falkenstein: move mail to /var

secrets: fix authentik
seafile: configure authentik
2024-11-15 05:13:10 +01:00 · 2024-05-20 12:25:13 +02:00 · 2024-05-20 12:25:02 +02:00 · 2024-05-20 12:20:28 +02:00 · 2024-05-20 12:19:05 +02:00
12 changed files with 297 additions and 17 deletions
--- a/flake.lock
+++ b/flake.lock
@ -25,6 +25,50 @@
        "type": "github"
      }
    },
+    "authentik": {
+      "inputs": {
+        "authentik-src": "authentik-src",
+        "flake-compat": "flake-compat",
+        "flake-parts": "flake-parts",
+        "flake-utils": "flake-utils",
+        "napalm": "napalm",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "poetry2nix": "poetry2nix"
+      },
+      "locked": {
+        "lastModified": 1715166702,
+        "narHash": "sha256-PJxwZoT1JWxMaKRdTLMHN55mdYlhZn2L5VpvyevKkug=",
+        "owner": "nix-community",
+        "repo": "authentik-nix",
+        "rev": "84c3ce6fe7c174ed1a53cbc5e36cf6a70f4dcc1b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "node-22",
+        "repo": "authentik-nix",
+        "type": "github"
+      }
+    },
+    "authentik-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1715092773,
+        "narHash": "sha256-B+ZLD1D/UQty1urQ0qDFo67vjsk/jtssjqIQOY0Oxq4=",
+        "owner": "goauthentik",
+        "repo": "authentik",
+        "rev": "1f5953b5b7e72c085246e8f19b94482dac946d83",
+        "type": "github"
+      },
+      "original": {
+        "owner": "goauthentik",
+        "ref": "version/2024.4.2",
+        "repo": "authentik",
+        "type": "github"
+      }
+    },
    "base16-schemes": {
      "flake": false,
      "locked": {
@ -98,7 +142,7 @@
    },
    "dns": {
      "inputs": {
-        "flake-utils": "flake-utils",
+        "flake-utils": "flake-utils_2",
        "nixpkgs": [
          "nixpkgs"
        ]
@ -118,6 +162,22 @@
      }
    },
    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_2": {
      "flake": false,
      "locked": {
        "lastModified": 1673956053,
@ -134,6 +194,24 @@
      }
    },
    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": "nixpkgs-lib"
+      },
+      "locked": {
+        "lastModified": 1712014858,
+        "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_2": {
      "inputs": {
        "nixpkgs-lib": [
          "lanzaboote",
@ -155,6 +233,24 @@
      }
    },
    "flake-utils": {
+      "inputs": {
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_2": {
      "locked": {
        "lastModified": 1614513358,
        "narHash": "sha256-LakhOx3S1dRjnh0b5Dg3mbZyH0ToC9I8Y2wKSkBaTzU=",
@ -169,9 +265,9 @@
        "type": "github"
      }
    },
-    "flake-utils_2": {
+    "flake-utils_3": {
      "inputs": {
-        "systems": "systems_2"
+        "systems": "systems_4"
      },
      "locked": {
        "lastModified": 1681202837,
@ -216,11 +312,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1715486357,
-        "narHash": "sha256-4pRuzsHZOW5W4CsXI9uhKtiJeQSUoe1d2M9mWU98HC4=",
+        "lastModified": 1715930644,
+        "narHash": "sha256-W9pyM3/vePxrffHtzlJI6lDS3seANQ+Nqp+i58O46LI=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "44677a1c96810a8e8c4ffaeaad10c842402647c1",
