adding authentik

2024-11-03 11:44:00 -06:00
parent e81b3a3ea6
commit d91ec72fcf
6 changed files with 78 additions and 19 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -16,6 +16,8 @@
        inputs.nixpkgs.follows = "nixpkgs";
    };
    authentik-nix.url = "github:nix-community/authentik-nix";
    home-manager = {
      url = "github:nix-community/home-manager/release-24.05";
      inputs.nixpkgs.follows = "nixpkgs";
--- a/system-config/configuration/homebox/.sops.yaml
+++ b/system-config/configuration/homebox/.sops.yaml
@@ -1,7 +0,0 @@
 keys:
  - &primary age1xkwq2edchgu3taf2tlvraajxmgymn4vxtnpvl6ywlsswtqcp5sfswv2gzt
 creation_rules:
  - path_regex: secrets/secrets.yaml$
    key_groups:
    - age:
      - *primary
--- a/system-config/configuration/homebox/default.nix
+++ b/system-config/configuration/homebox/default.nix
@@ -102,7 +102,7 @@
  users.users."nathan" = {
    isNormalUser = true;
-    hashedPasswordFile = config.sops.secrets.nathan_pass.path;
+    hashedPasswordFile = config.sops.secrets."nathan/pass".path;
    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
    openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsU69CxfQk58CvItPN426h5Alnpb60SH37wet97Vb57 nathan@laptop"
@@ -168,9 +168,12 @@
        defaultSopsFormat = "yaml";
        secrets = {
-            nathan_pass = {
+            "nathan/pass" = {
                neededForUsers = true;
            };
            "authentik/pass" = {};
            "authentik/secret_key" = {};
        };
    };
@@ -221,6 +224,8 @@
        virtualization = {
            traefik.enable = true;
            authentik.enable = true;
            gitlab.enable = false;
        };
--- a/system-config/configuration/homebox/secrets/secrets.yaml
+++ b/system-config/configuration/homebox/secrets/secrets.yaml
@@ -1,4 +1,8 @@
-nathan_pass: ENC[AES256_GCM,data:nRmwPPNwVMsDiq2ccKBUnQQ0wikcSA4rpb4lQi1NxfXWvEXhj4okvSRCOcS5vlfj6uCdYc1N5AzeOG9l9Y+bnIgvKLhoaL3drQ==,iv:McSMq7CgWYm4i6F0VcLkvsoErRhwzwvhe75mcwy5pmA=,tag:sJVLP2SrFlhAyEfHTQEHuA==,type:str]
+nathan:
    pass: ENC[AES256_GCM,data:5WAG/VcfXbfvVN9mdE3gHJXSVvHAy+2a5g4XKluhrfYTpizANZc7Sr7e6R8ZIdeBrZ7GcUuzF4LXd8msnRAz8XynppOB1REA4w==,iv:4Tze5zKi8+MMozM10fC4YH36mT68+uazUyi5gye1J3E=,tag:PHvMrXnHAtKx03e99KhzlA==,type:str]
 authentik:
    pass: ENC[AES256_GCM,data:uHFfToRhvBQJ099y0GX+qokb,iv:mjcxR7VEJ3QXAtDgjwCuqiHQIsvsDQJ9w+jbxYgsnOk=,tag:hLthVkVrYep4J/LMhwdFEA==,type:str]
    secret_key: ENC[AES256_GCM,data:e3mDbpVYhmt83Gshw7MMf70ttosBaUkncmsUPRwkKHFVkPLUA63Xkhv6MqlFE8YT,iv:3tmucDXhXBVlgNtyATGPqvDfDqDVwVb0JZP5gr9XsiY=,tag:Nvn9JpHHPFYYYTIZbyhqww==,type:str]
 sops:
    kms: []
    gcp_kms: []
@@ -14,8 +18,8 @@ sops:
            cCtyYlEzMm9QeHlHOWo0L0xObXp5c2MKfzoTSt0hI94QaxQsKKOpX7gQcZNtB7zd
            WgeBgTwOE30vcIQr/k7a9q77l2bDYe6i71R79YHsKvsFc+7i3gL46g==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-02T23:33:52Z"
+    lastmodified: "2024-11-03T17:40:51Z"
-    mac: ENC[AES256_GCM,data:BxhVERYHcweBDrR20D2hX+QhTfPiyqo54CQ4YHxhXcvFzkKUTt6XKuzblV+/TGSmCAayyxzp5n8hLxd68H1eYNQGL0ByYgvfkWHbDjFGBYuUcuNWuvm4O3U+kZqVgctWUaNdZGM36ASNcPxbaWLd6A6ey22tA3+swfYfhEVvNT8=,iv:7w7XJ4GfCkQR0XehpmCJT12hBJlgNKkETR47UvWVqqI=,tag:a+p5mV20jObztCVe4rqS/w==,type:str]
+    mac: ENC[AES256_GCM,data:H3Sxgme+nSymKRqNu3aTyqUiJFMNSMKSJ02e/RnhhWSKwNPjKrN1+50sd9WxeC+klUTnOqV8vfKFkFBM9XSlBiDQ1qHrqX41YoLZpm/CcKEtQy6ka/c8pxyZbIuDrTLpjZG3egSxnUbxi/Bh/NllSDMDGd7wEiCYCf3uD7vjM+c=,iv:npyXmtN617+iSpYOUD2FjbifEPobwuyKvmPB8Vu5tmU=,tag:COhuis9QbG2qAgfCDEcTfg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/system-config/services/containers/authentik/default.nix
