-rw-r--r--flake.lock261
-rw-r--r--flake.nix3
-rw-r--r--modules/services/authentik.nix69
3 files changed, 331 insertions, 2 deletions
diff --git a/flake.lock b/flake.lock
index d1457c9..abdd148 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,49 @@
 {
   "nodes": {
+    "authentik-nix": {
+      "inputs": {
+        "authentik-src": "authentik-src",
+        "flake-compat": "flake-compat",
+        "flake-parts": "flake-parts",
+        "flake-utils": "flake-utils",
+        "napalm": "napalm",
+        "nixpkgs": [
+          "unstable"
+        ],
+        "nixpkgs-23-05": "nixpkgs-23-05",
+        "poetry2nix": "poetry2nix"
+      },
+      "locked": {
+        "lastModified": 1704822856,
+        "narHash": "sha256-LHng0EWMNh/1pRIitisMzu4XVHswjDZpfAa5cfRO6kE=",
+        "owner": "nix-community",
+        "repo": "authentik-nix",
+        "rev": "8ff62523708d1a3e9cf99891aaa7692dafd445a5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "authentik-nix",
+        "type": "github"
+      }
+    },
+    "authentik-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1704822648,
+        "narHash": "sha256-N6FeNUlenbBQPAAUSqC+2GWFfte3G+Zfu5KGVJOqNZQ=",
+        "owner": "goauthentik",
+        "repo": "authentik",
+        "rev": "1cd000dfe204b9605c85e6cebc051586a0329604",
+        "type": "github"
+      },
+      "original": {
+        "owner": "goauthentik",
+        "ref": "version/2023.10.6",
+        "repo": "authentik",
+        "type": "github"
+      }
+    },
     "blobs": {
       "flake": false,
       "locked": {
@@ -19,6 +63,22 @@
     "flake-compat": {
       "flake": false,
       "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_2": {
+      "flake": false,
+      "locked": {
         "lastModified": 1668681692,
         "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
         "owner": "edolstra",
@@ -32,7 +92,43 @@
         "type": "github"
       }
     },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": "nixpkgs-lib"
+      },
+      "locked": {
+        "lastModified": 1701473968,
+        "narHash": "sha256-YcVE5emp1qQ8ieHUnxt1wCZCC3ZfAS+SRRWZ2TMda7E=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
     "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1701680307,
+        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_2": {
       "locked": {
         "lastModified": 1667395993,
         "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
@@ -62,10 +158,57 @@
         "type": "github"
       }
     },
+    "napalm": {
+      "inputs": {
+        "flake-utils": [
+          "authentik-nix",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "authentik-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1703102458,
+        "narHash": "sha256-3pOV731qi34Q2G8e2SqjUXqnftuFrbcq+NdagEZXISo=",
+        "owner": "nix-community",
+        "repo": "napalm",
+        "rev": "edcb26c266ca37c9521f6a97f33234633cbec186",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "napalm",
+        "type": "github"
+      }
+    },
+    "nix-github-actions": {
+      "inputs": {
+        "nixpkgs": [
+          "authentik-nix",
+          "poetry2nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1698974481,
+        "narHash": "sha256-yPncV9Ohdz1zPZxYHQf47S8S0VrnhV7nNhCawY46hDA=",
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "rev": "4bb5e752616262457bc7ca5882192a564c0472d2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "type": "github"
+      }
+    },
     "nixos-mailserver": {
       "inputs": {
         "blobs": "blobs",
-        "flake-compat": "flake-compat",
+        "flake-compat": "flake-compat_2",
         "nixpkgs": [
           "unstable"
         ],
@@ -134,6 +277,22 @@
         "type": "indirect"
       }
     },
+    "nixpkgs-23-05": {
+      "locked": {
+        "lastModified": 1701615100,
+        "narHash": "sha256-7VI84NGBvlCTduw2aHLVB62NvCiZUlALLqBe5v684Aw=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "e9f06adb793d1cca5384907b3b8a4071d5d7cb19",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-23.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixpkgs-23_05": {
       "locked": {
         "lastModified": 1684782344,
@@ -149,6 +308,24 @@
         "type": "indirect"
       }
     },
+    "nixpkgs-lib": {
+      "locked": {
+        "dir": "lib",
+        "lastModified": 1701253981,
+        "narHash": "sha256-ztaDIyZ7HrTAfEEUt9AtTDNoCYxUdSd6NrRHaYOIxtk=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "e92039b55bcd58469325ded85d4f58dd5a4eaf58",
+        "type": "github"
+      },
+      "original": {
+        "dir": "lib",
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixpkgs-stable": {
       "locked": {
         "lastModified": 1704290814,
@@ -165,8 +342,37 @@
         "type": "github"
       }
     },
+    "poetry2nix": {
+      "inputs": {
+        "flake-utils": [
+          "authentik-nix",
+          "flake-utils"
+        ],
+        "nix-github-actions": "nix-github-actions",
+        "nixpkgs": [
+          "authentik-nix",
+          "nixpkgs"
+        ],
+        "systems": "systems_2",
+        "treefmt-nix": "treefmt-nix"
+      },
+      "locked": {
+        "lastModified": 1701861752,
+        "narHash": "sha256-QfrE05P66856b1SMan69NPhjc9e82VtLxBKg3yiQGW8=",
+        "owner": "nix-community",
+        "repo": "poetry2nix",
+        "rev": "9fc487b32a68473da4bf9573f85b388043c5ecda",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "poetry2nix",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
+        "authentik-nix": "authentik-nix",
         "impermanence": "impermanence",
         "nixos-mailserver": "nixos-mailserver",
         "nixpkgs-2111": "nixpkgs-2111",
@@ -178,7 +384,7 @@
     },
     "sefidel-web": {
       "inputs": {
-        "flake-utils": "flake-utils",
+        "flake-utils": "flake-utils_2",
         "nixpkgs": "nixpkgs"
       },
       "locked": {
@@ -216,6 +422,57 @@
         "type": "github"
       }
     },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "id": "systems",
+        "type": "indirect"
+      }
+    },
+    "treefmt-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "authentik-nix",
+          "poetry2nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1699786194,
+        "narHash": "sha256-3h3EH1FXQkIeAuzaWB+nK0XK54uSD46pp+dMD3gAcB4=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "e82f32aa7f06bbbd56d7b12186d555223dc399d1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
+    },
     "unstable": {
       "locked": {
         "lastModified": 1704722960,
diff --git a/flake.nix b/flake.nix
index 40bd39d..c0da437 100644
--- a/flake.nix
+++ b/flake.nix
@@ -8,6 +8,9 @@
 
     impermanence.url = "github:nix-community/impermanence";
 
+    authentik-nix.url = "github:nix-community/authentik-nix";
+    authentik-nix.inputs.nixpkgs.follows = "unstable";
+
     sops-nix.url = "github:Mic92/sops-nix";
     sops-nix.inputs.nixpkgs.follows = "unstable";
 
diff --git a/modules/services/authentik.nix b/modules/services/authentik.nix
new file mode 100644
index 0000000..10241b9
--- /dev/null
+++ b/modules/services/authentik.nix
@@ -0,0 +1,69 @@
+{ inputs, config, lib, ... }:
+
+with lib;
+let
+  cfg = config.modules.services.authentik;
+in
+{
+  imports = [ inputs.authentik-nix.nixosModules.default ];
+
+  options.modules.services.authentik = {
+    enable = mkEnableOption "Authentik - Identity Provider";
+    domain = mkOption { type = types.str; };
+    realHost = mkOption { type = types.str; default = "authentik.${cfg.domain}"; };
+    email = {
+      host = mkOption { type = types.str; default = "smtp.${cfg.domain}"; };
+      username = mkOption { type = types.str; default = "authentik@${cfg.domain}"; };
+      from = mkOption { type = types.str; default = cfg.email.username; };
+    };
+    secrets = {
+       authentik-envs = mkOption { type = types.path; description = "path to the environment file"; };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.authentik = {
+      enable = true;
+
+      environmentFile = cfg.secrets.authentik-envs;
+
+      settings = {
+        email = {
+          host = cfg.email.host;
+          port = 587;
+          username = cfg.email.username;
+          use_tls = true;
+          use_ssl = false;
+          from = cfg.email.from;
+        };
+
+        cert_discovery_dir = "env://CREDENTIALS_DIRECTORY";
+      };
+      nginx = {
+        # This is configured manually since authentik-nix doesn't support
+        # cases where cert domain != nginx host
+        enable = false;
+        enableACME = false;
+        # host = cfg.realHost;
+      };
+    };
+
+    modules.persistence.directories = [
+      "/var/lib/private/authentik"
+    ];
+
+    systemd.services.authentik-worker.serviceConfig.LoadCredential = [
+      "${cfg.domain}.pem:${config.security.acme.certs.${cfg.domain}.directory}/fullchain.pem"
+      "${cfg.domain}.key:${config.security.acme.certs.${cfg.domain}.directory}/key.pem"
+    ];
+
+    services.nginx.virtualHosts.${cfg.realHost} = {
+      useACMEHost = cfg.domain;
+      forceSSL = true;
+      locations."/" = {
+        proxyWebsockets = true;
+        proxyPass = "https://localhost:9443";
+      };
+    };
+  };
+}
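Review bot: `secrets.authentik-envs` is declared as `types.path`, which also accepts a Nix path literal; a value like `./secrets/authentik.env` would then be copied into the world-readable Nix store before it is handed to `environmentFile`, defeating the point of an environment file for secrets (the flake pulls in sops-nix, so a runtime string path is presumably what is intended). Either use `types.str` or make the contract explicit in the option, e.g. `description = "Path, as a string and never a Nix path literal, to the environment file holding the secrets Authentik reads at startup (the SMTP password is presumably expected there, since settings.email sets no password)";`. The other options (`domain`, `realHost`, `email.*`) carry no `description` and `domain` has no default, so a short description on each would make evaluation errors self-explanatory, and the one on `domain` should record the coupling that `useACMEHost = cfg.domain` creates: `domain = mkOption { type = types.str; description = "Base domain; its ACME certificate must also cover realHost"; };`. On `proxyPass = "https://localhost:9443"`, nginx does not verify the upstream certificate unless `proxy_ssl_verify on` and a trusted certificate are configured, so the TLS hop over loopback does not authenticate the backend; a one-line comment stating why the HTTPS listener is used rather than the plain-HTTP one (or adding the verification directives) would make the intent clear. Minor: the `authentik-envs` line is indented seven spaces where the rest of the file uses six.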