diff --git a/flake.nix b/flake.nix
index 4b0d9cc..ad14487 100644
--- a/flake.nix
+++ b/flake.nix
@@ -16,6 +16,8 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ authentik-nix.url = "github:nix-community/authentik-nix";
+
 home-manager = {
 url = "github:nix-community/home-manager/release-24.05";
 inputs.nixpkgs.follows = "nixpkgs";
diff --git a/system-config/configuration/homebox/.sops.yaml b/system-config/configuration/homebox/.sops.yaml
deleted file mode 100644
index 74a5721..0000000
--- a/system-config/configuration/homebox/.sops.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-keys:
- - &primary age1xkwq2edchgu3taf2tlvraajxmgymn4vxtnpvl6ywlsswtqcp5sfswv2gzt
-creation_rules:
- - path_regex: secrets/secrets.yaml$
- key_groups:
- - age:
- - *primary
diff --git a/system-config/configuration/homebox/default.nix b/system-config/configuration/homebox/default.nix
index a654ead..674ff8f 100644
--- a/system-config/configuration/homebox/default.nix
+++ b/system-config/configuration/homebox/default.nix
@@ -102,7 +102,7 @@
 users.users."nathan" = {
 isNormalUser = true;
- hashedPasswordFile = config.sops.secrets.nathan_pass.path;
+ hashedPasswordFile = config.sops.secrets."nathan/pass".path;
 extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsU69CxfQk58CvItPN426h5Alnpb60SH37wet97Vb57 nathan@laptop"
@@ -168,9 +168,12 @@
 defaultSopsFormat = "yaml";
 secrets = {
- nathan_pass = {
+ "nathan/pass" = {
 neededForUsers = true;
 };
+
+ "authentik/pass" = {};
+ "authentik/secret_key" = {};
 };
 };
@@ -221,6 +224,8 @@
 virtualization = {
 traefik.enable = true;
+
+ authentik.enable = true;
 gitlab.enable = false;
 };
diff --git a/system-config/configuration/homebox/secrets/secrets.yaml b/system-config/configuration/homebox/secrets/secrets.yaml
index e00929d..78f6a01 100644
--- a/system-config/configuration/homebox/secrets/secrets.yaml
+++ b/system-config/configuration/homebox/secrets/secrets.yaml
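Review bot: The new `authentik-nix` input in the flake.nix hunk is declared without the `inputs.nixpkgs.follows = "nixpkgs";` that the neighbouring inputs carry and without a branch or tag ref, so it brings its own nixpkgs pin into the closure and tracks the repository's default branch whenever the lock is next updated. If letting authentik-nix keep its own tested nixpkgs is deliberate, say so in a comment above the line; otherwise give it the same `inputs.nixpkgs.follows` block as home-manager. The flake.lock entry that pins this input is not part of the diff, so it is worth confirming it was committed alongside.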
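Review bot: In the `secrets = { … }` hunk the new `"authentik/pass"` entry is named generically, yet the only consumer visible in this diff renders it as AUTHENTIK_EMAIL__PASSWORD, so a later reader will take it for the admin or bootstrap password; renaming it `"authentik/email_pass"` (and the matching key in secrets.yaml) would remove that ambiguity. Both new entries keep sops-nix's defaults (root-owned, mode 0400), which looks right because the plaintext is only read on the host when the sops template is rendered and never by the container directly; a comment such as `# consumed only via sops.templates."authentik.env"` would stop someone loosening the mode later.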
@@ -1,4 +1,8 @@
-nathan_pass: ENC[AES256_GCM,data:nRmwPPNwVMsDiq2ccKBUnQQ0wikcSA4rpb4lQi1NxfXWvEXhj4okvSRCOcS5vlfj6uCdYc1N5AzeOG9l9Y+bnIgvKLhoaL3drQ==,iv:McSMq7CgWYm4i6F0VcLkvsoErRhwzwvhe75mcwy5pmA=,tag:sJVLP2SrFlhAyEfHTQEHuA==,type:str]
+nathan:
+ pass: ENC[AES256_GCM,data:5WAG/VcfXbfvVN9mdE3gHJXSVvHAy+2a5g4XKluhrfYTpizANZc7Sr7e6R8ZIdeBrZ7GcUuzF4LXd8msnRAz8XynppOB1REA4w==,iv:4Tze5zKi8+MMozM10fC4YH36mT68+uazUyi5gye1J3E=,tag:PHvMrXnHAtKx03e99KhzlA==,type:str]
+authentik:
+ pass: ENC[AES256_GCM,data:uHFfToRhvBQJ099y0GX+qokb,iv:mjcxR7VEJ3QXAtDgjwCuqiHQIsvsDQJ9w+jbxYgsnOk=,tag:hLthVkVrYep4J/LMhwdFEA==,type:str]
+ secret_key: ENC[AES256_GCM,data:e3mDbpVYhmt83Gshw7MMf70ttosBaUkncmsUPRwkKHFVkPLUA63Xkhv6MqlFE8YT,iv:3tmucDXhXBVlgNtyATGPqvDfDqDVwVb0JZP5gr9XsiY=,tag:Nvn9JpHHPFYYYTIZbyhqww==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -14,8 +18,8 @@ sops:
 cCtyYlEzMm9QeHlHOWo0L0xObXp5c2MKfzoTSt0hI94QaxQsKKOpX7gQcZNtB7zd
 WgeBgTwOE30vcIQr/k7a9q77l2bDYe6i71R79YHsKvsFc+7i3gL46g==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-11-02T23:33:52Z"
- mac: ENC[AES256_GCM,data:BxhVERYHcweBDrR20D2hX+QhTfPiyqo54CQ4YHxhXcvFzkKUTt6XKuzblV+/TGSmCAayyxzp5n8hLxd68H1eYNQGL0ByYgvfkWHbDjFGBYuUcuNWuvm4O3U+kZqVgctWUaNdZGM36ASNcPxbaWLd6A6ey22tA3+swfYfhEVvNT8=,iv:7w7XJ4GfCkQR0XehpmCJT12hBJlgNKkETR47UvWVqqI=,tag:a+p5mV20jObztCVe4rqS/w==,type:str]
+ lastmodified: "2024-11-03T17:40:51Z"
+ mac: ENC[AES256_GCM,data:H3Sxgme+nSymKRqNu3aTyqUiJFMNSMKSJ02e/RnhhWSKwNPjKrN1+50sd9WxeC+klUTnOqV8vfKFkFBM9XSlBiDQ1qHrqX41YoLZpm/CcKEtQy6ka/c8pxyZbIuDrTLpjZG3egSxnUbxi/Bh/NllSDMDGd7wEiCYCf3uD7vjM+c=,iv:npyXmtN617+iSpYOUD2FjbifEPobwuyKvmPB8Vu5tmU=,tag:COhuis9QbG2qAgfCDEcTfg==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1
diff --git a/system-config/services/containers/authentik/default.nix b/system-config/services/containers/authentik/default.nix
new file mode 100644
index 0000000..2bae68b
--- /dev/null
+++ b/system-config/services/containers/authentik/default.nix
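Review bot: secrets.yaml is re-encrypted here while the same commit deletes the `.sops.yaml` that declared its age recipient and the creation rule for `secrets/secrets.yaml$`, and nothing in the diff shows where those rules moved. If no `.sops.yaml` exists higher in the tree, future edits will silently keep reusing the recipient list embedded in this file and a key rotation will have no rule to pick up the new recipient. Confirm a replacement creation rule lives in a parent directory, and point to it in a comment next to `defaultSopsFormat` in homebox/default.nix so the next person editing the secrets knows where recipients are managed.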
@@ -0,0 +1,55 @@
+{ config, lib, inputs, ... }: {
+
+ options.sysconfig.virtualization.authentik.enable = lib.options.mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+
+ imports = [
+ inputs.authentik-nix.nixosModules.default
+ ];
+
+ config = lib.mkIf config.sysconfig.virtualization.authentik.enable {
+
+ sops.templates."authentik.env" = {
+ content = ''
+ AUTHENTIK_EMAIL__PASSWORD=${config.sops.placeholder."authentik/pass"}
+ AUTHENTIK_SECRET_KEY=${config.sops.placeholder."authentik/secret_key"}
+ '';
+
+ path = "/ssd1/Authentik/data/authentik.env";
+ };
+
+ containers.authentik = {
+
+ autostart = true;
+ privateNetwork = true;
+ hostAddress = "192.168.100.10";
+ localAddress = "192.168.100.13";
+
+ bindMounts = {
+ "/root/data" = {
+ hostPath = "/ssd1/Authentik/data";
+ };
+ };
+
+ config = {
+
+ services.authentik = {
+
+ enable = true;
+ environmentFile = "/root/data/authentik.env";
+
+ settings = {
+ #disable_startup_analytics = true;
+ avatars = "initials";
+ };
+
+ };
+
+ networking.firewall.enable = false;
+ };
+
+ };
+ };
+}
diff --git a/system-config/services/containers/traefik/default.nix b/system-config/services/containers/traefik/default.nix
index 20361a6..1699bb9 100644
--- a/system-config/services/containers/traefik/default.nix
+++ b/system-config/services/containers/traefik/default.nix
@@ -14,9 +14,9 @@
 hostAddress = "192.168.100.10";
 localAddress = "192.168.100.11";
 forwardPorts = [
- {
- containerPort = 80;
- hostPort = 80;
+ {
+ containerPort = 80;
+ hostPort = 80;
 }
 {
 containerPort = 443;
@@ -146,9 +146,9 @@
 };
 };
- gitlab = {
+ /*gitlab = {
 entryPoints = [ "localsecure" "websecure" ];
- rule = "Host()";
+ rule = "Host(`gitlab.blunkall.us`)";
 service = "gitlab";
 tls = {
 certResolver = "cloudflare";
@@ -157,7 +157,7 @@
 sans = [ "*.blunkall.us" "*.local.blunkall.us" ];
 };
 };
- };
+ };*/
 local = {
 entryPoints = [ "localsecure" ];
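Review bot: `networking.firewall.enable = false;` in the container config exposes every listener of the authentik guest to anything that can reach 192.168.100.13, while the only client this diff sets up is the traefik container on the same host bridge; keep the firewall on and open just the port authentik serves on, `networking.firewall.allowedTCPPorts = [ 9000 ];` (9000 is upstream's default HTTP listener — confirm it matches what the authentik-nix module configures). The rendered `authentik.env` carries AUTHENTIK_SECRET_KEY, which signs sessions, so the template should keep sops-nix's root-only default mode rather than gain a looser `mode` later; a comment on the template such as `# root-only on purpose: systemd inside the container reads it via the bind mount, presumably as root` would record that. The commented-out `#disable_startup_analytics = true;` leaves the instance reporting to upstream at startup; either enable it or note why it is left off. The `enable` option is also missing a `description`, e.g. `description = "Run authentik in a private-network NixOS container.";`.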
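Review bot: The gitlab router in the `@@ -146,9 +146,9 @@` hunk is kept as a `/* … */` block rather than removed or gated, and its rule string is edited inside that comment to name gitlab.blunkall.us, so dead configuration is now carrying a real hostname that no enabled service answers for and will drift further from the live routers. Since `gitlab.enable = false` is already the switch in homebox/default.nix, prefer `gitlab = lib.mkIf config.sysconfig.virtualization.gitlab.enable { … };` (assuming that option exists on the gitlab module; it is not visible here) or delete the block and rely on git history. The enclosing routers attrset begins before this hunk and closes in the following one.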
@@ -174,7 +174,7 @@
 };
 services = {
- gitlab.loadBalancer.servers = [ { url = "http://192.168.100.12:80"; } ];
+ #gitlab.loadBalancer.servers = [ { url = "http://192.168.100.12:80"; } ];
 homepage.loadBalancer.servers = [ { url = "http://192.168.100.10:8000"; } ];
 };