diff --git a/flake.nix b/flake.nix
index 97f0588..12d466d 100755
--- a/flake.nix
+++ b/flake.nix
@@ -16,6 +16,10 @@
 vscode-server.url = "github:nix-community/nixos-vscode-server";
 notenrechner.url = "git+https://git.ifsr.de/frieder.hannenheim/notenrechner.git";
 notenrechner.inputs.nixpkgs.follows = "nixpkgs";
+ authentik = {
+ url = "github:nix-community/authentik-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 course-management = {
diff --git a/modules/authentik/default.nix b/modules/authentik/default.nix
new file mode 100644
index 0000000..4267f28
--- /dev/null
+++ b/modules/authentik/default.nix
@@ -0,0 +1,20 @@
+{ config, ... }:
+let
+ domain = "idm.${config.networking.domain}";
+in
+{
+ age.secrets.authentik-core = {
+ file = ../../../../secrets/nuc/authentik/core.age;
+ };
+ sops.secrets."authentik/env" = { };
+ services.authentik = {
+ enable = true;
+ nginx = {
+ enable = true;
+ host = domain;
+ enableACME = true;
+ };
+ environmentFile = config.sops.secrets."authentik/env".path;
+ };
+
+}
diff --git a/secrets/quitte.yaml b/secrets/quitte.yaml
index f975849..108a8ea 100644
--- a/secrets/quitte.yaml
+++ b/secrets/quitte.yaml
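Review bot: No `flake.lock` change is visible next to the new `authentik` input in `flake.nix`, so as far as this page shows, the revision of `nix-community/authentik-nix` that gets deployed is fixed by whoever next updates the lock, not by this commit. For the host's identity provider, the locked revision should be committed and reviewed together with the input. The line `inputs.nixpkgs.follows = "nixpkgs";` also deserves a comment, since it builds authentik against this repository's nixpkgs, which upstream may not have tested, for example `# builds authentik against our nixpkgs, not the one authentik-nix pins; drop this line if the build breaks`.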
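Review bot: The `age.secrets.authentik-core` block in `modules/authentik/default.nix` declares a secret that nothing in this module reads, and its path `../../../../secrets/nuc/authentik/core.age` climbs four directories from `modules/authentik/`, which appears to land above the repository root. The service takes its secrets only from `config.sops.secrets."authentik/env".path`, so the agenix declaration looks like a leftover from another configuration, and if the agenix module is not imported on this host the `age` option will presumably fail to evaluate. I would delete the three `age.secrets.authentik-core` lines and keep `sops.secrets."authentik/env" = { };` as the single secret source. A comment on that line stating what the file must provide would help the next maintainer, for example `# EnvironmentFile for authentik (AUTHENTIK_SECRET_KEY etc.); keep root-only, never world-readable`.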
@@ -13,6 +13,8 @@ sssd: env: ENC[AES256_GCM,data:ng189+ulH79xCZKOn9N5kN3KqED9dWqLM8dErukJH3a3ivxhUjyy3Tpa+uSnJDh8tAyOesT1j71mlTgKQKb3phylVEdL,iv:i8NEGR+eQ42q5be4gJdNMf/9DCCcjr3gwkEW/+hrgxs=,tag:16EvtkTu+0M5bIlgxC2j9Q==,type:str] dovecot_ldap_search: ENC[AES256_GCM,data:xip5KREy8oqH+58DOtw9QLcVdDlO5Nr0IHki8X0i9J1rrI/BreH2tVPC8aRTDHFPRgpBxiL6,iv:98PSXajEis7sSJ4+IkPuBC05y8w7/XRYQVFH1cripEU=,tag:LcId5rlzz3JjjZIHwoh+AA==,type:str] rspamd-password: ENC[AES256_GCM,data:Dd6lTyDh3FFqOTeipY0o5uJz5/Mh6FsVahbI5M1njn5S690avzQ4+8YISrwkuA==,iv:OAuA+t2KzGDvURng2RWFAoMNfw+RNLtM1hLEniuzz9c=,tag:RBN41BmsrvgXKEOa8gCDfw==,type:str] +authentik: + env: ENC[AES256_GCM,data:7Mcqe2/ny5oghO8kfV1b5LksxxmNGTn6u0LCDH1Q8kwkidOD6MXyMbyzN9LRU4ovDXwXy+ztwnNHBZPvGSGMKUMczIn5hhiA5ri93kk9G8Wy4rGjjt+0Z+JKsZV33rlrYgIr6eGy6Ps=,iv:gkzjx9yQQj31g5fBdAVKzAslpTUjPp1yWnOWQyotYy4=,tag:uOSU653xBYUai6DOF1ddYA==,type:str] grafana: oidc_secret: ENC[AES256_GCM,data:oH+VCL4e4wve6RyVwlTXPSmirbf+STD5FxUj9OjGDLs=,iv:PhVVCy5JyRa+fOrYAsnjDL+97zYASmKcBzB8t9ZVWIU=,tag:JzGO/FeKem4vd7ApvZ2Zcg==,type:str] mediawiki: @@ -32,10 +34,6 @@ bacula: zammad_secret: ENC[AES256_GCM,data:Ok01cE+lgNaN0+wLZuBD6k2gsyTWDFVXEPprEvdwlIAQvwqYu2nou0GiCEcm/NF2cgsxERH2rYxxS/lPXIQxXjvHHLfovLSMH+Kd1F/T+qWZioDz7tzDV3GBom52c92kZ4XO2F3udku8IQLGsR7J6eA/xY7yj1g2CF7Vt37BMkg=,iv:5cdEBtgjXoJCve8PJDUcLQvXwe7sn/mgZIOUhzJtr/c=,tag:4fLmvfG6Ujcb5J3YGjP7Hg==,type:str] hyperilo_htaccess: ENC[AES256_GCM,data:FuHR9S6FhVyraJ6w9j6RTUryCqgVrhpfQg9y2OdnaqMFNcIR239OBmvqn+WlgFxcMqJtpIKe8ixBZq67pjxbSl2p,iv:zKMyhEJ160MN3+54csuurMXvIAFfWG95bv/cIH3hqJo=,tag:Nr0G7qx8cdpNoW3t5P1CBA==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age1x76ajqw8w4l5vlkwt5s3flz5a5jq5qlxv7uppmnf8ckj9egh9ekqjclzt6 enc: | 
@@ -55,8 +53,8 @@ sops: MWM0M3FvbjUzL3p3ZU1zUG94ckV3ZTAKUOAkZ8nlvT36cyPy5USyDzoIG569N818 tMM5aQsEQ9vTOaUoK4gtBEXBva7VerMprdcTRYLcSJ/9L1vXdlVT/g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-03-07T23:08:25Z" - mac: ENC[AES256_GCM,data:Pe0ACk6wVrMMoB7moMt+A8RPaiy8RZdH0gINpphQr1XGzfYOD6tMoS/YK/6JfTKagWzMpkOVnbpSpKVzdeBu1nzMM5DrOyeP5WBnkuBtBHjXBlis7khCKGEOxATEoM6lev31vjKDGFFP4HpwOrIAj6UaQ2RGSY/3FJ/SHk83eYY=,iv:6/sJcpY4XoEHHBV/W9BZAva/2gZiL4T/+6O55thuX1M=,tag:lpvyC44VIUMk3/KZZO+tmA==,type:str] + lastmodified: "2025-04-15T12:57:41Z" + mac: ENC[AES256_GCM,data:NKpGBhz9WFt9xbcbIZ+S8fkgbhfOk4g+5vhXSYPz5tVF/uLDjI4+T1nzy1yKVJA+9MGgQ5OHXgQ7kszrXHgn8fm+sG++MUEXJILcX840Poo9wRBhvDxtNL/oLFbSHsQ0FDe9oCcx+/T8Rmg7vYWARlokKDsXZ7wsTYjF9GkBivQ=,iv:SKVBvdyT3cRTfXuenLDEgk0yJJltwIBShZOkrDfnI10=,tag:58eNQ5k5hTUBTr/nwJULug==,type:str] pgp: - created_at: "2025-03-07T23:03:16Z" enc: |- @@ -172,4 +170,4 @@ sops: -----END PGP MESSAGE----- fp: FBBFAC260D9283D1EF2397DD3CA65E9DD6EB319D unencrypted_suffix: _unencrypted - version: 3.9.4 + version: 3.10.1