diff --git a/flake.nix b/flake.nix
index 57054f3..27f321b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -12,6 +12,7 @@
 minecraft.url = "github:Infinidoge/nix-minecraft";
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
 nixvim.url = "github:EniumRaphael/nixvim";
+ authentik-nix.url = "github:nix-community/authentik-nix";
 zen-browser.url = "github:0xc000022070/zen-browser-flake";
 catppuccin = {
 url = "github:catppuccin/nix";
@@ -25,6 +26,7 @@
 nixpkgs,
 flake-utils,
 agenix,
+ authentik-nix,
 home-manager,
 hm-config,
 catppuccin,
@@ -64,6 +66,7 @@
 ./hosts/server/configuration.nix
 home-manager.nixosModules.home-manager
 agenix.nixosModules.default
+ authentik-nix.nixosModules.default
 {
 home-manager.sharedModules = [ catppuccin.homeModules.catppuccin ];
 home-manager.useGlobalPkgs = true;
diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix
index 87e9789..b2d08d6 100644
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -41,6 +41,7 @@
 mail = true;
 monitor = true;
 nextcloud = true;
+ sso = true;
 };
 forty_two.irc = true;
 web.portefolio = true;
diff --git a/hosts/server/secrets.nix b/hosts/server/secrets.nix
index e94a8ac..6eb40fb 100644
--- a/hosts/server/secrets.nix
+++ b/hosts/server/secrets.nix
@@ -1,4 +1,5 @@
-{ config, pkgs, inputs, ... }:
+{ inputs, ... }:
+
 {
 imports = [ inputs.agenix.nixosModules.default ];
@@ -10,11 +11,30 @@
 group = "root";
 mode = "0400";
 };
-
 age.secrets."mailjet-pass" = {
 file = ../../secrets/mailjet-pass.age;
 owner = "root";
 group = "root";
 mode = "0400";
 };
+
+ age.secrets."authentik-env" = {
+ file = ../../secrets/authentik-env.age;
+ owner = "root";
+ group = "root";
+ mode = "0400";
+ };
+
+ age.secrets."auth-grafana-id" = {
+ file = ../../secrets/auth-grafana-id.age;
+ owner = "root";
+ group = "grafana";
+ mode = "0440";
+ };
+ age.secrets."auth-grafana-secret" = {
+ file = ../../secrets/auth-grafana-secret.age;
+ owner = "root";
+ group = "grafana";
+ mode = "0440";
+ };
 }
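Review bot: The two `auth-grafana-*` secrets added in the second hosts/server/secrets.nix hunk are decrypted with `group = "grafana"` and `mode = "0440"`, but nothing in this diff reads them; unless Grafana's OAuth client settings reference `config.age.secrets."auth-grafana-id".path` in a file outside this change, they are decrypted on every boot for no consumer. Either add that wiring in the same change or put a comment above the pair naming the consumer, e.g. `# consumed by the Grafana OAuth client configured in the monitoring module`, so the next reader can tell the group/mode are intentional. The `authentik-env` secret stays `root:root 0400` and is handed to the service by a copy step in services/self_host/sso.nix; if the authentik units run as the `authentik` user, setting `owner = "authentik"` here and pointing `environmentFile` at the secret's path directly would make that copy step unnecessary, though whether they do is not visible in this diff.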
diff --git a/secrets/authentik-env.age b/secrets/authentik-env.age new file mode 100644 index 0000000..e75bd5e --- /dev/null +++ b/secrets/authentik-env.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 eRdPLg N3Qw3twIzp6k1j+P0bHMQsK3jruPyQ1glFPm3EjECFQ +WJxonlFtrzgrk+iFI+SAo/I7wG18+HcKRDti6EVRl9w +-> ssh-ed25519 KUgDMA mbkaxEH5MeHQakCD0EalLGY9EjbX3FqpCcN/APqiLSk +yQodnc7KiffYmmHbXi8Z41CkKmbBcPQQfrwZXPmrX+0 +--- RBFbw55F+eBIbdopQ1kyFcG65j0RL4jxP6d4R5nNg5U +:)zE3[raεV!A5 Nd.yL; +JӤJ[}Bg &$h9?ǔze 絞XRQxesʎCϴ¡Pߖ1Qj +󣬖ӓXf'bý4\螀 %$F0Q)R&}3T8tI25űb>@VSwb!]tmݰ vód–>Z܌X4)@8o')"}Ex/OE 3_`Rӿչk.ju1 b \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 79b58b4..84e8ee3 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -1,4 +1,3 @@ -{ config, pkgs, inputs, ... }: let main-server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFEEuBgdANmzr69bapLdSxu6gnsLHGUQUBatS2dQsdOU root@nixos"; systems = [ @@ -13,4 +12,7 @@ in { "mailjet-user.age".publicKeys = users ++ systems; "mailjet-pass.age".publicKeys = users ++ systems; + "authentik-env.age".publicKeys = users ++ systems; + "auth-grafana-id.age".publicKeys = users ++ systems; + "auth-grafana-secret.age".publicKeys = users ++ systems; } diff --git a/services/self_host.nix b/services/self_host.nix index 3b6b0b4..ea9336e 100644 --- a/services/self_host.nix +++ b/services/self_host.nix @@ -47,6 +47,14 @@ let lib ; }; + sso = import ./self_host/sso.nix { + inherit + inputs + config + pkgs + lib + ; + }; cfg = config.service.selfhost; in { @@ -56,6 +64,7 @@ in htop ollama monitor + sso ]; config = { @@ -89,5 +98,10 @@ in default = false; description = "Enable the nextcloud"; }; + sso = lib.mkOption { + type = lib.types.bool; + default = false; + description = "Enable the nextcloud"; + }; }; } diff --git a/services/self_host/sso.nix b/services/self_host/sso.nix new file mode 100644 index 0000000..744ad1b --- /dev/null +++ b/services/self_host/sso.nix 
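Review bot: The new `sso` option in the last services/self_host.nix hunk reuses the nextcloud description verbatim: `description = "Enable the nextcloud";` should read `description = "Enable Authentik SSO";`. The option is otherwise consistent with its siblings (bool, `default = false`) and the `sso` module is added to the imports list the same way as `monitor`, so the wording is the only thing to fix in these hunks.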
@@ -0,0 +1,88 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+ }:
+
+ let
+ cfg = config.service.selfhost.sso;
+ envFile = config.age.secrets."authentik-env".path;
+ envDst = "/run/authentik/env";
+ in
+ {
+ config = lib.mkIf cfg {
+ systemd.tmpfiles.rules = [
+ "d /run/authentik 0750 authentik authentik - -"
+ ];
+
+ systemd.services.authentik-env = {
+ description = "Prepare Authentik environment file";
+ before = [
+ "authentik.service"
+ "authentik-migrate.service"
+ "authentik-worker.service"
+ ];
+ wantedBy = [
+ "authentik.service"
+ "authentik-migrate.service"
+ "authentik-worker.service"
+ ];
+ after = [
+ "systemd-sysusers.service"
+ ];
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "${pkgs.coreutils}/bin/install -D -m0400 ${envFile} ${envDst}";
+ ExecStartPost = "${pkgs.coreutils}/bin/chown authentik:authentik ${envDst}";
+ };
+ };
+
+ systemd.services.authentik = {
+ after = [ "authentik-env.service" "postgresql.service" "redis-authentik.service" ];
+ requires = [ "authentik-env.service" "postgresql.service" "redis-authentik.service" ];
+ };
+
+ services = {
+ authentik = {
+ enable = true;
+ environmentFile = envDst;
+ settings = {
+ AUTHENTIK_LISTEN__HTTP = "127.0.0.1:9000";
+ AUTHENTIK_POSTGRESQL__HOST = "/run/postgresql";
+ AUTHENTIK_POSTGRESQL__USER = "authentik";
+ AUTHENTIK_POSTGRESQL__NAME = "authentik";
+ AUTHENTIK_REDIS__HOST = "127.0.0.1";
+ AUTHENTIK_REDIS__DB = 0;
+ AUTHENTIK_REDIS__PORT = 6380;
+ };
+ };
+ redis.servers.authentik.port = lib.mkForce 6380;
+ postgresql = {
+ enable = true;
+ ensureDatabases = [
+ "authentik"
+ ];
+ ensureUsers = [
+ {
+ name = "authentik";
+ ensureDBOwnership = true;
+ }
+ ];
+ initialScript = pkgs.writeText "init-authentik-db.sql" ''
+ ALTER USER authentik WITH PASSWORD '$(grep AUTHENTIK_POSTGRESQL__PASSWORD ${envFile} | cut -d= -f2)';
+ '';
+ };
+ nginx = {
+ virtualHosts."auth.enium.eu" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:9000";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ };
+ };
+}
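Review bot: The `initialScript` in the postgresql block does not set the intended password: `pkgs.writeText` produces a static SQL file that psql executes as-is, so `$(grep AUTHENTIK_POSTGRESQL__PASSWORD ${envFile} | cut -d= -f2)` is never shell-expanded and becomes the literal password string, while `${envFile}` only bakes the secret's runtime path into the store file. Because authentik is configured to connect over the `/run/postgresql` socket as the `authentik` role that `ensureUsers` creates, peer authentication should not need a password at all, so the simplest fix is to drop the three `initialScript` lines; if a password is really required, set it at runtime from a oneshot that sources the decrypted env file and runs `psql -c "ALTER USER authentik WITH PASSWORD '$AUTHENTIK_POSTGRESQL__PASSWORD'"` rather than from a store-built SQL file. Note also that, depending on the NixOS postgresql module version, `initialScript` runs on first start before `ensureUsers`, in which case `ALTER USER authentik` would fail because the role does not exist yet. As a style point, `ExecStart` installs the file as root and then `ExecStartPost` chowns it; `install -D -m0400 -o authentik -g authentik ${envFile} ${envDst}` does both in one step with no window where the file is root-owned.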