+        "rev": "e3ad5108f54177e6520535768ddbf1e6af54b59d",
        "type": "github"
      },
      "original": {
@ -267,9 +363,9 @@
    "lanzaboote": {
      "inputs": {
        "crane": "crane",
-        "flake-compat": "flake-compat",
-        "flake-parts": "flake-parts",
-        "flake-utils": "flake-utils_2",
+        "flake-compat": "flake-compat_2",
+        "flake-parts": "flake-parts_2",
+        "flake-utils": "flake-utils_3",
        "nixpkgs": [
          "nixpkgs"
        ],
@ -291,10 +387,35 @@
        "type": "github"
      }
    },
+    "napalm": {
+      "inputs": {
+        "flake-utils": [
+          "authentik",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "authentik",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1703102458,
+        "narHash": "sha256-3pOV731qi34Q2G8e2SqjUXqnftuFrbcq+NdagEZXISo=",
+        "owner": "nix-community",
+        "repo": "napalm",
+        "rev": "edcb26c266ca37c9521f6a97f33234633cbec186",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "napalm",
+        "type": "github"
+      }
+    },
    "nix-colors": {
      "inputs": {
        "base16-schemes": "base16-schemes",
-        "nixpkgs-lib": "nixpkgs-lib"
+        "nixpkgs-lib": "nixpkgs-lib_2"
      },
      "locked": {
        "lastModified": 1707825078,
@ -310,6 +431,28 @@
        "type": "github"
      }
    },
+    "nix-github-actions": {
+      "inputs": {
+        "nixpkgs": [
+          "authentik",
+          "poetry2nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1703863825,
+        "narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=",
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "rev": "5163432afc817cf8bd1f031418d1869e4c9d5547",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "type": "github"
+      }
+    },
    "nix-index-database": {
      "inputs": {
        "nixpkgs": [
@ -346,6 +489,24 @@
      }
    },
    "nixpkgs-lib": {
+      "locked": {
+        "dir": "lib",
+        "lastModified": 1711703276,
+        "narHash": "sha256-iMUFArF0WCatKK6RzfUJknjem0H9m4KgorO/p3Dopkk=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "d8fe5e6c92d0d190646fb9f1056741a229980089",
+        "type": "github"
+      },
+      "original": {
+        "dir": "lib",
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-lib_2": {
      "locked": {
        "lastModified": 1697935651,
        "narHash": "sha256-qOfWjQ2JQSQL15KLh6D7xQhx0qgZlYZTYlcEiRuAMMw=",
@ -412,6 +573,34 @@
        "type": "sourcehut"
      }
    },
+    "poetry2nix": {
+      "inputs": {
+        "flake-utils": [
+          "authentik",
+          "flake-utils"
+        ],
+        "nix-github-actions": "nix-github-actions",
+        "nixpkgs": [
+          "authentik",
+          "nixpkgs"
+        ],
+        "systems": "systems_3",
+        "treefmt-nix": "treefmt-nix"
+      },
+      "locked": {
+        "lastModified": 1715017507,
+        "narHash": "sha256-RN2Vsba56PfX02DunWcZYkMLsipp928h+LVAWMYmbZg=",
+        "owner": "nix-community",
+        "repo": "poetry2nix",
+        "rev": "e6b36523407ae6a7a4dfe29770c30b3a3563b43a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "poetry2nix",
+        "type": "github"
