diff --git a/flake.lock b/flake.lock
index 6e94d72..e471600 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1385,11 +1385,11 @@
 "locked": {
 "lastModified": 1,
 "narHash": "sha256-swUtIf1jN3XSE4xExChj4M5rBWCSs08qqxXsJu1tZYs=",
- "path": "/nix/store/gzxffjfgra88pvjlmdz85l11jblji1hz-source/home-manager",
+ "path": "/nix/store/6fpz9wjljss6nsip24iy9l691p2z8fs6-source/home-manager",
 "type": "path"
 },
 "original": {
- "path": "/nix/store/gzxffjfgra88pvjlmdz85l11jblji1hz-source/home-manager",
+ "path": "/nix/store/6fpz9wjljss6nsip24iy9l691p2z8fs6-source/home-manager",
 "type": "path"
 }
 },
@@ -2066,11 +2066,11 @@
 "locked": {
 "lastModified": 1,
 "narHash": "sha256-HAuZ9X84fuwUcit6NWUoJCjHj+29nST/YN6Rs8JQugY=",
- "path": "/nix/store/wk0967i3j6a3fmh4hd07xdx6rd8248j3-source/programs",
+ "path": "/nix/store/g4jz9h6psl2w8p4k24mxk74dm792vgzi-source/programs",
 "type": "path"
 },
 "original": {
- "path": "/nix/store/wk0967i3j6a3fmh4hd07xdx6rd8248j3-source/programs",
+ "path": "/nix/store/g4jz9h6psl2w8p4k24mxk74dm792vgzi-source/programs",
 "type": "path"
 }
 },
@@ -2142,11 +2142,11 @@
 "locked": {
 "lastModified": 1,
 "narHash": "sha256-0Ztx5DVQ2I7hvCK/qjGa4XTdRgbzM8rhf19m0al8lVM=",
- "path": "/nix/store/wk0967i3j6a3fmh4hd07xdx6rd8248j3-source/services/sddm",
+ "path": "/nix/store/g4jz9h6psl2w8p4k24mxk74dm792vgzi-source/services/sddm",
 "type": "path"
 },
 "original": {
- "path": "/nix/store/wk0967i3j6a3fmh4hd07xdx6rd8248j3-source/services/sddm",
+ "path": "/nix/store/g4jz9h6psl2w8p4k24mxk74dm792vgzi-source/services/sddm",
 "type": "path"
 }
 },
@@ -2213,12 +2213,12 @@
 },
 "locked": {
 "lastModified": 1,
- "narHash": "sha256-Jv1KhOPLo+4WowQe291MGrHciMI2vPOAVUPZ8cDFFvM=",
- "path": "/nix/store/gzxffjfgra88pvjlmdz85l11jblji1hz-source/system-config",
+ "narHash": "sha256-yL3oskLUrTl8bmNVmBtGOAEZgtIa5lxj+qIZlts7tuI=",
+ "path": "/nix/store/6fpz9wjljss6nsip24iy9l691p2z8fs6-source/system-config",
 "type": "path"
 },
 "original": {
- "path": "/nix/store/gzxffjfgra88pvjlmdz85l11jblji1hz-source/system-config",
+ "path": "/nix/store/6fpz9wjljss6nsip24iy9l691p2z8fs6-source/system-config",
 "type": "path"
 }
 },
diff --git a/system-config/configuration/homebox/default.nix b/system-config/configuration/homebox/default.nix
index 0c48f4b..0a74a31 100644
--- a/system-config/configuration/homebox/default.nix
+++ b/system-config/configuration/homebox/default.nix
@@ -90,7 +90,7 @@
 hostName = "homebox";
 nameservers = [ "1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one" ];
 networkmanager.enable = true;
- firewall.allowedTCPPorts = [ 22 80 443 8000 ];
+ firewall.allowedTCPPorts = [ 22 80 443 9000 ];
 hosts = {
 "192.168.100.11" = [ "blunkall.us" "*.blunkall.us" "*.local.blunkall.us" ];
 };
@@ -126,6 +126,11 @@
 virtualisation.docker.enable = true;
+ environment.systemPackages = with pkgs; [
+ docker
+ docker-compose
+ ];
+ #virtualisation.oci-containers.backend = "podman";
 boot.initrd.postDeviceCommands = lib.mkAfter ''
diff --git a/system-config/services/containers/authentik/default.nix b/system-config/services/containers/authentik/default.nix
index b9a0ad6..b76fe41 100644
--- a/system-config/services/containers/authentik/default.nix
+++ b/system-config/services/containers/authentik/default.nix
@@ -1,13 +1,10 @@
-{ pkgs, config, lib, inputs, ... }: {
+{ pkgs, config, lib, ... }: {
 options.sysconfig.opts.virtualization.authentik.enable = lib.options.mkOption { type = lib.types.bool; default = false; };
- imports = [
- inputs.arion.nixosModules.arion
- ];
 config = lib.mkIf config.sysconfig.opts.virtualization.authentik.enable {
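Review bot: Replacing 8000 with 9000 in `firewall.allowedTCPPorts` opens the authentik listener on every interface of homebox, while the traefik changes in this same commit reach that listener only by its LAN address (`http://192.168.100.10:9000`) and publish it to users under `auth.blunkall.us` behind TLS. If homebox is the host at 192.168.100.10 (not visible here), any client that can reach the host can talk to authentik directly over plain HTTP, sidestepping traefik and the forwardAuth middleware; the port only needs to be reachable from the traefik host. Prefer scoping it, e.g. `firewall.interfaces.<lan-iface>.allowedTCPPorts = [ 9000 ];` with the internal interface name, or leave 9000 closed if traefik runs on the same host and can use the loopback or docker network instead. The `networking` attrset this hunk edits starts and ends outside the hunk.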
@@ -22,14 +19,16 @@
 path = "/ssd1/Authentik/.env";
 };
- /*systemd.services.launchAuthentik = {
+ systemd.services.launchAuthentik = {
 enable = true;
+ wantedBy = [ "multi-user.target" ];
+ script = ''
- cd /home/nathan/Projects/System/system-config/services/containers/authentik
- ${pkgs.docker-compose}/bin/docker-compose up -d
+ cd /ssd1/Authentik
+ ${pkgs.docker-compose}/bin/docker-compose up
 '';
- };*/
+ };
 };
 }
diff --git a/system-config/services/containers/traefik/default.nix b/system-config/services/containers/traefik/default.nix
index 29e52f8..42275a5 100644
--- a/system-config/services/containers/traefik/default.nix
+++ b/system-config/services/containers/traefik/default.nix
@@ -123,6 +123,9 @@
 entryPoints = [ "localsecure" "websecure" ];
 rule = "Host(`blunkall.us`)";
 service = "homepage";
+ middlewares = [
+ "authentik"
+ ];
 tls = {
 certResolver = "cloudflare";
 domains = {
@@ -137,6 +140,22 @@
 entryPoints = [ "localsecure" "websecure" ];
 rule = "Host(`www.blunkall.us`)";
 service = "homepage";
+ middlewares = [
+ "authentik"
+ ];
+ tls = {
+ certResolver = "cloudflare";
+ domains = {
+ main = "blunkall.us";
+ sans = [ "*.blunkall.us" "*.local.blunkall.us" ];
+ };
+ };
+ };
+
+ auth = {
+ entryPoints = [ "localsecure" "websecure" ];
+ rule = "Host(`auth.blunkall.us`)";
+ service = "authentik";
 tls = {
 certResolver = "cloudflare";
 domains = {
@@ -159,7 +178,7 @@
 };
 };*/
- local = {
+ /*local = {
 entryPoints = [ "localsecure" ];
 rule = "Host(`traefik.local.blunkall.us`)";
 service = "dashboard@internal";
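Review bot: `systemd.services.launchAuthentik` is now live and pulled in by `multi-user.target`, but the unit declares no ordering against the docker daemon it depends on, so on boot `docker-compose up` can run before `docker.service` is ready and fail on the socket, leaving the identity provider that the traefik routers now gate on unavailable. Add `after = [ "docker.service" "network-online.target" ]; requires = [ "docker.service" ];` next to `wantedBy`, and consider `serviceConfig.Restart = "on-failure";` so a failed start is retried instead of staying down. Dropping `-d` so compose runs in the foreground is the right choice here, since it keeps the unit's lifetime tied to the compose process and lets systemd stop the stack cleanly. The enclosing `config = lib.mkIf ...` attrset starts outside the hunk.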
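Review bot: In the `www.blunkall.us` router hunk the `tls = { certResolver = "cloudflare"; domains = { ... }; };` block is pasted verbatim yet again, and the new `auth` router inherits the same shape from the context lines below it, so a change to the resolver or SAN list now has to be repeated in every router. Consider binding it once at the top of the module, e.g. `let tlsBlunkall = { certResolver = "cloudflare"; domains = { main = "blunkall.us"; sans = [ "*.blunkall.us" "*.local.blunkall.us" ]; }; }; in`, and writing `tls = tlsBlunkall;` in each router. The `auth` router correctly carries no `authentik` middleware (it serves the login flow, so gating it would loop); that intent is easy to lose in a later copy-paste, so a one-line comment on it such as `# no forwardAuth here: this router serves the outpost's own login flow` would help. The `routers` attrset starts before the hunk and the `auth` router's `tls` block continues past it.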
@@ -170,6 +189,26 @@
 sans = [ "*.blunkall.us" "*.local.blunkall.us" ];
 };
 };
+ };*/
+ };
+
+ middlewares = {
+ authentik.forwardAuth = {
+ address = "http://192.168.100.10:9000/outpost.goauthentik.io/auth/traefik";
+ trustForwardHeader = true;
+ authResponseHeaders = [
+ "X-authentik-username"
+ "X-authentik-groups"
+ "X-authentik-email"
+ "X-authentik-name"
+ "X-authentik-uid"
+ "X-authentik-jwt"
+ "X-authentik-meta-jwks"
+ "X-authentik-meta-outpost"
+ "X-authentik-meta-provider"
+ "X-authentik-meta-app"
+ "X-authentik-meta-version"
+ ];
 };
 };
@@ -177,6 +216,8 @@
 #gitlab.loadBalancer.servers = [ { url = "http://192.168.100.12:80"; } ];
 homepage.loadBalancer.servers = [ { url = "http://192.168.100.13:80"; } ];
+
+ authentik.loadBalancer.servers = [ { url = "http://192.168.100.10:9000"; } ];
 };
 };
 };
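Review bot: The new `authentik.forwardAuth` middleware copies the `X-authentik-*` identity headers from the outpost response onto the request traefik sends to the backend (`authResponseHeaders`), and `trustForwardHeader = true` passes the client's `X-Forwarded-*` headers through to the outpost unchanged; both match the documented authentik integration, but they are only safe if (a) the `homepage` backend at 192.168.100.13:80 is reachable solely through traefik, since a caller that reaches it directly could present those headers itself, and (b) the `localsecure`/`websecure` entrypoints (outside this diff) set `forwardedHeaders.trustedIPs` to the known proxies, otherwise a client-supplied `X-Forwarded-Host` is what the outpost uses to build its redirect URL. The `address` is plain HTTP to 192.168.100.10:9000, and the `authentik` service in the following hunk uses the same endpoint, so session cookies and the JWT carried in `X-authentik-jwt` cross the LAN unencrypted; that is acceptable on an isolated segment but the assumption should be recorded, e.g. `# plain HTTP: outpost traffic must stay on the internal segment; move to https if hosts are split`. The `middlewares` attrset is closed inside the hunk, but the surrounding `http` block starts and ends outside it.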