alpine: authentik service

2024-05-08 22:53:41 +01:00 · 2024-05-08 22:53:41 +01:00 · 4d2f26c98f
commit 4d2f26c98f
parent d1772cb4be
6 changed files with 190 additions and 14 deletions
--- a/flake.nix
+++ b/flake.nix
@ -9,10 +9,6 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
    stylix.url = "github:danth/stylix";
-    # hyprland = {
-    #   url = "github:hyprwm/Hyprland/v0.36.0";
-    #   inputs.nixpkgs.follows = "nixpkgs";
-    # };
    sops-nix.url = "github:Mic92/sops-nix";
  };

@ -71,6 +67,7 @@
        ./nixos/services/mautrix/signal.nix
        ./nixos/services/nextcloud.nix
        ./nixos/services/ntfy.nix
+        ./nixos/services/authentik.nix
      ] [];

      vm-sway =
--- a/hardware/alpine.nix
+++ b/hardware/alpine.nix
@ -140,14 +140,6 @@ in {
        enableACME = true;
        root = "/srv/www/tristans.cloud";
      };
-      "auth.tristans.cloud" = {
-        forceSSL = true;
-        enableACME = true;
-        locations."~" = {
-          proxyPass = "http://localhost:8084";
-          proxyWebsockets = true;
-        };
-      };
    };
  };
  security.acme = {
--- a/lib/mkconf.nix
+++ b/lib/mkconf.nix
@ -15,6 +15,7 @@ in
    modules =
      modules
      ++ [
+        ../nixos/modules/podman.nix
        home-manager.nixosModules.home-manager
        sops-nix.nixosModules.sops
        {
--- a/nixos/modules/podman.nix
+++ b/nixos/modules/podman.nix
@ -0,0 +1,86 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}: let
+  inherit (lib) mkOption types;
+  mkRunCommand = name: {
+    image,
+    command ? "",
+    environment ? {},
+    ports ? [],
+    volumes ? [],
+    envFile ? null,
+    ...
+  }: ''
+    ${pkgs.podman}/bin/podman run \
+      ${toString (builtins.attrValues (builtins.mapAttrs (name: value: "-e ${name}='${value}'") environment))} \
+      ${toString (builtins.map (mapping: "-p ${mapping}") ports)} \
+      ${toString (builtins.map (mapping: "-v ${mapping}") volumes)} \
+      ${
+        if builtins.isNull envFile
+        then ""
+        else "--env-file ${toString envFile}"
+      } \
+      --detach --replace \
+      --name ${name} \
+      ${image} ${command}
+  '';
+  opts = {
+    config,
+    name,
+    ...
+  }: {
+    options = {
+      image = mkOption {
+        type = types.str;
+      };
+      command = mkOption {
+        type = types.str;
+        default = "";
+      };
+      environment = mkOption {
+        type = types.attrsOf types.str;
+        default = {};
+      };
+      ports = mkOption {
+        type = types.listOf types.str;
+        default = [];
+      };
+      volumes = mkOption {
+        type = types.listOf types.str;
+        default = [];
+      };
+      envFile = mkOption {
+        type = types.nullOr types.path;
+        default = null;
+      };
+    };
+  };
+  mkService = name: config: {
+    enable = true;
+    wants = ["network-online.target"];
+    after = ["network-online.target"];
+    wantedBy = ["default.target"];
+    unitConfig = {
+      RequiresMountsFor = "/run/containers/storage";
+    };
+    serviceConfig = {
+      Environment = "PODMAN_SYSTEMD_UNIT=%n";
+      Restart = "on-failure";
+      TimeoutStopSec = 70;
+      ExecStart = mkRunCommand name config;
+      ExecStop = "${pkgs.podman}/bin/podman stop -t 10 ${name}";
+      ExecStopPost = "${pkgs.podman}/bin/podman stop -t 10 ${name}";
+      Type = "forking";
+    };
+  };
+in {
+  options.podman = mkOption {
+    type = types.attrsOf (types.submodule opts);
+  };
+  config = {
+    systemd.services = lib.mapAttrs mkService config.podman;
+  };
+}
--- a/nixos/services/authentik.nix
+++ b/nixos/services/authentik.nix
@ -0,0 +1,91 @@
+{config, ...}: let
+  inherit (config) sops;
+  inherit (sops) templates placeholder;
+  redis_port = "6380";
+  authentik_port = "8084";
+  postgres = {
+    user = "authentik";
+    db = "authentik";
