keyFile = "/var/lib/sops/age/keys.txt"; + age.keyFile = "/home/nathan/.config/sops/age/keys.txt"; defaultSopsFile = ./secrets/secrets.yaml; defaultSopsFormat = "yaml"; diff --git a/system-config/configuration/homebox/secrets/secrets.yaml b/system-config/configuration/homebox/secrets/secrets.yaml index 78f6a01..6d29a10 100644 --- a/system-config/configuration/homebox/secrets/secrets.yaml +++ b/system-config/configuration/homebox/secrets/secrets.yaml 
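Review bot: The third hunk moves the system-level age key from `/var/lib/sops`, which the second hunk stops persisting with its explicit root-only `mode = "u=rwx,g=,o="`, to `/home/nathan/.config/sops/age/keys.txt`, a location the user controls; anything running as that user can then read or replace the key that decrypts every entry in `secrets.yaml`, whereas before only root could. If sharing one key between the user and the system is the intent, I'd keep a root-owned copy under `/var/lib/sops` for the system config, or at least record the trust assumption next to the line: `# age key lives in nathan's home; system secrets are readable and replaceable by that user`. The first hunk comments out `kernelPackages` without saying why; a one-line reason, or removing the line, keeps the config from accumulating dead settings. The ownership and mode of the key at the new path are not visible here, so the readability claim is something to confirm rather than a certainty.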
@@ -1,8 +1,8 @@ nathan: - pass: ENC[AES256_GCM,data:5WAG/VcfXbfvVN9mdE3gHJXSVvHAy+2a5g4XKluhrfYTpizANZc7Sr7e6R8ZIdeBrZ7GcUuzF4LXd8msnRAz8XynppOB1REA4w==,iv:4Tze5zKi8+MMozM10fC4YH36mT68+uazUyi5gye1J3E=,tag:PHvMrXnHAtKx03e99KhzlA==,type:str] + pass: ENC[AES256_GCM,data:fgq/Pg==,iv:7tPeflj275zSmu0SL0Hs6dUNOn1VnbwCnkEjGhvc4WI=,tag:qFHlS2+79OD6hXXre8MStA==,type:int] authentik: - pass: ENC[AES256_GCM,data:uHFfToRhvBQJ099y0GX+qokb,iv:mjcxR7VEJ3QXAtDgjwCuqiHQIsvsDQJ9w+jbxYgsnOk=,tag:hLthVkVrYep4J/LMhwdFEA==,type:str] - secret_key: ENC[AES256_GCM,data:e3mDbpVYhmt83Gshw7MMf70ttosBaUkncmsUPRwkKHFVkPLUA63Xkhv6MqlFE8YT,iv:3tmucDXhXBVlgNtyATGPqvDfDqDVwVb0JZP5gr9XsiY=,tag:Nvn9JpHHPFYYYTIZbyhqww==,type:str] + pass: ENC[AES256_GCM,data:/BrPbw==,iv:YSn7RT4MVuNr58fQklnB4D0wul1/wzTrOMC3EpTLUe8=,tag:+0nSzvvOMaL91U0gPxMKVA==,type:int] + secret_key: ENC[AES256_GCM,data:WQyWXA==,iv:zNK/PP/PrGFLzhgKp6TSI5jmi7jPub1V57QAwDPXpYc=,tag:9rwrPht6rMV2ArBEiahdeA==,type:int] sops: kms: [] gcp_kms: [] 
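Review bot: The three re-encrypted values now carry `type:int` and a 4-byte ciphertext (`data:fgq/Pg==`, `data:/BrPbw==`, `data:WQyWXA==`); AES-GCM does not pad, so each plaintext is four bytes, and sops records `int` when the YAML scalar was unquoted and numeric. For `authentik.secret_key` that cannot be real key material, and for the two `pass` entries it reads like placeholders left over from testing; whatever consumes these via `sops.secrets` will also receive a number rather than a string. Before the next re-encryption, quote the values (`pass: "…"`) so sops stores `type:str`, and replace them with the intended secret material. The intended values are of course not visible here, so this is inferred from the lengths and types alone.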
@@ -12,14 +12,14 @@ sops: - recipient: age1xkwq2edchgu3taf2tlvraajxmgymn4vxtnpvl6ywlsswtqcp5sfswv2gzt enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByZitXYWtDM1BXTk9nZjg4 - ejk2T3YvM0lCMFExekZzWFppZjQ4SWQ0M3kwCi9ZODdsSkJtSkNjdVlUOVJONkRs - Ym03WEVyUXVwWFpVcGcvZTRNc011bFEKLS0tIE43NG1oRFVNSmxhbUhXZ2hRdE9S - cCtyYlEzMm9QeHlHOWo0L0xObXp5c2MKfzoTSt0hI94QaxQsKKOpX7gQcZNtB7zd - WgeBgTwOE30vcIQr/k7a9q77l2bDYe6i71R79YHsKvsFc+7i3gL46g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxWHRKZzFwVVAxLy9abXRp + bVdhWHAwMWJHc1JCYjZYSHVBdElrNm5LdGc0Cmd1bkRyNmJ2ajErY1NMdy9jbWU1 + Yk9aTGcvWG95S3RObnJLK29pNjc2cWcKLS0tIGFxUmJHTlI1NnE3ME9xSG1MR0RM + RUFKOFg4K3E1U0N1anB2T0xwVjZFWE0KUd1r5UEfU65BQC+CQluv4bEVJtvyInbC + 4md91ioGG2teo/Pspu0jPS/tWKuxF5hhOuPC89lc8g6mXd2E7bNOrA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-03T17:40:51Z" - mac: ENC[AES256_GCM,data:H3Sxgme+nSymKRqNu3aTyqUiJFMNSMKSJ02e/RnhhWSKwNPjKrN1+50sd9WxeC+klUTnOqV8vfKFkFBM9XSlBiDQ1qHrqX41YoLZpm/CcKEtQy6ka/c8pxyZbIuDrTLpjZG3egSxnUbxi/Bh/NllSDMDGd7wEiCYCf3uD7vjM+c=,iv:npyXmtN617+iSpYOUD2FjbifEPobwuyKvmPB8Vu5tmU=,tag:COhuis9QbG2qAgfCDEcTfg==,type:str] + lastmodified: "2024-11-10T04:22:11Z" + mac: ENC[AES256_GCM,data:XYiWRH//uZ+pLrZFT4CV9PKmkYcGheJf2rWmXVWpXv4pNBkkopnpq3uZNQIPLzstF0x/VzIJJIXywUCyd/6AIneNztg7yqDmLW/2vy6q65PPfse0qQoEREXDpmt3B8J5g/f85QiV4fttzO0LtF1Dj77ynvHupoh/Sag5CDLYhWE=,iv:fUr4RSqpvm8TCaAeHlo0nJ9CqbIHK2FkDlTAafkxf20=,tag:FBZrvWD7hXifKx6Be1m04g==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/system-config/services/containers/authentik/arion-compose.nix b/system-config/services/containers/authentik/arion-compose.nix index f58573e..e3a4d0c 100644 --- a/system-config/services/containers/authentik/arion-compose.nix +++ b/system-config/services/containers/authentik/arion-compose.nix 
@@ -2,46 +2,96 @@ project.name = "authentik"; - services = { + services = let + authentik_img = "ghcr.io/goauthentik/server:2024.2.2"; + in { - postgres.service = { - image = ""; - restart = ""; - command = ""; - volumes = []; - healthcheck = {}; - user = ""; - env_file = ""; + postgresql.service = { + image = "docker.io/library/postgres:12-alpine"; + restart = "unless-stopped"; + #command = ""; + volumes = [ + "/ssd1/Authentik/data/postgres:/var/lib/postgresql/data" + "/ssd1/Authentik/data/postgres.env:/etc/postgres/postgres.env" + ]; + healthcheck = { + test = [ "CMD-SHELL" "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}" ]; + start_period = "20s"; + interval = "30s"; + retries = 5; + timeout = "5s"; + }; + environment = [ + "POSTGRES_PASSWORD=$${POSTGRES_PASSWORD}" + "POSTGRES_USER=$${POSTGRES_USER}" + "POSTGRES_DB=$${POSTGRES_DB}" + ]; + env_file = "/etc/postgres/postgres.env"; + networks = [ "backend" ]; }; redis.service = { - image = ""; - restart = ""; - command = ""; - volumes = []; - healthcheck = {}; - user = ""; - env_file = ""; + image = "docker.io/library/redis:alpine"; + restart = "unless-stopped"; + command = "--save 60 1 --loglevel warning"; + volumes = [ + "/ssd1/Authentik/data/redis:/data" + ]; + healthcheck = { + test = [ "CMD-SHELL" "redis-cli ping | grep PONG" ]; + start_period = "20s"; + interval = "30s"; + retries = 5; + timeout = "3s"; + }; + #user = "authentik"; + #env_file = ""; + networks = [ "backend" ]; }; server.service = { - image = ""; - restart = ""; - command = ""; - volumes = []; - healthcheck = {}; - user = ""; - env_file = ""; + image = authentik_img; + restart = "unless-stopped"; + command = "server"; + volumes = [ + "/ssd1/Authentik/data/authentik.env:/etc/authentik/authentik.env" + ]; + environment = [ + "AUTHENTIK_REDIS__HOST=redis" + "AUTHENTIK_POSTGRESQL__HOST=postgresql" + "AUTHENTIK_POSTGRESQL__USER=$${POSTGRES_USER}" + "AUTHENTIK_POSTGRESQL__NAME=$${POSTGRES_DB}" + 
"AUTHENTIK_POSTGRESQL__PASSWORD=$${POSTGRES_PASSWORD}" + "AUTHENTIK_ERROR_REPORTING__ENABLED=true" + "AUTHENTIK_SECRET_KEY=$${AUTHENTIK_SECRET_KEY}" + ]; + depends_on = [ "postgresql" "redis" ]; + #user = ""; + env_file = "/etc/authentik/authentik.env"; + networks = [ "backend" "frontend" ]; }; worker.service = { - image = ""; - restart = ""; - command = ""; - volumes = []; + image = authentik_img; + restart = "unless-stopped"; + command = "worker"; + volumes = [ + "/ssd1/Authentik/data/authentik.env:/root/authentik.env" + ]; + depends_on = [ "postgresql" "redis" ]; healthcheck = {}; - user = ""; - env_file = ""; + user = "root"; + env_file = "/root/authentik.env"; + networks = [ "backend" ]; + }; + }; + + networks = { + backend = { + name = "backend"; + }; + frontend = { + name = "frontend"; }; }; }
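Review bot: In the `postgresql` service the `environment` list sets `POSTGRES_PASSWORD=$${POSTGRES_PASSWORD}` (and `USER`/`DB` likewise) while `env_file` supplies the same names; compose gives `environment` precedence over `env_file` and treats `$$` as the escape for a literal `$`, so as far as I can tell, assuming Nix passes `$$` through unchanged, the container receives the literal string `${POSTGRES_PASSWORD}` as its password instead of the value from the file, and the `server` service's `AUTHENTIK_POSTGRESQL__*` entries have the same problem. If the env file already carries the `POSTGRES_*` names, dropping the three `environment` lines fixes `postgresql`; for `server`, the mapping to `AUTHENTIK_POSTGRESQL__USER/NAME/PASSWORD` needs to be written into the env file itself rather than done by interpolation, since nothing expands `${…}` inside a compose `environment` value. Separately, `worker` runs with `user = "root"`, an empty `healthcheck = {}`, and its env file mounted under `/root`, unlike `server`; if that asymmetry is deliberate, a one-line comment on the `user = "root";` line saying why will keep it from being "fixed" later. `AUTHENTIK_ERROR_REPORTING__ENABLED=true` opts the server into sending error reports off-host, which is worth a comment since it is not the default.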