From 05cf38543e0f3c66fbf069d26656fe53871883d2 Mon Sep 17 00:00:00 2001
From: sefidel
Date: Sun, 14 Jan 2024 19:41:07 +0900
Subject: feat(modules/authentik): init
---
 flake.lock | 261 ++++++++++++++++++++++++++++++++++++++++-
 flake.nix | 3 +
 modules/services/authentik.nix | 69 +++++++++++
 3 files changed, 331 insertions(+), 2 deletions(-)
 create mode 100644 modules/services/authentik.nix
diff --git a/flake.lock b/flake.lock
index d1457c9..abdd148 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,49 @@
 {
 "nodes": {
+ "authentik-nix": {
+ "inputs": {
+ "authentik-src": "authentik-src",
+ "flake-compat": "flake-compat",
+ "flake-parts": "flake-parts",
+ "flake-utils": "flake-utils",
+ "napalm": "napalm",
+ "nixpkgs": [
+ "unstable"
+ ],
+ "nixpkgs-23-05": "nixpkgs-23-05",
+ "poetry2nix": "poetry2nix"
+ },
+ "locked": {
+ "lastModified": 1704822856,
+ "narHash": "sha256-LHng0EWMNh/1pRIitisMzu4XVHswjDZpfAa5cfRO6kE=",
+ "owner": "nix-community",
+ "repo": "authentik-nix",
+ "rev": "8ff62523708d1a3e9cf99891aaa7692dafd445a5",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "authentik-nix",
+ "type": "github"
+ }
+ },
+ "authentik-src": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1704822648,
+ "narHash": "sha256-N6FeNUlenbBQPAAUSqC+2GWFfte3G+Zfu5KGVJOqNZQ=",
+ "owner": "goauthentik",
+ "repo": "authentik",
+ "rev": "1cd000dfe204b9605c85e6cebc051586a0329604",
+ "type": "github"
+ },
+ "original": {
+ "owner": "goauthentik",
+ "ref": "version/2023.10.6",
+ "repo": "authentik",
+ "type": "github"
+ }
+ },
 "blobs": {
 "flake": false,
 "locked": {
@@ -17,6 +61,22 @@
 }
 },
 "flake-compat": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1696426674,
+ "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
+ "flake-compat_2": {
 "flake": false,
 "locked": {
 "lastModified": 1668681692,
@@ -32,7 +92,43 @@
 "type": "github"
 }
 },
+ "flake-parts": {
+ "inputs": {
+ "nixpkgs-lib": "nixpkgs-lib"
+ },
+ "locked": {
+ "lastModified": 1701473968,
+ "narHash": "sha256-YcVE5emp1qQ8ieHUnxt1wCZCC3ZfAS+SRRWZ2TMda7E=",
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "rev": "34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "type": "github"
+ }
+ },
 "flake-utils": {
+ "inputs": {
+ "systems": "systems"
+ },
+ "locked": {
+ "lastModified": 1701680307,
+ "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
+ "flake-utils_2": {
 "locked": {
 "lastModified": 1667395993,
 "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
@@ -62,10 +158,57 @@
 "type": "github"
 }
 },
+ "napalm": {
+ "inputs": {
+ "flake-utils": [
+ "authentik-nix",
+ "flake-utils"
+ ],
+ "nixpkgs": [
+ "authentik-nix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1703102458,
+ "narHash": "sha256-3pOV731qi34Q2G8e2SqjUXqnftuFrbcq+NdagEZXISo=",
+ "owner": "nix-community",
+ "repo": "napalm",
+ "rev": "edcb26c266ca37c9521f6a97f33234633cbec186",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "napalm",
+ "type": "github"
+ }
+ },
+ "nix-github-actions": {
+ "inputs": {
+ "nixpkgs": [
+ "authentik-nix",
+ "poetry2nix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1698974481,
+ "narHash": "sha256-yPncV9Ohdz1zPZxYHQf47S8S0VrnhV7nNhCawY46hDA=",
+ "owner": "nix-community",
+ "repo": "nix-github-actions",
+ "rev": "4bb5e752616262457bc7ca5882192a564c0472d2",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "nix-github-actions",
+ "type": "github"
+ }
+ },
 "nixos-mailserver": {
 "inputs": {
 "blobs": "blobs",
- "flake-compat": "flake-compat",
+ "flake-compat": "flake-compat_2",
 "nixpkgs": [
 "unstable"
 ],
@@ -134,6 +277,22 @@
 "type": "indirect"
 }
 },
+ "nixpkgs-23-05": {
+ "locked": {
+ "lastModified": 1701615100,
+ "narHash": "sha256-7VI84NGBvlCTduw2aHLVB62NvCiZUlALLqBe5v684Aw=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "e9f06adb793d1cca5384907b3b8a4071d5d7cb19",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-23.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixpkgs-23_05": {
 "locked": {
 "lastModified": 1684782344,
@@ -149,6 +308,24 @@
 "type": "indirect"
 }
 },
+ "nixpkgs-lib": {
+ "locked": {
+ "dir": "lib",
+ "lastModified": 1701253981,
+ "narHash": "sha256-ztaDIyZ7HrTAfEEUt9AtTDNoCYxUdSd6NrRHaYOIxtk=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "e92039b55bcd58469325ded85d4f58dd5a4eaf58",
+ "type": "github"
+ },
+ "original": {
+ "dir": "lib",
+ "owner": "NixOS",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixpkgs-stable": {
 "locked": {
 "lastModified": 1704290814,
@@ -165,8 +342,37 @@
 "type": "github"
 }
 },
+ "poetry2nix": {
+ "inputs": {
+ "flake-utils": [
+ "authentik-nix",
+ "flake-utils"
+ ],
+ "nix-github-actions": "nix-github-actions",
+ "nixpkgs": [
+ "authentik-nix",
+ "nixpkgs"
+ ],
+ "systems": "systems_2",
+ "treefmt-nix": "treefmt-nix"
+ },
+ "locked": {
+ "lastModified": 1701861752,
+ "narHash": "sha256-QfrE05P66856b1SMan69NPhjc9e82VtLxBKg3yiQGW8=",
+ "owner": "nix-community",
+ "repo": "poetry2nix",
+ "rev": "9fc487b32a68473da4bf9573f85b388043c5ecda",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "poetry2nix",
+ "type": "github"
+ }
+ },
 "root": {
 "inputs": {
+ "authentik-nix": "authentik-nix",
 "impermanence": "impermanence",
 "nixos-mailserver": "nixos-mailserver",
 "nixpkgs-2111": "nixpkgs-2111",
@@ -178,7 +384,7 @@
 },
 "sefidel-web": {
 "inputs": {
- "flake-utils": "flake-utils",
+ "flake-utils": "flake-utils_2",
 "nixpkgs": "nixpkgs"
 },
 "locked": {
@@ -216,6 +422,57 @@
 "type": "github"
 }
 },
+ "systems": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ },
+ "systems_2": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "id": "systems",
+ "type": "indirect"
+ }
+ },
+ "treefmt-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "authentik-nix",
+ "poetry2nix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1699786194,
+ "narHash": "sha256-3h3EH1FXQkIeAuzaWB+nK0XK54uSD46pp+dMD3gAcB4=",
+ "owner": "numtide",
+ "repo": "treefmt-nix",
+ "rev": "e82f32aa7f06bbbd56d7b12186d555223dc399d1",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "treefmt-nix",
+ "type": "github"
+ }
+ },
 "unstable": {
 "locked": {
 "lastModified": 1704722960,
diff --git a/flake.nix b/flake.nix
index 40bd39d..c0da437 100644
--- a/flake.nix
+++ b/flake.nix
@@ -8,6 +8,9 @@
 impermanence.url = "github:nix-community/impermanence";
+ authentik-nix.url = "github:nix-community/authentik-nix";
+ authentik-nix.inputs.nixpkgs.follows = "unstable";
+
 sops-nix.url = "github:Mic92/sops-nix";
 sops-nix.inputs.nixpkgs.follows = "unstable";
diff --git a/modules/services/authentik.nix b/modules/services/authentik.nix
new file mode 100644
index 0000000..10241b9
--- /dev/null
+++ b/modules/services/authentik.nix
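Review bot: The new `authentik-nix.url` carries no `ref`, so the input is pinned only by flake.lock and a later `nix flake update` will move it — together with the `authentik-src`, `poetry2nix` and `napalm` trees it brings in — to whatever the upstream default branch holds at that moment. If the upstream module publishes release refs, tracking one here (`authentik-nix.url = "github:nix-community/authentik-nix?ref=<release-ref>";`) turns an IdP upgrade into an explicit, reviewable change rather than a side effect of updating unrelated inputs. Only `nixpkgs` is overridden with `follows`; the lock shows authentik-nix also pulling its own `nixpkgs-23-05` and `flake-utils`, which this flake now fetches alongside its existing `nixpkgs-23_05` and `flake-utils_2`.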
@@ -0,0 +1,69 @@
+{ inputs, config, lib, ... }:
+
+with lib;
+let
+ cfg = config.modules.services.authentik;
+in
+{
+ imports = [ inputs.authentik-nix.nixosModules.default ];
+
+ options.modules.services.authentik = {
+ enable = mkEnableOption "Authentik - Identity Provider";
+ domain = mkOption { type = types.str; };
+ realHost = mkOption { type = types.str; default = "authentik.${cfg.domain}"; };
+ email = {
+ host = mkOption { type = types.str; default = "smtp.${cfg.domain}"; };
+ username = mkOption { type = types.str; default = "authentik@${cfg.domain}"; };
+ from = mkOption { type = types.str; default = cfg.email.username; };
+ };
+ secrets = {
+ authentik-envs = mkOption { type = types.path; description = "path to the environment file"; };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services.authentik = {
+ enable = true;
+
+ environmentFile = cfg.secrets.authentik-envs;
+
+ settings = {
+ email = {
+ host = cfg.email.host;
+ port = 587;
+ username = cfg.email.username;
+ use_tls = true;
+ use_ssl = false;
+ from = cfg.email.from;
+ };
+
+ cert_discovery_dir = "env://CREDENTIALS_DIRECTORY";
+ };
+ nginx = {
+ # This is configured manually since authentik-nix doesn't support
+ # cases where cert domain != nginx host
+ enable = false;
+ enableACME = false;
+ # host = cfg.realHost;
+ };
+ };
+
+ modules.persistence.directories = [
+ "/var/lib/private/authentik"
+ ];
+
+ systemd.services.authentik-worker.serviceConfig.LoadCredential = [
+ "${cfg.domain}.pem:${config.security.acme.certs.${cfg.domain}.directory}/fullchain.pem"
+ "${cfg.domain}.key:${config.security.acme.certs.${cfg.domain}.directory}/key.pem"
+ ];
+
+ services.nginx.virtualHosts.${cfg.realHost} = {
+ useACMEHost = cfg.domain;
+ forceSSL = true;
+ locations."/" = {
+ proxyWebsockets = true;
+ proxyPass = "https://localhost:9443";
+ };
+ };
+ };
+}
-- cgit 1.4.1
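Review bot: `secrets.authentik-envs` is declared `types.path`, which also accepts a Nix path literal, and a literal would be copied into the world-readable Nix store — this is the value passed as `environmentFile`, so it is exactly the file that must only ever be a runtime path (a sops-nix or agenix secret path, for example). The option's description should say so, e.g. `description = "Runtime path (never a store path) to the environment file holding authentik's secrets";`, and `domain`, `realHost` and the `email.*` options carry no `description` at all. The `services.nginx.virtualHosts.${cfg.realHost}` block uses `useACMEHost = cfg.domain`, so it silently relies on the `${cfg.domain}` certificate also covering `realHost` (a wildcard SAN, presumably); a one-line comment such as `# the ${cfg.domain} ACME cert must also cover realHost` would make that requirement visible instead of leaving it to a TLS error at runtime. The leftover `# host = cfg.realHost;` inside `services.authentik.nginx` can go, since the comment above it already explains that the vhost is configured manually.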