From 21da78256ca24e0f565a00483be46fc2d16f104f Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Mon, 20 May 2024 12:19:05 +0200 Subject: [PATCH] nuc: configure authentik --- flake.lock | 261 +++++++++++++++++++++++- flake.nix | 7 + hosts/nuc/default.nix | 3 +- hosts/nuc/modules/authentik/default.nix | 18 ++ hosts/thinkpad/modules/networks/uni.nix | 2 +- secrets.nix | 1 + secrets/nuc/authentik.age | 7 + 7 files changed, 287 insertions(+), 12 deletions(-) create mode 100644 hosts/nuc/modules/authentik/default.nix create mode 100644 secrets/nuc/authentik.age diff --git a/flake.lock b/flake.lock index 1ab41db..e4b8d04 100644 --- a/flake.lock +++ b/flake.lock @@ -25,6 +25,50 @@ "type": "github" } }, + "authentik": { + "inputs": { + "authentik-src": "authentik-src", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "flake-utils": "flake-utils", + "napalm": "napalm", + "nixpkgs": [ + "nixpkgs" + ], + "poetry2nix": "poetry2nix" + }, + "locked": { + "lastModified": 1715166702, + "narHash": "sha256-PJxwZoT1JWxMaKRdTLMHN55mdYlhZn2L5VpvyevKkug=", + "owner": "nix-community", + "repo": "authentik-nix", + "rev": "84c3ce6fe7c174ed1a53cbc5e36cf6a70f4dcc1b", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "node-22", + "repo": "authentik-nix", + "type": "github" + } + }, + "authentik-src": { + "flake": false, + "locked": { + "lastModified": 1715092773, + "narHash": "sha256-B+ZLD1D/UQty1urQ0qDFo67vjsk/jtssjqIQOY0Oxq4=", + "owner": "goauthentik", + "repo": "authentik", + "rev": "1f5953b5b7e72c085246e8f19b94482dac946d83", + "type": "github" + }, + "original": { + "owner": "goauthentik", + "ref": "version/2024.4.2", + "repo": "authentik", + "type": "github" + } + }, "base16-schemes": { "flake": false, "locked": { @@ -98,7 +142,7 @@ }, "dns": { "inputs": { - "flake-utils": "flake-utils", + "flake-utils": "flake-utils_2", "nixpkgs": [ "nixpkgs" ] 
@@ -118,6 +162,22 @@ } }, "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { "flake": false, "locked": { "lastModified": 1673956053, @@ -134,6 +194,24 @@ } }, "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1712014858, + "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { "inputs": { "nixpkgs-lib": [ "lanzaboote", @@ -155,6 +233,24 @@ } }, "flake-utils": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { "locked": { "lastModified": 1614513358, "narHash": "sha256-LakhOx3S1dRjnh0b5Dg3mbZyH0ToC9I8Y2wKSkBaTzU=", @@ -169,9 +265,9 @@ "type": "github" } }, - "flake-utils_2": { + "flake-utils_3": { "inputs": { - "systems": "systems_2" + "systems": "systems_4" }, "locked": { "lastModified": 1681202837, 
@@ -216,11 +312,11 @@ ] }, "locked": { - "lastModified": 1715486357, - "narHash": "sha256-4pRuzsHZOW5W4CsXI9uhKtiJeQSUoe1d2M9mWU98HC4=", + "lastModified": 1715930644, + "narHash": "sha256-W9pyM3/vePxrffHtzlJI6lDS3seANQ+Nqp+i58O46LI=", "owner": "nix-community", "repo": "home-manager", - "rev": "44677a1c96810a8e8c4ffaeaad10c842402647c1", + "rev": "e3ad5108f54177e6520535768ddbf1e6af54b59d", "type": "github" }, "original": { @@ -267,9 +363,9 @@ "lanzaboote": { "inputs": { "crane": "crane", - "flake-compat": "flake-compat", - "flake-parts": "flake-parts", - "flake-utils": "flake-utils_2", + "flake-compat": "flake-compat_2", + "flake-parts": "flake-parts_2", + "flake-utils": "flake-utils_3", "nixpkgs": [ "nixpkgs" ], @@ -291,10 +387,35 @@ "type": "github" } }, + "napalm": { + "inputs": { + "flake-utils": [ + "authentik", + "flake-utils" + ], + "nixpkgs": [ + "authentik", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703102458, + "narHash": "sha256-3pOV731qi34Q2G8e2SqjUXqnftuFrbcq+NdagEZXISo=", + "owner": "nix-community", + "repo": "napalm", + "rev": "edcb26c266ca37c9521f6a97f33234633cbec186", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "napalm", + "type": "github" + } + }, "nix-colors": { "inputs": { "base16-schemes": "base16-schemes", - "nixpkgs-lib": "nixpkgs-lib" + "nixpkgs-lib": "nixpkgs-lib_2" }, "locked": { "lastModified": 1707825078, @@ -310,6 +431,28 @@ "type": "github" } }, + "nix-github-actions": { + "inputs": { + "nixpkgs": [ + "authentik", + "poetry2nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703863825, + "narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=", + "owner": "nix-community", + "repo": "nix-github-actions", + "rev": "5163432afc817cf8bd1f031418d1869e4c9d5547", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-github-actions", + "type": "github" + } + }, "nix-index-database": { "inputs": { "nixpkgs": [ 
@@ -346,6 +489,24 @@ } }, "nixpkgs-lib": { + "locked": { + "dir": "lib", + "lastModified": 1711703276, + "narHash": "sha256-iMUFArF0WCatKK6RzfUJknjem0H9m4KgorO/p3Dopkk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d8fe5e6c92d0d190646fb9f1056741a229980089", + "type": "github" + }, + "original": { + "dir": "lib", + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-lib_2": { "locked": { "lastModified": 1697935651, "narHash": "sha256-qOfWjQ2JQSQL15KLh6D7xQhx0qgZlYZTYlcEiRuAMMw=", @@ -412,6 +573,34 @@ "type": "sourcehut" } }, + "poetry2nix": { + "inputs": { + "flake-utils": [ + "authentik", + "flake-utils" + ], + "nix-github-actions": "nix-github-actions", + "nixpkgs": [ + "authentik", + "nixpkgs" + ], + "systems": "systems_3", + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1715017507, + "narHash": "sha256-RN2Vsba56PfX02DunWcZYkMLsipp928h+LVAWMYmbZg=", + "owner": "nix-community", + "repo": "poetry2nix", + "rev": "e6b36523407ae6a7a4dfe29770c30b3a3563b43a", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "poetry2nix", + "type": "github" + } + }, "pre-commit-hooks-nix": { "inputs": { "flake-compat": [ @@ -466,6 +655,7 @@ "root": { "inputs": { "agenix": "agenix", + "authentik": "authentik", "dns": "dns", "home-manager": "home-manager", "impermanence": "impermanence", 
@@ -534,6 +724,57 @@ "type": "github" } }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "id": "systems", + "type": "indirect" + } + }, + "systems_4": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "authentik", + "poetry2nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1714058656, + "narHash": "sha256-Qv4RBm4LKuO4fNOfx9wl40W2rBbv5u5m+whxRYUMiaA=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "c6aaf729f34a36c445618580a9f95a48f5e4e03f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, "trucksimulatorbot": { "inputs": { "images": "images", diff --git a/flake.nix b/flake.nix index 22d4107..833a3e0 100644 --- a/flake.nix +++ b/flake.nix @@ -28,6 +28,11 @@ }; nix-colors.url = "github:Misterio77/nix-colors"; + authentik = { + # branch to fix https://github.com/nix-community/authentik-nix/issues/24 + url = "github:nix-community/authentik-nix/node-22"; + inputs.nixpkgs.follows = "nixpkgs"; + }; purge = { url = "sourcehut:~rouven/purge"; @@ -56,6 +61,7 @@ , dns , nix-index-database , agenix + , authentik , impermanence , nix-colors , lanzaboote @@ -112,6 +118,7 @@ nix-index-database.nixosModules.nix-index impermanence.nixosModules.impermanence agenix.nixosModules.default + authentik.nixosModules.default ./hosts/nuc ./shared { diff --git a/hosts/nuc/default.nix b/hosts/nuc/default.nix index fca901e..c6f8ffc 100644 --- a/hosts/nuc/default.nix 
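Review bot: The new `authentik` input in the first flake.nix hunk follows the moving `node-22` branch of authentik-nix, so reproducibility rests entirely on the lock entry (rev 84c3ce6fe7c174ed1a53cbc5e36cf6a70f4dcc1b in the flake.lock hunk) and any later `nix flake update` will silently pick up whatever that branch holds at the time. The comment records why the branch is used but not when it can go away; I would extend it to `# TODO: drop the node-22 ref once nix-community/authentik-nix#24 is fixed` so the workaround has an exit condition. If the branch is expected to live for a while, pinning the commit in the url instead of the bare branch name keeps updates deliberate.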
+++ b/hosts/nuc/default.nix
@@ -4,10 +4,11 @@
 [
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
+ ./modules/authentik
 ./modules/networks
 ./modules/adguard
 ./modules/backup
- ./modules/keycloak
+ # ./modules/keycloak
 ./modules/jellyfin
 ./modules/cache
 ./modules/matrix
diff --git a/hosts/nuc/modules/authentik/default.nix b/hosts/nuc/modules/authentik/default.nix
new file mode 100644
index 0000000..6001fb9
--- /dev/null
+++ b/hosts/nuc/modules/authentik/default.nix
@@ -0,0 +1,18 @@
+{ config, ... }:
+let
+ domain = "auth.${config.networking.domain}";
+in
+{
+ age.secrets.authentik = {
+ file = ../../../../secrets/nuc/authentik.age;
+ };
+ services.authentik = {
+ enable = true;
+ environmentFile = config.age.secrets.authentik.path;
+ nginx = {
+ enable = true;
+ enableACME = true;
+ host = domain;
+ };
+ };
+}
diff --git a/hosts/thinkpad/modules/networks/uni.nix b/hosts/thinkpad/modules/networks/uni.nix
index 8fe1cbd..a832e5d 100644
--- a/hosts/thinkpad/modules/networks/uni.nix
+++ b/hosts/thinkpad/modules/networks/uni.nix
@@ -23,7 +23,7 @@
 identity="rose159e@tu-dresden.de"
 password="@EDUROAM_AUTH@"
 phase2="auth=PAP"
- bssid_ignore=7c:5a:1c:02:3d:ef 82:5a:1c:02:3d:ef
+ bssid_ignore=7c:5a:1c:02:3d:ef 82:5a:1c:02:3d:ef 82:5a:1c:02:3d:db
 '';
 extraConfig = ''
 scan_ssid=1
diff --git a/secrets.nix b/secrets.nix
index 3c5a63c..e255c53 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -22,6 +22,7 @@ in
 "secrets/nuc/vaultwarden.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/mullvad.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/keycloak/db.age".publicKeys = [ rouven nuc ];
+ "secrets/nuc/authentik.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/cache.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/borg/passphrase.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/borg/key.age".publicKeys = [ rouven nuc ];
diff --git a/secrets/nuc/authentik.age b/secrets/nuc/authentik.age
new file mode 100644
index 0000000..64c4510
--- /dev/null
+++ b/secrets/nuc/authentik.age
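Review bot: `# ./modules/keycloak` parks the Keycloak import as a commented-out line with no note on whether the module is retired or only disabled while authentik is brought up, and `secrets/nuc/keycloak/db.age` stays registered in the secrets.nix hunk, so a later reader cannot tell whether module and secret can be deleted. Either remove the line outright (git keeps the history) or annotate it, e.g. `# ./modules/keycloak  # superseded by ./modules/authentik; remove once clients are migrated`. Note that dropping the import only stops declaring the service; whatever state Keycloak kept on the host presumably remains until it is cleaned up explicitly.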
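Review bot: `domain = "auth.${config.networking.domain}"` in the new authentik module fails at evaluation when `networking.domain` is unset (its NixOS default is null, which cannot be coerced to a string), and nothing in this file states that dependency; presumably ./modules/networks sets it for nuc, so a header comment such as `# requires networking.domain (set in ./modules/networks)` would make the coupling visible. The file referenced by `environmentFile` is opaque here; the module expects it to supply `AUTHENTIK_SECRET_KEY`, and seeding `AUTHENTIK_BOOTSTRAP_PASSWORD` there as well creates the admin account before the ACME-published host becomes reachable, instead of relying on the unauthenticated initial-setup flow to be completed in time. `services.authentik.settings` is left at its defaults; if startup telemetry is unwanted, `settings.disable_startup_analytics = true;` is the usual opt-out.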
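Review bot: The uni.nix hunk extends `bssid_ignore` a third time without recording why these access points are skipped, so each future addition has to be reverse-engineered from whatever symptom prompted it. wpa_supplicant network blocks accept `#` comments, so a one-line note above the entry, e.g. `# APs excluded on purpose — state the reason when adding one`, filled in with the actual cause, would keep the list maintainable. The enclosing multi-line string and its `networks` attribute start outside the hunk.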
@@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 uWbAHQ Ugn0lJVRoXJXjny2pI00ucIUmUpAySNhOr2hELEjDDE +1yYbV4zXfF/+XxumG/Nolrjzt8Mha8z2hjqhDpeTYR8 +-> ssh-ed25519 2TRdXg Ojx2JribTuqz8xz/ji6JQ++IFHUfkMnCOggv9/iaYFQ +RDrII1dvf3xpHMxbQupUMoQF23bS19oEeG1IGtC8VqE +--- wt+26KqMhqizDdV2YxvJ81GbFd8eM+92RgUA6V4nQXU ++(E@=v5z&R͊%ҕ+(T:7˭rBQDڞBbz1_+\aIE@!-! \ No newline at end of file