raphael/nixos
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(self_host/sso): changing from authentik and kanidm

Browse source
This commit is contained in:
Raphael 2025-12-16 11:55:17 +01:00
parent 245b9773fc
commit ddb3f8d218
No known key found for this signature in database
1 changed files with 48 additions and 85 deletions
Download patch file Download diff file Expand all files Collapse all files

131
services/self_host/sso.nix
View file

@ -7,102 +7,65 @@
let let
cfg = config.service.selfhost.sso; cfg = config.service.selfhost.sso;
envFile = config.age.secrets."authentik-env".path; kanidm-admin = config.age.secrets."kanidm-admin".path;
envDst = "/run/authentik/env";
in in
{ {
config = lib.mkIf cfg { config = lib.mkIf cfg {
users = { users = {
users.authentik = { groups.kanidm = {};
users.kanidm = {
isSystemUser = true; isSystemUser = true;
description = "Authentik service user"; group = "kanidm";
group = "authentik"; extraGroups = [ "nginx" ];
home = "/var/lib/authentik";
};
groups.authentik = {};
};
systemd.tmpfiles.rules = [
"d /run/authentik 0750 authentik authentik - -"
];
systemd.services.authentik-env = {
description = "Prepare Authentik environment file";
before = [
"authentik.service"
"authentik-migrate.service"
"authentik-worker.service"
];
wantedBy = [
"authentik.service"
"authentik-migrate.service"
"authentik-worker.service"
];
after = [
"systemd-sysusers.service"
];
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.coreutils}/bin/install -D -m0400 ${envFile} ${envDst}";
ExecStartPost = "${pkgs.coreutils}/bin/chown authentik:authentik ${envDst}";
}; };
}; };
security.acme.certs."auth.enium.eu".group = "nginx";
systemd.services.authentik = {
after = [
"authentik-env.service"
"postgresql.service"
"redis-authentik.service"
];
requires = [
"authentik-env.service"
"postgresql.service"
"redis-authentik.service"
];
};
services = { services = {
authentik = { kanidm = {
enable = true; package = pkgs.kanidm_1_8;
environmentFile = envDst; provision = {
settings = { idmAdminPasswordFile = kanidm-admin;
AUTHENTIK_LISTEN__HTTP = "127.0.0.1:9000"; persons = {
AUTHENTIK_POSTGRESQL__HOST = "/run/postgresql"; raphael = {
AUTHENTIK_POSTGRESQL__USER = "authentik"; legalName = "Raphael Parodi";
AUTHENTIK_POSTGRESQL__NAME = "authentik"; displayName = "Raphael";
AUTHENTIK_REDIS__HOST = "127.0.0.1"; mailAddresses = [
AUTHENTIK_REDIS__DB = 0; "raphael@enium.eu"
AUTHENTIK_REDIS__PORT = 6380;
};
};
redis.servers."authentik" = {
enable = true;
bind = "127.0.0.1";
port = lib.mkForce 6380;
};
postgresql = {
enable = true;
ensureDatabases = [
"authentik"
]; ];
ensureUsers = [ groups = [
{ "users"
name = "authentik"; "idm_admins"
ensureDBOwnership = true;
}
]; ];
initialScript = pkgs.writeText "init-authentik-db.sql" '' };
ALTER USER authentik WITH PASSWORD '$(grep AUTHENTIK_POSTGRESQL__PASSWORD ${envFile} | cut -d= -f2)'; };
};
enableClient = true;
clientSettings.uri = "https://auth.enium.eu";
enableServer = true;
serverSettings = {
role = "WriteReplica";
domain = "enium.eu";
origin = "https://auth.enium.eu";
bindaddress = "127.0.0.1:9000";
tls_chain = "/var/lib/acme/auth.enium.eu/fullchain.pem";
tls_key = "/var/lib/acme/auth.enium.eu/key.pem";
};
};
nginx.virtualHosts."auth.enium.eu" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "https://127.0.0.1:9000";
proxyWebsockets = true;
extraConfig = ''
proxy_ssl_verify off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
''; '';
}; };
nginx = {
virtualHosts."auth.enium.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:9000";
proxyWebsockets = true;
};
};
}; };
}; };
}; };