+      }
+    },
    "pre-commit-hooks-nix": {
      "inputs": {
        "flake-compat": [
@ -466,6 +655,7 @@
    "root": {
      "inputs": {
        "agenix": "agenix",
+        "authentik": "authentik",
        "dns": "dns",
        "home-manager": "home-manager",
        "impermanence": "impermanence",
@ -534,6 +724,57 @@
        "type": "github"
      }
    },
+    "systems_3": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "id": "systems",
+        "type": "indirect"
+      }
+    },
+    "systems_4": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "treefmt-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "authentik",
+          "poetry2nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1714058656,
+        "narHash": "sha256-Qv4RBm4LKuO4fNOfx9wl40W2rBbv5u5m+whxRYUMiaA=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "c6aaf729f34a36c445618580a9f95a48f5e4e03f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
+    },
    "trucksimulatorbot": {
      "inputs": {
        "images": "images",
--- a/flake.nix
+++ b/flake.nix
@ -28,6 +28,11 @@
    };

    nix-colors.url = "github:Misterio77/nix-colors";
+    authentik = {
+      # branch to fix https://github.com/nix-community/authentik-nix/issues/24
+      url = "github:nix-community/authentik-nix/node-22";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };

    purge = {
      url = "sourcehut:~rouven/purge";
@ -56,6 +61,7 @@
    , dns
    , nix-index-database
    , agenix
+    , authentik
    , impermanence
    , nix-colors
    , lanzaboote
@ -112,6 +118,7 @@
            nix-index-database.nixosModules.nix-index
            impermanence.nixosModules.impermanence
            agenix.nixosModules.default
+            authentik.nixosModules.default
            ./hosts/nuc
            ./shared
            {
--- a/hosts/falkenstein/modules/backup/default.nix
+++ b/hosts/falkenstein/modules/backup/default.nix
@ -10,6 +10,8 @@
      source_directories = [
        "/var/lib"
        "/var/log"
+        "/var/mail"
+        "/var/sieve"
        "/root"
      ];

--- a/hosts/falkenstein/modules/mail/dovecot2.nix
+++ b/hosts/falkenstein/modules/mail/dovecot2.nix
@ -13,7 +13,7 @@ in
      enableImap = true;
      enableQuota = false;
      enableLmtp = true;
-      mailLocation = "maildir:~/Maildir";
+      mailLocation = "maildir:/var/mail/%n";
      sslServerCert = "/var/lib/acme/${hostname}/fullchain.pem";
      sslServerKey = "/var/lib/acme/${hostname}/key.pem";
      protocols = [ "imap" "sieve" ];
@ -114,6 +114,9 @@ in
          }
          client_limit = 1
        }
+        plugin {
+          sieve = file:/var/sieve/%u;active=/var/sieve/%u.sieve
+        }
      '';
    };
  };
--- a/hosts/falkenstein/modules/mail/postfix.nix
+++ b/hosts/falkenstein/modules/mail/postfix.nix
@ -36,7 +36,7 @@ in
      sslCert = "/var/lib/acme/${hostname}/fullchain.pem";
      sslKey = "/var/lib/acme/${hostname}/key.pem";
      config = {
-        home_mailbox = "Maildir/";
+        # home_mailbox = "Maildir/";
        smtp_helo_name = config.networking.fqdn;
        smtpd_banner = "${config.networking.fqdn} ESMTP $mail_name";
        smtp_use_tls = true;
