feat(self_host/sso): changing from authentik and kanidm

2025-12-16 11:55:17 +01:00 · 2025-12-16 11:55:17 +01:00 · ddb3f8d218
commit ddb3f8d218
parent 245b9773fc
1 changed files with 48 additions and 85 deletions
--- a/services/self_host/sso.nix
+++ b/services/self_host/sso.nix
@ -7,101 +7,64 @@
 let
  cfg = config.service.selfhost.sso;
-  envFile = config.age.secrets."authentik-env".path;
+  kanidm-admin = config.age.secrets."kanidm-admin".path;
  envDst = "/run/authentik/env";
 in
  {
  config = lib.mkIf cfg {
    users = {
-      users.authentik = {
+      groups.kanidm = {};
      users.kanidm = {
        isSystemUser = true;
-        description = "Authentik service user";
+        group = "kanidm";
-        group = "authentik";
+        extraGroups = [ "nginx" ];
        home = "/var/lib/authentik";
      };
      groups.authentik = {};
    };
    systemd.tmpfiles.rules = [
      "d /run/authentik 0750 authentik authentik - -"
    ];
    systemd.services.authentik-env = {
      description = "Prepare Authentik environment file";
      before = [
        "authentik.service"
        "authentik-migrate.service"
        "authentik-worker.service"
      ];
      wantedBy = [
        "authentik.service"
        "authentik-migrate.service"
        "authentik-worker.service"
      ];
      after = [
        "systemd-sysusers.service"
      ];
      serviceConfig = {
        Type = "oneshot";
        ExecStart = "${pkgs.coreutils}/bin/install -D -m0400 ${envFile} ${envDst}";
        ExecStartPost = "${pkgs.coreutils}/bin/chown authentik:authentik ${envDst}";
      };
    };
-
+    security.acme.certs."auth.enium.eu".group = "nginx";
    systemd.services.authentik = {
      after = [
        "authentik-env.service"
        "postgresql.service"
        "redis-authentik.service"
      ];
      requires = [
        "authentik-env.service"
        "postgresql.service"
        "redis-authentik.service"
      ];
    };
    services = {
-      authentik = {
+      kanidm = {
-        enable = true;
+        package = pkgs.kanidm_1_8;
-        environmentFile = envDst;
+        provision = {
-        settings = {
+          idmAdminPasswordFile = kanidm-admin;
-          AUTHENTIK_LISTEN__HTTP = "127.0.0.1:9000";
+          persons = {
-          AUTHENTIK_POSTGRESQL__HOST = "/run/postgresql";
+            raphael = {
-          AUTHENTIK_POSTGRESQL__USER = "authentik";
+              legalName = "Raphael Parodi";
-          AUTHENTIK_POSTGRESQL__NAME = "authentik";
+              displayName = "Raphael";
-          AUTHENTIK_REDIS__HOST = "127.0.0.1";
+              mailAddresses = [
-          AUTHENTIK_REDIS__DB = 0;
+                "raphael@enium.eu"
-          AUTHENTIK_REDIS__PORT = 6380;
+              ];
              groups = [
                "users"
                "idm_admins"
              ];
            };
          };
        };
        enableClient = true;
        clientSettings.uri = "https://auth.enium.eu";
        enableServer = true;
        serverSettings = {
          role = "WriteReplica";
          domain = "enium.eu";
          origin = "https://auth.enium.eu";
          bindaddress = "127.0.0.1:9000";
          tls_chain = "/var/lib/acme/auth.enium.eu/fullchain.pem";
          tls_key = "/var/lib/acme/auth.enium.eu/key.pem";
        };
      };
-      redis.servers."authentik" = {
+      nginx.virtualHosts."auth.enium.eu" = {
-        enable = true;
+        enableACME = true;
-        bind = "127.0.0.1";
+        forceSSL = true;
-        port = lib.mkForce 6380;
+        locations."/" = {
-      };
+          proxyPass = "https://127.0.0.1:9000";
-      postgresql = {
+          proxyWebsockets = true;
-        enable = true;
+
-        ensureDatabases = [
+          extraConfig = ''
-          "authentik"
+            proxy_ssl_verify off;
-        ];
+            proxy_set_header Host $host;
-        ensureUsers = [
+            proxy_set_header X-Real-IP $remote_addr;
-          {
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            name = "authentik";
+            proxy_set_header X-Forwarded-Proto https;
-            ensureDBOwnership = true;
+          '';
          }
        ];
        initialScript = pkgs.writeText "init-authentik-db.sql" ''
          ALTER USER authentik WITH PASSWORD '$(grep AUTHENTIK_POSTGRESQL__PASSWORD ${envFile} | cut -d= -f2)';
        '';
      };
      nginx = {
        virtualHosts."auth.enium.eu" = {
          forceSSL = true;
          enableACME = true;
          locations."/" = {
            proxyPass = "http://127.0.0.1:9000";
            proxyWebsockets = true;
          };
        };
      };
    };