+++ b/system-config/services/containers/authentik/default.nix
@@ -0,0 +1,55 @@
 { config, lib, inputs, ... }: {
    options.sysconfig.virtualization.authentik.enable = lib.options.mkOption {
        type = lib.types.bool;
        default = false;
    };
    imports = [
        inputs.authentik-nix.nixosModules.default
    ];
    config = lib.mkIf config.sysconfig.virtualization.authentik.enable {
        sops.templates."authentik.env" = {
            content = ''
                AUTHENTIK_EMAIL__PASSWORD=${config.sops.placeholder."authentik/pass"}
                AUTHENTIK_SECRET_KEY=${config.sops.placeholder."authentik/secret_key"}
            '';
            path = "/ssd1/Authentik/data/authentik.env";
        };
        containers.authentik = {
            autostart = true;
            privateNetwork = true;
            hostAddress = "192.168.100.10";
            localAddress = "192.168.100.13";
            bindMounts = {
                "/root/data" = {
                    hostPath = "/ssd1/Authentik/data";
                };
            };
            config = {
                services.authentik = {
                    enable = true;
                    environmentFile = "/root/data/authentik.env";
                    settings = {
                        #disable_startup_analytics = true;
                        avatars = "initials";
                    };
                };
                networking.firewall.enable = false;
            };
        };
    };
 }
--- a/system-config/services/containers/traefik/default.nix
+++ b/system-config/services/containers/traefik/default.nix
@@ -14,9 +14,9 @@
            hostAddress = "192.168.100.10";
            localAddress = "192.168.100.11";
            forwardPorts = [
-                {
+            {
-                    containerPort = 80;
+            containerPort = 80;
-                    hostPort = 80;
+            hostPort = 80;
                }
                {
                    containerPort = 443;
@@ -146,9 +146,9 @@
                                    };
                                };
-                                gitlab = {
+                                /*gitlab = {
                                    entryPoints = [ "localsecure" "websecure" ];
-                                    rule = "Host()";
+                                    rule = "Host(`gitlab.blunkall.us`)";
                                    service = "gitlab";
                                    tls = {
                                        certResolver = "cloudflare";
@@ -157,7 +157,7 @@
                                            sans = [ "*.blunkall.us" "*.local.blunkall.us" ];
                                        };
                                    };
-                                };
+                                };*/
                                local = {
                                    entryPoints = [ "localsecure" ];
@@ -174,7 +174,7 @@
                            };
                            services = {
-                                gitlab.loadBalancer.servers = [ { url = "http://192.168.100.12:80"; } ];
+                                #gitlab.loadBalancer.servers = [ { url = "http://192.168.100.12:80"; } ];
                                homepage.loadBalancer.servers = [ { url = "http://192.168.100.10:8000"; } ];
                            };