adding authentik
@@ -16,6 +16,8 @@
|
|||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
authentik-nix.url = "github:nix-community/authentik-nix";
|
||||||
|
|
||||||
home-manager = {
|
home-manager = {
|
||||||
url = "github:nix-community/home-manager/release-24.05";
|
url = "github:nix-community/home-manager/release-24.05";
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
|||||||
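Review bot: The new `authentik-nix` input at L20 is added without an `inputs.nixpkgs.follows`, unlike the `home-manager` input directly below it, so the authentik module will be built against whichever nixpkgs the upstream flake pins rather than this flake's own. That may well be intentional (I believe authentik-nix expects to be used with the nixpkgs it was tested against), but the asymmetry deserves a one-line comment so the next reader does not "fix" it, e.g. `# no nixpkgs.follows on purpose: use the nixpkgs revision authentik-nix was tested with`. The matching `flake.lock` change is not visible in this view; confirm the input was locked in the same commit so the build is reproducible.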
@@ -1,7 +0,0 @@
|
|||||||
keys:
|
|
||||||
- &primary age1xkwq2edchgu3taf2tlvraajxmgymn4vxtnpvl6ywlsswtqcp5sfswv2gzt
|
|
||||||
creation_rules:
|
|
||||||
- path_regex: secrets/secrets.yaml$
|
|
||||||
key_groups:
|
|
||||||
- age:
|
|
||||||
- *primary
|
|
||||||
@@ -102,7 +102,7 @@
|
|||||||
|
|
||||||
users.users."nathan" = {
|
users.users."nathan" = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
hashedPasswordFile = config.sops.secrets.nathan_pass.path;
|
hashedPasswordFile = config.sops.secrets."nathan/pass".path;
|
||||||
extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
|
extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsU69CxfQk58CvItPN426h5Alnpb60SH37wet97Vb57 nathan@laptop"
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsU69CxfQk58CvItPN426h5Alnpb60SH37wet97Vb57 nathan@laptop"
|
||||||
@@ -168,9 +168,12 @@
|
|||||||
defaultSopsFormat = "yaml";
|
defaultSopsFormat = "yaml";
|
||||||
|
|
||||||
secrets = {
|
secrets = {
|
||||||
nathan_pass = {
|
"nathan/pass" = {
|
||||||
neededForUsers = true;
|
neededForUsers = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
"authentik/pass" = {};
|
||||||
|
"authentik/secret_key" = {};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
@@ -222,6 +225,8 @@
|
|||||||
|
|
||||||
traefik.enable = true;
|
traefik.enable = true;
|
||||||
|
|
||||||
|
authentik.enable = true;
|
||||||
|
|
||||||
gitlab.enable = false;
|
gitlab.enable = false;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|||||||
@@ -1,4 +1,8 @@
|
|||||||
nathan_pass: ENC[AES256_GCM,data:nRmwPPNwVMsDiq2ccKBUnQQ0wikcSA4rpb4lQi1NxfXWvEXhj4okvSRCOcS5vlfj6uCdYc1N5AzeOG9l9Y+bnIgvKLhoaL3drQ==,iv:McSMq7CgWYm4i6F0VcLkvsoErRhwzwvhe75mcwy5pmA=,tag:sJVLP2SrFlhAyEfHTQEHuA==,type:str]
|
nathan:
|
||||||
|
pass: ENC[AES256_GCM,data:5WAG/VcfXbfvVN9mdE3gHJXSVvHAy+2a5g4XKluhrfYTpizANZc7Sr7e6R8ZIdeBrZ7GcUuzF4LXd8msnRAz8XynppOB1REA4w==,iv:4Tze5zKi8+MMozM10fC4YH36mT68+uazUyi5gye1J3E=,tag:PHvMrXnHAtKx03e99KhzlA==,type:str]
|
||||||
|
authentik:
|
||||||
|
pass: ENC[AES256_GCM,data:uHFfToRhvBQJ099y0GX+qokb,iv:mjcxR7VEJ3QXAtDgjwCuqiHQIsvsDQJ9w+jbxYgsnOk=,tag:hLthVkVrYep4J/LMhwdFEA==,type:str]
|
||||||
|
secret_key: ENC[AES256_GCM,data:e3mDbpVYhmt83Gshw7MMf70ttosBaUkncmsUPRwkKHFVkPLUA63Xkhv6MqlFE8YT,iv:3tmucDXhXBVlgNtyATGPqvDfDqDVwVb0JZP5gr9XsiY=,tag:Nvn9JpHHPFYYYTIZbyhqww==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
@@ -14,8 +18,8 @@ sops:
|
|||||||
cCtyYlEzMm9QeHlHOWo0L0xObXp5c2MKfzoTSt0hI94QaxQsKKOpX7gQcZNtB7zd
|
cCtyYlEzMm9QeHlHOWo0L0xObXp5c2MKfzoTSt0hI94QaxQsKKOpX7gQcZNtB7zd
|
||||||
WgeBgTwOE30vcIQr/k7a9q77l2bDYe6i71R79YHsKvsFc+7i3gL46g==
|
WgeBgTwOE30vcIQr/k7a9q77l2bDYe6i71R79YHsKvsFc+7i3gL46g==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-11-02T23:33:52Z"
|
lastmodified: "2024-11-03T17:40:51Z"
|
||||||
mac: ENC[AES256_GCM,data:BxhVERYHcweBDrR20D2hX+QhTfPiyqo54CQ4YHxhXcvFzkKUTt6XKuzblV+/TGSmCAayyxzp5n8hLxd68H1eYNQGL0ByYgvfkWHbDjFGBYuUcuNWuvm4O3U+kZqVgctWUaNdZGM36ASNcPxbaWLd6A6ey22tA3+swfYfhEVvNT8=,iv:7w7XJ4GfCkQR0XehpmCJT12hBJlgNKkETR47UvWVqqI=,tag:a+p5mV20jObztCVe4rqS/w==,type:str]
|
mac: ENC[AES256_GCM,data:H3Sxgme+nSymKRqNu3aTyqUiJFMNSMKSJ02e/RnhhWSKwNPjKrN1+50sd9WxeC+klUTnOqV8vfKFkFBM9XSlBiDQ1qHrqX41YoLZpm/CcKEtQy6ka/c8pxyZbIuDrTLpjZG3egSxnUbxi/Bh/NllSDMDGd7wEiCYCf3uD7vjM+c=,iv:npyXmtN617+iSpYOUD2FjbifEPobwuyKvmPB8Vu5tmU=,tag:COhuis9QbG2qAgfCDEcTfg==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.8.1
|
version: 3.8.1
|
||||||
|
|||||||
55
system-config/services/containers/authentik/default.nix
Normal file
55
system-config/services/containers/authentik/default.nix
Normal file
@@ -0,0 +1,55 @@
|
|||||||
|
{ config, lib, inputs, ... }: {
|
||||||
|
|
||||||
|
options.sysconfig.virtualization.authentik.enable = lib.options.mkOption {
|
||||||
|
type = lib.types.bool;
|
||||||
|
default = false;
|
||||||
|
};
|
||||||
|
|
||||||
|
imports = [
|
||||||
|
inputs.authentik-nix.nixosModules.default
|
||||||
|
];
|
||||||
|
|
||||||
|
config = lib.mkIf config.sysconfig.virtualization.authentik.enable {
|
||||||
|
|
||||||
|
sops.templates."authentik.env" = {
|
||||||
|
content = ''
|
||||||
|
AUTHENTIK_EMAIL__PASSWORD=${config.sops.placeholder."authentik/pass"}
|
||||||
|
AUTHENTIK_SECRET_KEY=${config.sops.placeholder."authentik/secret_key"}
|
||||||
|
'';
|
||||||
|
|
||||||
|
path = "/ssd1/Authentik/data/authentik.env";
|
||||||
|
};
|
||||||
|
|
||||||
|
containers.authentik = {
|
||||||
|
|
||||||
|
autostart = true;
|
||||||
|
privateNetwork = true;
|
||||||
|
hostAddress = "192.168.100.10";
|
||||||
|
localAddress = "192.168.100.13";
|
||||||
|
|
||||||
|
bindMounts = {
|
||||||
|
"/root/data" = {
|
||||||
|
hostPath = "/ssd1/Authentik/data";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = {
|
||||||
|
|
||||||
|
services.authentik = {
|
||||||
|
|
||||||
|
enable = true;
|
||||||
|
environmentFile = "/root/data/authentik.env";
|
||||||
|
|
||||||
|
settings = {
|
||||||
|
#disable_startup_analytics = true;
|
||||||
|
avatars = "initials";
|
||||||
|
};
|
||||||
|
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.firewall.enable = false;
|
||||||
|
};
|
||||||
|
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
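Review bot: The authentik module is imported at the host level (`imports = [ inputs.authentik-nix.nixosModules.default ];`, L323-L331) while `services.authentik` is configured inside `containers.authentik.config` (L435); as far as I can tell a NixOS container's `config` is evaluated as a separate NixOS configuration that does not inherit the host's `imports`, so `services.authentik` would be an unknown option there unless the same `imports` line is moved into the container's `config` attrset (the outer `inputs` argument remains in scope). `networking.firewall.enable = false;` at L479 removes filtering for the whole container namespace, so with `privateNetwork = true` every port the module opens is reachable from the host bridge; keeping the firewall on and allowing only authentik's default listeners, `networking.firewall.allowedTCPPorts = [ 9000 9443 ];`, is the narrower choice. The rendered template at `/ssd1/Authentik/data/authentik.env` (L368) places the secret key and mail password in plaintext on a persistent host path, so a comment stating that this directory exists only to hand the env file to the container would help a maintainer avoid reusing it for other data. `#disable_startup_analytics = true;` at L457 is dead configuration; either enable it or drop the line rather than leaving it commented.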
@@ -146,9 +146,9 @@
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
gitlab = {
|
/*gitlab = {
|
||||||
entryPoints = [ "localsecure" "websecure" ];
|
entryPoints = [ "localsecure" "websecure" ];
|
||||||
rule = "Host()";
|
rule = "Host(`gitlab.blunkall.us`)";
|
||||||
service = "gitlab";
|
service = "gitlab";
|
||||||
tls = {
|
tls = {
|
||||||
certResolver = "cloudflare";
|
certResolver = "cloudflare";
|
||||||
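Review bot: The gitlab router is disabled by wrapping it in a `/* … */` block comment (opened at L519, closed with `};*/` in the next hunk) and its loadBalancer entry is `#`-commented in the hunk after that, which leaves dead configuration that silently drifts from the live one while the same commit already sets `gitlab.enable = false;` as a switch. Gating the router and service with `lib.mkIf` on that option (its full attribute path is not visible here, so confirm it) keeps a single source of truth and lets the route come back by flipping the flag. The enclosing `routers` attrset begins before this hunk, and no traefik router for the newly enabled authentik service appears in these hunks; if it is meant to be reached through traefik, that route may be outside this view.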
@@ -157,7 +157,7 @@
|
|||||||
sans = [ "*.blunkall.us" "*.local.blunkall.us" ];
|
sans = [ "*.blunkall.us" "*.local.blunkall.us" ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};*/
|
||||||
|
|
||||||
local = {
|
local = {
|
||||||
entryPoints = [ "localsecure" ];
|
entryPoints = [ "localsecure" ];
|
||||||
@@ -174,7 +174,7 @@
|
|||||||
};
|
};
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
gitlab.loadBalancer.servers = [ { url = "http://192.168.100.12:80"; } ];
|
#gitlab.loadBalancer.servers = [ { url = "http://192.168.100.12:80"; } ];
|
||||||
|
|
||||||
homepage.loadBalancer.servers = [ { url = "http://192.168.100.10:8000"; } ];
|
homepage.loadBalancer.servers = [ { url = "http://192.168.100.10:8000"; } ];
|
||||||
};
|
};
|
||||||
|
|||||||