From d7875217bd96805aa3068da1294d9beb8f490e6e Mon Sep 17 00:00:00 2001
From: Nathan
Date: Tue, 27 Jan 2026 17:42:00 -0600
Subject: [PATCH] begin work on authentik again

---
 .../programs/terminal/opencode/default.nix | 2 +-
 .../docker/authentik/default.nix | 147 +++++++++++++++++-
 .../virtualization/docker/ollama/default.nix | 28 ++--
 .../virtualization/docker/pihole/default.nix | 26 ++--
 .../docker/portainer/default.nix | 28 ++--
 .../virtualization/docker/searxng/default.nix | 26 ++--
 6 files changed, 217 insertions(+), 40 deletions(-)

diff --git a/homes/nathan/home-manager/programs/terminal/opencode/default.nix b/homes/nathan/home-manager/programs/terminal/opencode/default.nix
index c6a3643..30efe98 100644
--- a/homes/nathan/home-manager/programs/terminal/opencode/default.nix
+++ b/homes/nathan/home-manager/programs/terminal/opencode/default.nix
@@ -12,7 +12,7 @@
 settings = {
 theme = "system";
- model = "ollama-local/llama3.2";
+ model = "ollama-remote/qwen3:8b";
 provider = {
 ollama-local = {
diff --git a/system/virtualization/docker/authentik/default.nix b/system/virtualization/docker/authentik/default.nix
index c157af7..8a37a28 100644
--- a/system/virtualization/docker/authentik/default.nix
+++ b/system/virtualization/docker/authentik/default.nix
@@ -1 +1,146 @@
-{ ... }: {}
+{ config, lib, ... }: let
+
+ hostPort = 9005;
+
+ subdomain = "auth2";
+
+ name = "authentik";
+
+in {
+
+ options.sysconfig.docker.authentik.enable = with lib; mkOption {
+ type = with types; bool;
+ default = false;
+ };
+
+ config = lib.mkIf (config.sysconfig.docker.authentik.enable && config.sysconfig.docker.enable) {
+
+ networking.firewall.interfaces = {
+ "ve-traefik" = {
+ allowedTCPPorts = [ hostPort ];
+ };
+ };
+
+/*
+ system.activationScripts.setupAuthentikNet = ''
+ ${pkgs.docker}/bin/docker network ls | grep docker-main ||
+ ${pkgs.docker}/bin/docker network create -d bridge docker-main \
+ --attachable --subnet 192.168.102.0/24 --ip-range 192.168.102.0/24 \
+ --gateway 192.168.102.1 \
+ -o "com.docker.network.bridge.name"="docker-main" \
+ -o "com.docker.network.bridge.trusted_host_interfaces"="wt0:ve-netbird:ve-traefik"
+ '';
+*/
+
+ sops.secrets = {
+ "authentik/pass" = {};
+ "authentik/secret_key" = {};
+ };
+
+ sops.templates."authentik.env" = {
+ content = ''
+ POSTGRES_DB=authentik-db
+ POSTGRES_USER=authentik-admin
+ POSTGRES_PASSWORD=${config.sops.placeholder."authentik/pass"}
+ AUTHENTIK_SECRET_KEY=${config.sops.placeholder."authentik/secret_key"}
+ AUTHENTIK_POSTGRESQL__NAME=authentik-db
+ AUTHENTIK_POSTGRESQL__USER=authentik-admin
+ AUTHENTIK_POSTGRESQL__PASSWORD=${config.sops.placeholder."authentik/pass"}
+ '';
+ };
+
+ virtualisation.oci-containers.containers.authentik-server = {
+ image = "ghcr.io/goauthentik/server:2025.12.1";
+
+ # unstable, waiting for 26.05
+ #pull = "newer";
+
+ hostname = "${subdomain}.esotericbytes.com";
+
+ networks = [
+ "docker-main"
+ ];
+
+ labels = {
+ "traefik.http.routers.${name}.entrypoints" = "localsecure";
+ "traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)";
+ "traefik.http.routers.${name}.service" = "${name}";
+ "traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
+
+ "traefik.http.services.${name}.loadbalancer.server.url" = "http://192.168.100.10:${builtins.toString hostPort}";
+ };
+
+ extraOptions = lib.mkIf config.sysconfig.docker.nvidia [
+ "--ip=192.168.101.8"
+ ];
+
+ ports = [
+ "${builtins.toString hostPort}:9000"
+ ];
+
+ volumes = [
+ ];
+
+ environment = {
+ };
+
+ environmentFiles = [ config.sops.templates."authentik.env".path ];
+ };
+
+ virtualisation.oci-containers.containers.authentik-worker = {
+ image = "ghcr.io/goauthentik/server:2025.12.1";
+
+ # unstable, waiting for 26.05
+ #pull = "newer";
+
+ hostname = "${subdomain}.esotericbytes.com";
+
+ networks = [
+ "docker-main"
+ ];
+
+ extraOptions = lib.mkIf config.sysconfig.docker.nvidia [
+ "--ip=192.168.101.9"
+ ];
+
+ ports = [
+ ];
+
+ volumes = [
+ ];
+
+ environment = {
+ };
+
+ environmentFiles = [ config.sops.templates."authentik.env".path ];
+ };
+
+ virtualisation.oci-containers.containers.authentik-db = {
+ image = "docker.io/library/postgres:16-alpine";
+
+ # unstable, waiting for 26.05
+ #pull = "newer";
+
+ hostname = "${subdomain}.esotericbytes.com";
+
+ networks = [
+ "docker-main"
+ ];
+
+ extraOptions = lib.mkIf config.sysconfig.docker.nvidia [
+ "--ip=192.168.101.10"
+ ];
+
+ ports = [
+ ];
+
+ volumes = [
+ ];
+
+ environment = {
+ };
+
+ environmentFiles = [ config.sops.templates."authentik.env".path ];
+ };
+ };
+}
diff --git a/system/virtualization/docker/ollama/default.nix b/system/virtualization/docker/ollama/default.nix
index 1c97cf5..d79c991 100644
--- a/system/virtualization/docker/ollama/default.nix
+++ b/system/virtualization/docker/ollama/default.nix
@@ -1,4 +1,12 @@
-{ config, lib, pkgs, ... }: {
+{ config, lib, pkgs, ... }: let
+
+ hostPort = 11434;
+
+ subdomain = "ollama";
+
+ name = "ollama";
+
+in {
 options.sysconfig.docker.ollama.enable = with lib; mkOption {
 type = with types; bool;
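Review bot: The server and worker containers get no `AUTHENTIK_POSTGRESQL__HOST` from `authentik.env`, so authentik will look for PostgreSQL at its built-in default (localhost inside the container) rather than at `authentik-db`, and neither container sets `cmd` even though the upstream image is normally started with `server` and `worker` respectively — both are presumably still to come given the commit message, but they block a first boot. A single env file is also shared by all three containers, which hands `AUTHENTIK_SECRET_KEY` to the postgres container that has no use for it; splitting the template into a db-only and an app-only file keeps the signing key scoped to the processes that need it. Finally, `authentik-db` has an empty `volumes` list, so the database lives in the container's writable layer and is lost whenever the container is recreated, and it inherits the server's `hostname`. The sketch below (the volume name is a constructed example; confirm that `authentik-db` resolves by container name on `docker-main`) shows one arrangement.
```nix
 sops.templates."authentik-db.env".content = ''
   POSTGRES_DB=authentik-db
   POSTGRES_USER=authentik-admin
   POSTGRES_PASSWORD=${config.sops.placeholder."authentik/pass"}
 '';

 sops.templates."authentik.env".content = ''
   AUTHENTIK_SECRET_KEY=${config.sops.placeholder."authentik/secret_key"}
   AUTHENTIK_POSTGRESQL__HOST=authentik-db
   AUTHENTIK_POSTGRESQL__NAME=authentik-db
   AUTHENTIK_POSTGRESQL__USER=authentik-admin
   AUTHENTIK_POSTGRESQL__PASSWORD=${config.sops.placeholder."authentik/pass"}
 '';

 virtualisation.oci-containers.containers.authentik-server = {
   cmd = [ "server" ];
   # … unchanged: image, hostname, networks, labels, extraOptions, ports …
   environmentFiles = [ config.sops.templates."authentik.env".path ];
 };

 virtualisation.oci-containers.containers.authentik-worker = {
   cmd = [ "worker" ];
   # … unchanged: image, hostname, networks, extraOptions …
   environmentFiles = [ config.sops.templates."authentik.env".path ];
 };

 virtualisation.oci-containers.containers.authentik-db = {
   # … unchanged: image, networks, extraOptions …
   volumes = [ "authentik-db-data:/var/lib/postgresql/data" ];
   environmentFiles = [ config.sops.templates."authentik-db.env".path ];
 };
```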
@@ -13,11 +21,11 @@
 networking.firewall.interfaces = {
 "ve-traefik" = {
- allowedTCPPorts = [ 11434 ];
+ allowedTCPPorts = [ hostPort ];
 };
 "ve-openwebui" = {
- allowedTCPPorts = [ 11434 ];
+ allowedTCPPorts = [ hostPort ];
 };
 };
@@ -27,14 +35,14 @@
 # unstable, waiting for 26.05
 #pull = "newer";
- hostname = "ollama.esotericbytes.com";
+ hostname = "${subdomain}.esotericbytes.com";
 networks = [
 "docker-main"
 ];
 ports = [
- "11434:11434"
+ "${builtins.toString hostPort}:11434"
 ];
 volumes = [
@@ -42,12 +50,12 @@
 ];
 labels = {
- "traefik.http.routers.ollama.entrypoints" = "localsecure";
- "traefik.http.routers.ollama.rule" = "Host(`ollama.esotericbytes.com`)";
- "traefik.http.routers.ollama.service" = "ollama";
- "traefik.http.routers.ollama.tls.certResolver" = "cloudflare";
+ "traefik.http.routers.${name}.entrypoints" = "localsecure";
+ "traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)";
+ "traefik.http.routers.${name}.service" = "${name}";
+ "traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
- "traefik.http.services.ollama.loadbalancer.server.url" = "http://192.168.100.10:11434";
+ "traefik.http.services.ollama.loadbalancer.server.url" = "http://192.168.100.10:${builtins.toString hostPort}";
 };
 extraOptions = lib.mkIf config.sysconfig.docker.nvidia [
diff --git a/system/virtualization/docker/pihole/default.nix b/system/virtualization/docker/pihole/default.nix
index 385c91f..fee4bb5 100644
--- a/system/virtualization/docker/pihole/default.nix
+++ b/system/virtualization/docker/pihole/default.nix
@@ -1,4 +1,12 @@
-{ config, lib, ... }: {
+{ config, lib, ... }: let
+
+ hostPort = 9001;
+
+ subdomain = "pihole";
+
+ name = "pihole";
+
+in {
 options.sysconfig.docker.pihole.enable = with lib; mkOption {
 type = with types; bool;
@@ -22,7 +30,7 @@
 networking.firewall.interfaces = {
 "ve-traefik" = {
- allowedTCPPorts = [ 9001 ];
+ allowedTCPPorts = [ hostPort ];
 };
 };
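Review bot: In the third ollama hunk the loadbalancer label key still hard-codes `ollama` while the router keys next to it switched to `${name}`, and the same refactor in the pihole, portainer and searxng files uses `${name}` for that key too. The router's `service` label resolves to `${name}`, so today the two agree only because `name` happens to equal the literal; renaming `name` later would silently point the router at a service that no longer exists. Suggested line: `"traefik.http.services.${name}.loadbalancer.server.url" = "http://192.168.100.10:${builtins.toString hostPort}";`.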
@@ -32,19 +40,19 @@
 # unstable, waiting for 26.05
 #pull = "newer";
- hostname = "pihole.esotericbytes.com";
+ hostname = "${subdomain}.esotericbytes.com";
 networks = [
 "docker-main"
 ];
 labels = {
- "traefik.http.routers.pihole.entrypoints" = "localsecure";
- "traefik.http.routers.pihole.rule" = "Host(`pihole.esotericbytes.com`)";
- "traefik.http.routers.pihole.service" = "pihole";
- "traefik.http.routers.pihole.tls.certResolver" = "cloudflare";
+ "traefik.http.routers.${name}.entrypoints" = "localsecure";
+ "traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)";
+ "traefik.http.routers.${name}.service" = "${name}";
+ "traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
- "traefik.http.services.pihole.loadbalancer.server.url" = "http://192.168.100.10:9001";
+ "traefik.http.services.${name}.loadbalancer.server.url" = "http://192.168.100.10:${builtins.toString hostPort}";
 };
 extraOptions = lib.mkIf config.sysconfig.docker.nvidia [
@@ -52,7 +60,7 @@
 ];
 ports = [
- "9001:80"
+ "${builtins.toString hostPort}:80"
 "127.0.0.1:53:53/tcp"
 "127.0.0.1:53:53/udp"
 ];
diff --git a/system/virtualization/docker/portainer/default.nix b/system/virtualization/docker/portainer/default.nix
index 3c28844..253ece2 100644
--- a/system/virtualization/docker/portainer/default.nix
+++ b/system/virtualization/docker/portainer/default.nix
@@ -1,4 +1,12 @@
-{ config, lib, ... }: {
+{ config, lib, ... }: let
+
+ hostPort = 9000;
+
+ subdomain = "portainer";
+
+ name = "portainer";
+
+in {
 options.sysconfig.docker.portainer.enable = with lib; mkOption {
 type = with types; bool;
@@ -9,7 +17,7 @@
 networking.firewall.interfaces = {
 "ve-traefik" = {
- allowedTCPPorts = [ 9000 ];
+ allowedTCPPorts = [ hostPort ];
 };
 };
@@ -19,28 +27,28 @@
 # unstable, waiting for 26.05
 #pull = "newer";
- hostname = "portainer.esotericbytes.com";
+ hostname = "${subdomain}.esotericbytes.com";
 networks = [
 "docker-main"
 ];
 labels = {
- "traefik.http.routers.portainer.entrypoints" = "localsecure";
- "traefik.http.routers.portainer.rule" = "Host(`prtnr.esotericbytes.com`)";
- "traefik.http.routers.portainer.service" = "portainer";
- "traefik.http.routers.portainer.tls.certResolver" = "cloudflare";
+ "traefik.http.routers.${name}.entrypoints" = "localsecure";
+ "traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)";
+ "traefik.http.routers.${name}.service" = "${name}";
+ "traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
- "traefik.http.services.portainer.loadbalancer.server.url" = "http://192.168.100.10:9000";
+ "traefik.http.services.${name}.loadbalancer.server.url" = "http://192.168.100.10:${builtins.toString hostPort}";
 };
-
+
 extraOptions = lib.mkIf config.sysconfig.docker.nvidia [
 "--ip=192.168.101.2"
 ];
 ports = [
 "127.0.0.1:8000:8000"
- "9000:9000"
+ "${builtins.toString hostPort}:9000"
 ];
 volumes = [
diff --git a/system/virtualization/docker/searxng/default.nix b/system/virtualization/docker/searxng/default.nix
index cda4c3f..32eaaf5 100644
--- a/system/virtualization/docker/searxng/default.nix
+++ b/system/virtualization/docker/searxng/default.nix
@@ -1,4 +1,12 @@
-{ config, lib, ... }: {
+{ config, lib, ... }: let
+
+ hostPort = 9002;
+
+ subdomain = "searxng";
+
+ name = "searxng";
+
+in {
 options.sysconfig.docker.searxng.enable = with lib; mkOption {
 type = with types; bool;
@@ -9,7 +17,7 @@
 networking.firewall.interfaces = {
 "ve-traefik" = {
- allowedTCPPorts = [ 9002 ];
+ allowedTCPPorts = [ hostPort ];
 };
 };
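Review bot: The portainer router rule is not a pure refactor: the old rule matched `Host(`prtnr.esotericbytes.com`)`, while the new `${subdomain}` form with `subdomain = "portainer"` (set in the first hunk of this file) matches `portainer.esotericbytes.com`, so existing links and DNS records for the old name stop routing and the `cloudflare` certResolver will issue a certificate for the new name on first hit. If the rename is unintended, `subdomain = "prtnr";` in the let block restores the previous behaviour; if it is intended, it deserves a mention in the commit message since the subject only describes authentik work. The same hunk also strips trailing whitespace from one blank line, which is fine.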
@@ -21,19 +29,19 @@
 # unstable, waiting for 26.05
 #pull = "newer";
- hostname = "searxng.esotericbytes.com";
+ hostname = "${subdomain}.esotericbytes.com";
 networks = [
 "docker-main"
 ];
 labels = {
- "traefik.http.routers.searxng.entrypoints" = "localsecure";
- "traefik.http.routers.searxng.rule" = "Host(`searxng.esotericbytes.com`)";
- "traefik.http.routers.searxng.service" = "searxng";
- "traefik.http.routers.searxng.tls.certResolver" = "cloudflare";
+ "traefik.http.routers.${name}.entrypoints" = "localsecure";
+ "traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)";
+ "traefik.http.routers.${name}.service" = "${name}";
+ "traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
- "traefik.http.services.searxng.loadbalancer.server.url" = "http://192.168.100.10:9002";
+ "traefik.http.services.${name}.loadbalancer.server.url" = "http://192.168.100.10:${builtins.toString hostPort}";
 };
 extraOptions = lib.mkIf config.sysconfig.docker.nvidia [
@@ -41,7 +49,7 @@
 ];
 ports = [
- "9002:8080"
+ "${builtins.toString hostPort}:8080"
 ];
 volumes = [