authentik: init

flake.nix

@@ -16,6 +16,10 @@
     vscode-server.url = "github:nix-community/nixos-vscode-server";
     notenrechner.url = "git+https://git.ifsr.de/frieder.hannenheim/notenrechner.git";
     notenrechner.inputs.nixpkgs.follows = "nixpkgs";
+    authentik = {
+      url = "github:nix-community/authentik-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
 
 
     course-management = {

modules/authentik/default.nix

@@ -0,0 +1,20 @@
+{ config, ... }:
+let
+  domain = "idm.${config.networking.domain}";
+in
+{
+  age.secrets.authentik-core = {
+    file = ../../../../secrets/nuc/authentik/core.age;
+  };
+  sops.secrets."authentik/env" = { };
+  services.authentik = {
+    enable = true;
+    nginx = {
+      enable = true;
+      host = domain;
+      enableACME = true;
+    };
+    environmentFile = config.sops.secrets."authentik/env".path;
+  };
+
+}

secrets/quitte.yaml

@@ -13,6 +13,8 @@ sssd:
     env: ENC[AES256_GCM,data:ng189+ulH79xCZKOn9N5kN3KqED9dWqLM8dErukJH3a3ivxhUjyy3Tpa+uSnJDh8tAyOesT1j71mlTgKQKb3phylVEdL,iv:i8NEGR+eQ42q5be4gJdNMf/9DCCcjr3gwkEW/+hrgxs=,tag:16EvtkTu+0M5bIlgxC2j9Q==,type:str]
 dovecot_ldap_search: ENC[AES256_GCM,data:xip5KREy8oqH+58DOtw9QLcVdDlO5Nr0IHki8X0i9J1rrI/BreH2tVPC8aRTDHFPRgpBxiL6,iv:98PSXajEis7sSJ4+IkPuBC05y8w7/XRYQVFH1cripEU=,tag:LcId5rlzz3JjjZIHwoh+AA==,type:str]
 rspamd-password: ENC[AES256_GCM,data:Dd6lTyDh3FFqOTeipY0o5uJz5/Mh6FsVahbI5M1njn5S690avzQ4+8YISrwkuA==,iv:OAuA+t2KzGDvURng2RWFAoMNfw+RNLtM1hLEniuzz9c=,tag:RBN41BmsrvgXKEOa8gCDfw==,type:str]
+authentik:
+    env: ENC[AES256_GCM,data:7Mcqe2/ny5oghO8kfV1b5LksxxmNGTn6u0LCDH1Q8kwkidOD6MXyMbyzN9LRU4ovDXwXy+ztwnNHBZPvGSGMKUMczIn5hhiA5ri93kk9G8Wy4rGjjt+0Z+JKsZV33rlrYgIr6eGy6Ps=,iv:gkzjx9yQQj31g5fBdAVKzAslpTUjPp1yWnOWQyotYy4=,tag:uOSU653xBYUai6DOF1ddYA==,type:str]
 grafana:
     oidc_secret: ENC[AES256_GCM,data:oH+VCL4e4wve6RyVwlTXPSmirbf+STD5FxUj9OjGDLs=,iv:PhVVCy5JyRa+fOrYAsnjDL+97zYASmKcBzB8t9ZVWIU=,tag:JzGO/FeKem4vd7ApvZ2Zcg==,type:str]
 mediawiki:
@@ -32,10 +34,6 @@ bacula:
 zammad_secret: ENC[AES256_GCM,data:Ok01cE+lgNaN0+wLZuBD6k2gsyTWDFVXEPprEvdwlIAQvwqYu2nou0GiCEcm/NF2cgsxERH2rYxxS/lPXIQxXjvHHLfovLSMH+Kd1F/T+qWZioDz7tzDV3GBom52c92kZ4XO2F3udku8IQLGsR7J6eA/xY7yj1g2CF7Vt37BMkg=,iv:5cdEBtgjXoJCve8PJDUcLQvXwe7sn/mgZIOUhzJtr/c=,tag:4fLmvfG6Ujcb5J3YGjP7Hg==,type:str]
 hyperilo_htaccess: ENC[AES256_GCM,data:FuHR9S6FhVyraJ6w9j6RTUryCqgVrhpfQg9y2OdnaqMFNcIR239OBmvqn+WlgFxcMqJtpIKe8ixBZq67pjxbSl2p,iv:zKMyhEJ160MN3+54csuurMXvIAFfWG95bv/cIH3hqJo=,tag:Nr0G7qx8cdpNoW3t5P1CBA==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age1x76ajqw8w4l5vlkwt5s3flz5a5jq5qlxv7uppmnf8ckj9egh9ekqjclzt6
           enc: |
@@ -55,8 +53,8 @@ sops:
             MWM0M3FvbjUzL3p3ZU1zUG94ckV3ZTAKUOAkZ8nlvT36cyPy5USyDzoIG569N818
             tMM5aQsEQ9vTOaUoK4gtBEXBva7VerMprdcTRYLcSJ/9L1vXdlVT/g==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-03-07T23:08:25Z"
-    mac: ENC[AES256_GCM,data:Pe0ACk6wVrMMoB7moMt+A8RPaiy8RZdH0gINpphQr1XGzfYOD6tMoS/YK/6JfTKagWzMpkOVnbpSpKVzdeBu1nzMM5DrOyeP5WBnkuBtBHjXBlis7khCKGEOxATEoM6lev31vjKDGFFP4HpwOrIAj6UaQ2RGSY/3FJ/SHk83eYY=,iv:6/sJcpY4XoEHHBV/W9BZAva/2gZiL4T/+6O55thuX1M=,tag:lpvyC44VIUMk3/KZZO+tmA==,type:str]
+    lastmodified: "2025-04-15T12:57:41Z"
+    mac: ENC[AES256_GCM,data:NKpGBhz9WFt9xbcbIZ+S8fkgbhfOk4g+5vhXSYPz5tVF/uLDjI4+T1nzy1yKVJA+9MGgQ5OHXgQ7kszrXHgn8fm+sG++MUEXJILcX840Poo9wRBhvDxtNL/oLFbSHsQ0FDe9oCcx+/T8Rmg7vYWARlokKDsXZ7wsTYjF9GkBivQ=,iv:SKVBvdyT3cRTfXuenLDEgk0yJJltwIBShZOkrDfnI10=,tag:58eNQ5k5hTUBTr/nwJULug==,type:str]
     pgp:
         - created_at: "2025-03-07T23:03:16Z"
           enc: |-
@@ -172,4 +170,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: FBBFAC260D9283D1EF2397DD3CA65E9DD6EB319D
     unencrypted_suffix: _unencrypted
-    version: 3.9.4
+    version: 3.10.1