From 833a21b1c190a403da1b1f3d61f780d88c1b0749 Mon Sep 17 00:00:00 2001 From: javalsai Date: Tue, 5 May 2026 00:02:34 +0200 Subject: [PATCH] draft: partially getting authentik to work needs manual systemctl start once booted for now its started at auth.tuxcord.test --- agenix/authentik.age | 20 +++ agenix/secrets.nix | 1 + flake.lock | 288 ++++++++++++++++++++++++++++++++++-- flake.nix | 7 + nixos/common.nix | 3 +- nixos/modules/authentik.nix | 17 +++ nixos/modules/default.nix | 1 + nixos/modules/nginx.nix | 4 + 8 files changed, 328 insertions(+), 13 deletions(-) create mode 100644 agenix/authentik.age create mode 100644 nixos/modules/authentik.nix diff --git a/agenix/authentik.age b/agenix/authentik.age new file mode 100644 index 0000000..0a268ed --- /dev/null +++ b/agenix/authentik.age @@ -0,0 +1,20 @@ +age-encryption.org/v1 +-> ssh-ed25519 Wl2fDA 7PqbYWjorqzuPIDZgOZGIMzZa/P89aGzvORfMAeePRU +J+gesdnj8VwqJSfD1ohDTSp7nBXdM4nEEB5/7aA1PMc +-> ssh-ed25519 zNC8SA z47u0fUlGVYiQr4/S0lLh6WEj7gyedjWsq4fUk5Z1CY +6qR4zdA1gQqpAcm5Q5AZJgn3ZnafXL4OeHfU4WJae40 +-> ssh-ed25519 EiAAKw 8mPi6HaHW+oFZHZ0Y2fJ2XISgarW3i/yLKD2QJleFGs +Mch7D28T9eiJm8hmSuI7Wm/rjjT+EzzER9vQ7T6rA3k +-> ssh-rsa eFi+Zw +d3mwAM+p4yz/UK5g4+0WyeOPyEVHQEyzGSB+pPDf6IIXxGbh613h1WD5j3AQQXdH +178Es9PhkiZcy0Y0IsQt4dyqDzuqMMwzLLvLKgsfliFsPBcdo93V5r9rWtFi3+9S +jAfhsFzVUj3KhuBY+xsgBtHpLe5CVV52NnEzXkoJw1wbdunNi62QZvyyC+0NixFV +HW1lxan6g6XXPrXWWrLbZWvpuqvPV6DoLsofzkMm0nd1DhkeHRU1WU8ucnPaETrJ +E5G3YrlfhftwRzp/QzeoSFREmdAJca7ycIJaJuG8QIszTZLOOQBUAxg7sonATGUc +Zutg1lJEfaQSe8oG1iMrJlshGspuSmBc1Ki4iQJjhQnYzvkV+Th9trG3QGq5ur9O +RYCxqjMMzbp6kR2GdJorSM7P5fpzt0sSv2mxd+nQpMoyvOVfbBjmEbiuWrKSlIl0 +tXYrI6723mRNsbtmodUdDttaDFnr2r0MWbpHPn/K6y422GEoAiKE96Z7Pcxo2+Ml + +--- ILGiZiEBKY+7nych4vWMVWgiFNhF3eP7mtCvJ/JImxM +jF%a;8l˝ Yt: # (V;[`:tS# @k7FEn!lȥۚÁ7!Y3:+mz +Z!۵S>] 8/bIbPZo ҧz"&zذ:fB[-^ \ No newline at end of file diff --git a/agenix/secrets.nix b/agenix/secrets.nix index 65bb806..3199ebc 100644 --- a/agenix/secrets.nix 
+++ b/agenix/secrets.nix @@ -10,6 +10,7 @@ let in { "ntfy.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys; + "authentik.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys; # tsig-keygen etc.sub.domain.tld. "dns/tuxcord.net/tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys; diff --git a/flake.lock b/flake.lock index 90bfb86..032a812 100644 --- a/flake.lock +++ b/flake.lock @@ -23,6 +23,67 @@ "type": "github" } }, + "authentik-go": { + "flake": false, + "locked": { + "lastModified": 1771856219, + "narHash": "sha256-zTEmvxe+BpfWYvAl675PnhXCH4jV4GUTFb1MrQ1Eyno=", + "owner": "goauthentik", + "repo": "client-go", + "rev": "4c1444ee54d945fbcc5ae107b4f191ca0352023d", + "type": "github" + }, + "original": { + "owner": "goauthentik", + "repo": "client-go", + "type": "github" + } + }, + "authentik-nix": { + "inputs": { + "authentik-go": "authentik-go", + "authentik-src": "authentik-src", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "flake-utils": "flake-utils", + "napalm": "napalm", + "nixpkgs": "nixpkgs", + "pyproject-build-systems": "pyproject-build-systems", + "pyproject-nix": "pyproject-nix", + "systems": "systems_2", + "uv2nix": "uv2nix" + }, + "locked": { + "lastModified": 1776085803, + "narHash": "sha256-JvvWVbXJYSY8qOReMbAOD4lxcN2cjKV6lg/jLz8CEuY=", + "owner": "nix-community", + "repo": "authentik-nix", + "rev": "4370b561c8bafb59773ce3a518506bcf1161dbdb", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "authentik-nix", + "type": "github" + } + }, + "authentik-src": { + "flake": false, + "locked": { + "lastModified": 1775573258, + "narHash": "sha256-Xq7JGI/8ppIydIuWd9KRJKUrh7UpeniwvZ4NAtXbYJ4=", + "owner": "goauthentik", + "repo": "authentik", + "rev": "5249546862986202b901c2afd860992ec48c6ef6", + "type": "github" + }, + "original": { + "owner": "goauthentik", + "ref": "version/2026.2.2", + "repo": "authentik", + "type": "github" + } + }, "darwin": { "inputs": { "nixpkgs": [ 
@@ -46,6 +107,7 @@ } }, "flake-compat": { + "flake": false, "locked": { "lastModified": 1767039857, "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=", @@ -61,6 +123,21 @@ } }, "flake-compat_2": { + "locked": { + "lastModified": 1767039857, + "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_3": { "flake": false, "locked": { "lastModified": 1767039857, @@ -80,6 +157,24 @@ "inputs": { "nixpkgs-lib": "nixpkgs-lib" }, + "locked": { + "lastModified": 1769996383, + "narHash": "sha256-AnYjnFWgS49RlqX7LrC4uA+sCCDBj0Ry/WOJ5XWAsa0=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "57928607ea566b5db3ad13af0e57e921e6b12381", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib_2" + }, "locked": { "lastModified": 1777678872, "narHash": "sha256-EPIFsulyon7Z1vLQq5Fk64GR8L7cQsT+IPhcsukVbgk=", @@ -94,6 +189,27 @@ "type": "github" } }, + "flake-utils": { + "inputs": { + "systems": [ + "authentik-nix", + "systems" + ] + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "git-hooks-nix": { "inputs": { "flake-compat": [ 
@@ -188,9 +304,35 @@ "type": "github" } }, + "napalm": { + "inputs": { + "flake-utils": [ + "authentik-nix", + "flake-utils" + ], + "nixpkgs": [ + "authentik-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1725806412, + "narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=", + "owner": "willibutz", + "repo": "napalm", + "rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5", + "type": "github" + }, + "original": { + "owner": "willibutz", + "ref": "avoid-foldl-stack-overflow", + "repo": "napalm", + "type": "github" + } + }, "nix-alien": { "inputs": { - "flake-compat": "flake-compat", + "flake-compat": "flake-compat_2", "nix-index-database": [ "nix-index-database" ], @@ -234,12 +376,12 @@ }, "nix-super": { "inputs": { - "flake-compat": "flake-compat_2", + "flake-compat": "flake-compat_3", "flake-parts": [ "flake-parts" ], "git-hooks-nix": "git-hooks-nix", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_2", "nixpkgs-23-11": "nixpkgs-23-11", "nixpkgs-regression": "nixpkgs-regression" }, @@ -259,15 +401,18 @@ }, "nixpkgs": { "locked": { - "lastModified": 1771903837, - "narHash": "sha256-jEA8WggGKtMFeNeCKq3NK8cLEjJmG6/RLUElYYbBZ0E=", - "rev": "e764fc9a405871f1f6ca3d1394fb422e0a0c3951", - "type": "tarball", - "url": "https://releases.nixos.org/nixos/25.11/nixos-25.11.6495.e764fc9a4058/nixexprs.tar.xz" + "lastModified": 1771848320, + "narHash": "sha256-0MAd+0mun3K/Ns8JATeHT1sX28faLII5hVLq0L3BdZU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "2fc6539b481e1d2569f25f8799236694180c0993", + "type": "github" }, "original": { - "type": "tarball", - "url": "https://channels.nixos.org/nixos-25.11/nixexprs.tar.xz" + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" } }, "nixpkgs-23-11": { 
@@ -287,6 +432,21 @@ } }, "nixpkgs-lib": { + "locked": { + "lastModified": 1769909678, + "narHash": "sha256-cBEymOf4/o3FD5AZnzC3J9hLbiZ+QDT/KDuyHXVJOpM=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "72716169fe93074c333e8d0173151350670b824c", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "nixpkgs-lib_2": { "locked": { "lastModified": 1777168982, "narHash": "sha256-GOkGPcboWE9BmGCRMLX3worL4EMnsnG8MyKmXNeYuhQ=", @@ -318,6 +478,19 @@ } }, "nixpkgs_2": { + "locked": { + "lastModified": 1771903837, + "narHash": "sha256-jEA8WggGKtMFeNeCKq3NK8cLEjJmG6/RLUElYYbBZ0E=", + "rev": "e764fc9a405871f1f6ca3d1394fb422e0a0c3951", + "type": "tarball", + "url": "https://releases.nixos.org/nixos/25.11/nixos-25.11.6495.e764fc9a4058/nixexprs.tar.xz" + }, + "original": { + "type": "tarball", + "url": "https://channels.nixos.org/nixos-25.11/nixexprs.tar.xz" + } + }, + "nixpkgs_3": { "locked": { "lastModified": 1777428379, "narHash": "sha256-ypxFOeDz+CqADEQNL72haqGjvZQdBR5Vc7pyx2JDttI=", 
@@ -333,15 +506,66 @@ "type": "github" } }, + "pyproject-build-systems": { + "inputs": { + "nixpkgs": [ + "authentik-nix", + "nixpkgs" + ], + "pyproject-nix": [ + "authentik-nix", + "pyproject-nix" + ], + "uv2nix": [ + "authentik-nix", + "uv2nix" + ] + }, + "locked": { + "lastModified": 1771423342, + "narHash": "sha256-7uXPiWB0YQ4HNaAqRvVndYL34FEp1ZTwVQHgZmyMtC8=", + "owner": "pyproject-nix", + "repo": "build-system-pkgs", + "rev": "04e9c186e01f0830dad3739088070e4c551191a4", + "type": "github" + }, + "original": { + "owner": "pyproject-nix", + "repo": "build-system-pkgs", + "type": "github" + } + }, + "pyproject-nix": { + "inputs": { + "nixpkgs": [ + "authentik-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1771518446, + "narHash": "sha256-nFJSfD89vWTu92KyuJWDoTQJuoDuddkJV3TlOl1cOic=", + "owner": "pyproject-nix", + "repo": "pyproject.nix", + "rev": "eb204c6b3335698dec6c7fc1da0ebc3c6df05937", + "type": "github" + }, + "original": { + "owner": "pyproject-nix", + "repo": "pyproject.nix", + "type": "github" + } + }, "root": { "inputs": { "agenix": "agenix", - "flake-parts": "flake-parts", + "authentik-nix": "authentik-nix", + "flake-parts": "flake-parts_2", "impermanence": "impermanence", "nix-alien": "nix-alien", "nix-index-database": "nix-index-database", "nix-super": "nix-super", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_3" } }, "systems": { 
@@ -358,6 +582,46 @@ "repo": "default", "type": "github" } + }, + "systems_2": { + "locked": { + "lastModified": 1689347949, + "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", + "owner": "nix-systems", + "repo": "default-linux", + "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default-linux", + "type": "github" + } + }, + "uv2nix": { + "inputs": { + "nixpkgs": [ + "authentik-nix", + "nixpkgs" + ], + "pyproject-nix": [ + "authentik-nix", + "pyproject-nix" + ] + }, + "locked": { + "lastModified": 1772187362, + "narHash": "sha256-gCojeIlQ/rfWMe3adif3akyHsT95wiMkLURpxTeqmPc=", + "owner": "pyproject-nix", + "repo": "uv2nix", + "rev": "abe65de114300de41614002fe9dce2152ac2ac23", + "type": "github" + }, + "original": { + "owner": "pyproject-nix", + "repo": "uv2nix", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index f35d2de..4e32840 100644 --- a/flake.nix +++ b/flake.nix @@ -31,6 +31,13 @@ url = "github:privatevoid-net/nix-super"; inputs.flake-parts.follows = "flake-parts"; }; + + authentik-nix = { + url = "github:nix-community/authentik-nix"; + + # inputs.nixpkgs.follows = "nixpkgs" + # inputs.flake-parts.follows = "flake-parts" + }; }; outputs = diff --git a/nixos/common.nix b/nixos/common.nix index 970fc51..8175c30 100644 --- a/nixos/common.nix +++ b/nixos/common.nix @@ -18,6 +18,7 @@ in agenix.nixosModules.default impermanence.nixosModules.default nix-index-database.nixosModules.nix-index + authentik-nix.nixosModules.default ./hardware.nix ./impermanence.nix @@ -99,7 +100,7 @@ in extraHosts = let - subdomains = [ "git" ]; + subdomains = [ "git" "auth" ]; inherit (config.networking) fqdn; hosts = [ fqdn ] ++ map (sub: "${sub}.${fqdn}") subdomains; diff --git a/nixos/modules/authentik.nix b/nixos/modules/authentik.nix new file mode 100644 index 0000000..59fd1fc --- /dev/null +++ b/nixos/modules/authentik.nix 
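Review bot: The two commented-out `follows` lines in the new `authentik-nix` input in flake.nix lack a trailing semicolon, so uncommenting them as written would be a syntax error; keep them as `# inputs.nixpkgs.follows = "nixpkgs";` and `# inputs.flake-parts.follows = "flake-parts";` so the intended setting can be restored by deleting the `#` alone. Because neither follows is set, the flake.lock hunk pins a separate nixpkgs for authentik-nix (tracking nixos-unstable) next to the root nixpkgs, so the authentik closure is built from a different package set than the rest of the system and receives its package updates on a different cadence. A one-line comment saying why the follows are disabled (presumably a build failure against the root nixpkgs) would tell the next reader whether this is temporary. The `inputs` attribute set continues outside the hunk.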
@@ -0,0 +1,17 @@
+{ config, self, ... }:
+let
+ inherit (config.networking) fqdn;
+in
+{
+ age.secrets.authentik.file = "${self}/agenix/authentik.age";
+
+ services.authentik = {
+ enable = true;
+ environmentFile = config.age.secrets.authentik.path; # just trust, this specifies port 3001
+ # nginx = {
+ # enable = true;
+ # enableACME = true;
+ # host = "auth.${fqdn}";
+ # };
+ };
+}
diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix
index 2593ae5..ba9af1a 100644
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@@ -1,6 +1,7 @@
 {
 imports = [
 ./acme.nix
+ ./authentik.nix
 ./dns.nix
 ./fail2ban.nix
 ./gitea.nix
diff --git a/nixos/modules/nginx.nix b/nixos/modules/nginx.nix
index cbcc4c2..a9ab151 100644
--- a/nixos/modules/nginx.nix
+++ b/nixos/modules/nginx.nix
@@ -60,6 +60,10 @@ in
 "git.${fqdn}" = mkVhost { } {
 "/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
 };
+
+ "auth.${fqdn}" = mkVhost { } {
+ "/" = mkProxy 3001;
+ };
 };
 };
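Review bot: The authentik backend port exists only inside the encrypted environment file and is repeated as the literal `3001` in the nginx.nix hunk, with the `# just trust, this specifies port 3001` comment as the only link between them; nothing in the evaluated configuration ties the two together, so a change to the secret silently breaks the `auth.${fqdn}` vhost. The `git.${fqdn}` vhost in the same nginx.nix hunk derives its port from `config.services.gitea.settings.server.HTTP_PORT`; the auth port should likewise be defined once, either as a shared binding both modules reference or through a non-secret module option if authentik-nix exposes the listen address, with the comment updated to say which. Because the listen address is hidden in the secret, a reviewer also cannot see whether authentik binds to loopback or to all interfaces; since nginx terminates TLS in front of it, the backend should be reachable only via 127.0.0.1 (or be blocked by the firewall), and a comment recording that would help. Separately, `inherit (config.networking) fqdn;` is unused while the `nginx` block below it is commented out.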