--- a/hosts/nuc/default.nix
+++ b/hosts/nuc/default.nix
@ -4,10 +4,11 @@
    [
      # Include the results of the hardware scan.
      ./hardware-configuration.nix
+      ./modules/authentik
      ./modules/networks
      ./modules/adguard
      ./modules/backup
-      ./modules/keycloak
+      # ./modules/keycloak
      ./modules/jellyfin
      ./modules/cache
      ./modules/matrix
--- a/hosts/nuc/modules/authentik/default.nix
+++ b/hosts/nuc/modules/authentik/default.nix
@ -0,0 +1,18 @@
+{ config, ... }:
+let
+  domain = "auth.${config.networking.domain}";
+in
+{
+  age.secrets.authentik = {
+    file = ../../../../secrets/nuc/authentik.age;
+  };
+  services.authentik = {
+    enable = true;
+    environmentFile = config.age.secrets.authentik.path;
+    nginx = {
+      enable = true;
+      enableACME = true;
+      host = domain;
+    };
+  };
+}
--- a/hosts/nuc/modules/seafile/default.nix
+++ b/hosts/nuc/modules/seafile/default.nix
@ -20,9 +20,9 @@ in
      OAUTH_REDIRECT_URL = 'https://seafile.rfive.de/oauth/callback/'
 
      OAUTH_PROVIDER_DOMAIN   = 'seafile.rfive.de'
-      OAUTH_AUTHORIZATION_URL = 'https://auth.rfive.de/realms/master/protocol/openid-connect/auth'
-      OAUTH_TOKEN_URL         = 'https://auth.rfive.de/realms/master/protocol/openid-connect/token'
-      OAUTH_USER_INFO_URL     = 'https://auth.rfive.de/realms/master/protocol/openid-connect/userinfo'
+      OAUTH_AUTHORIZATION_URL = 'https://auth.rfive.de/application/o/authorize/'
+      OAUTH_TOKEN_URL         = 'https://auth.rfive.de/application/o/token/'
+      OAUTH_USER_INFO_URL     = 'https://auth.rfive.de/application/o/userinfo/'
      OAUTH_SCOPE = [ "openid", "profile", "email"]
      OAUTH_ATTRIBUTE_MAP = {
          "id":    (False, "not used"),
--- a/hosts/thinkpad/modules/networks/uni.nix
+++ b/hosts/thinkpad/modules/networks/uni.nix
@ -23,7 +23,7 @@
          identity="rose159e@tu-dresden.de"
          password="@EDUROAM_AUTH@"
          phase2="auth=PAP"
-          bssid_ignore=7c:5a:1c:02:3d:ef 82:5a:1c:02:3d:ef
+          bssid_ignore=7c:5a:1c:02:3d:ef 82:5a:1c:02:3d:ef 82:5a:1c:02:3d:db
        '';
        extraConfig = ''
          scan_ssid=1
--- a/secrets.nix
+++ b/secrets.nix
@ -22,6 +22,7 @@ in
  "secrets/nuc/vaultwarden.age".publicKeys = [ rouven nuc ];
  "secrets/nuc/mullvad.age".publicKeys = [ rouven nuc ];
  "secrets/nuc/keycloak/db.age".publicKeys = [ rouven nuc ];
+  "secrets/nuc/authentik.age".publicKeys = [ rouven nuc ];
  "secrets/nuc/cache.age".publicKeys = [ rouven nuc ];
  "secrets/nuc/borg/passphrase.age".publicKeys = [ rouven nuc ];
  "secrets/nuc/borg/key.age".publicKeys = [ rouven nuc ];
--- a/secrets/nuc/authentik.age
+++ b/secrets/nuc/authentik.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 uWbAHQ P8lLfyQJTLD48yjbIo4r2f9nDxhyYEwdyKtI8YV6Pmo
+tBUvWgD29fC/fTmNkhxmCEMUpNtToLprkjcO1r5ZKvo
+-> ssh-ed25519 2TRdXg vF2wlEgZccEAiCsGo3Ui1WhvqBba9n+ahObUlJjip00
+2jnqkxGTajSAYXzuRKXNEhEzCLqZFjbKNmzFlgwMZxk
+--- Di6ktfCRqwE0fYflVF6xGQOnKbNZdaUr8fhWNE0qvBM
+»ŸC’Ò® „ÅÂAU+gÆšAÞ¡ð¨åb•«—Êèƒ‰µÇcratC/êžÇþ<C387>ß±Õll"ªÙ7¬ŠžŒ{\=<3D>ÍÍX#ÞoÜ{)ÞÑWþØÖlÏù³ºÏ{‚ô›
--- a/secrets/thinkpad/wireless.age
+++ b/secrets/thinkpad/wireless.age
Author	SHA1	Message	Date
Rouven Seifert	f0647c2356	falkenstein: move mail to /var	2024-05-20 12:25:13 +02:00
Rouven Seifert	f1faf050b7	secrets: fix authentik	2024-05-20 12:25:02 +02:00
Rouven Seifert	98c4891023	seafile: configure authentik	2024-05-20 12:20:28 +02:00
Rouven Seifert	21da78256c	nuc: configure authentik	2024-05-20 12:19:05 +02:00