+    port = "5437";
+  };
+  authentik-config = {
+    image = "ghcr.io/goauthentik/server:2023.10.7";
+    volumes = ["/home/tristan/pods/authentik/media:/media"];
+    environment = {
+      AUTHENTIK_POSTGRESQL__USER = postgres.user;
+      AUTHENTIK_POSTGRESQL__HOST = "192.168.1.2";
+      AUTHENTIK_POSTGRESQL__PORT = postgres.port;
+      AUTHENTIK_REDIS__HOST = "192.168.1.2";
+      AUTHENTIK_REDIS__PORT = redis_port;
+      AUTHENTIK_EMAIL__FROM = "Authentik <tristan@tristans.cloud>";
+      AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME = "false";
+    };
+    envFile = templates."authentik/environment".path;
+  };
+in {
+  sops.secrets = {
+    "authentik/postgres_password" = {};
+    "authentik/secret_key" = {};
+    "mail/host" = {};
+    "mail/port" = {};
+    "mail/username" = {};
+    "mail/password" = {};
+    "mail/ssl" = {};
+  };
+  sops.templates = {
+    "authentik/environment" = {
+      content = ''
+        AUTHENTIK_POSTGRESQL__PASSWORD="${placeholder."authentik/postgres_password"}"
+        AUTHENTIK_SECRET_KEY="${placeholder."authentik/secret_key"}"
+        AUTHENTIK_EMAIL__HOST="${placeholder."mail/host"}"
+        AUTHENTIK_EMAIL__PORT="${placeholder."mail/port"}"
+        AUTHENTIK_EMAIL__USERNAME="${placeholder."mail/username"}"
+        AUTHENTIK_EMAIL__PASSWORD="${placeholder."mail/password"}"
+        AUTHENTIK_EMAIL__USE_SSL="${placeholder."mail/ssl"}"
+      '';
+    };
+    "authentik/postgres_env" = {
+      content = ''
+        POSTGRES_PASSWORD="${placeholder."authentik/postgres_password"}"
+      '';
+    };
+  };
+
+  podman.authentik-redis = {
+    image = "redis:latest";
+    ports = ["${redis_port}:6379"];
+  };
+
+  podman.authentik-server =
+    authentik-config
+    // {
+      command = "server";
+      ports = ["${authentik_port}:9000" "9084:9300"];
+    };
+
+  podman.authentik-worker =
+    authentik-config
+    // {
+      command = "worker";
+    };
+
+  podman.authentik-postgres = {
+    image = "docker.io/postgres:14-alpine";
+    ports = ["${postgres.port}:5432"];
+    volumes = ["/home/tristan/pods/authentik/db:/var/lib/postgresql/data"];
+    environment = {
+      POSTGRES_USER = postgres.user;
+      POSTGRES_DB = postgres.db;
+    };
+    envFile = templates."authentik/postgres_env".path;
+  };
+
+  services.nginx.virtualHosts."auth.tristans.cloud" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."~" = {
+      proxyPass = "http://localhost:${authentik_port}";
+      proxyWebsockets = true;
+    };
+  };
+}
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@ -19,6 +19,15 @@ mautrix-signal:
 mautrix-instagram:
    as_token: ENC[AES256_GCM,data:pNO76BcGejQdCc5X4f/UvSsBIPU6QZCCQTJvwVIXRf3rnb9ewWNMEtYXlqj886yh3g5SgqQ4Uhqby/7vrMxREA==,iv:uYU7ACk4wEPzqUCpt5KBt5Y8LoVIdAlNvdWj5Jm94qM=,tag:vJHOhwJBPlgUPu1SFqI4ew==,type:str]
    hs_token: ENC[AES256_GCM,data:m1CK8Ae6QyJKgDZm904xMpZ1KgKxEUpmQ1jdKOkjexgwAWjjtYF+RVximtcXwxPg/0jkbK/LMlxA89ic+zajiA==,iv:YLed92mS+2Cpud2f8Gq+zlpSVyPo7RVNGOUPCIRDi94=,tag:rRwhYn88ZZwm5sDI1etR2g==,type:str]
+authentik:
+    postgres_password: ENC[AES256_GCM,data:mdUFP92PQEsvXpgES/iG+zmse0AKJ2c1KdMQDWDWWzWAOn3YSAYJX/N0IIljoGNC,iv:UxFDFYWNBQospGoHlrvLQJyypIszPqpkeJy1IGr6/7I=,tag:99LWrGMaYpfTl0PM4AQaKg==,type:str]
+    secret_key: ENC[AES256_GCM,data:JWcHd5FLhFt7gitVyv0l5Fc/sVrBlro026CPKrECPRGQHwjWQWsXTbKisM0vCKdB,iv:WN/LXUNrd+DbxfxwotedlYnyzE2D1c6C2e0UgCXUWX8=,tag:CAo6tX5RGdg67giMWa459g==,type:str]
+mail:
+    host: ENC[AES256_GCM,data:TpJCxb8/qtGHA7ZQNFxRfzY0jz82,iv:+hjhL2jbMP9NWYub/etBhFXxAfzoIEneepRw5uHL8bs=,tag:J5Rb6BiFKqgqxZPFSGtXhA==,type:str]
+    port: ENC[AES256_GCM,data:1DfD,iv:I3dK4v/h5nFLNk4yihQxkJiyAir9MLDAQIeGbSn3j+I=,tag:Xu8E6PN7u9YRVnFMWq85DQ==,type:str]
+    username: ENC[AES256_GCM,data:yF3a6yJbvscUM8HRL9/Df5ZU4j5a3g==,iv:LkZh8eaBZ+Z3+bjpyB3MkWTRpjtk3/bszseT9KCfDmM=,tag:sdAp283HiwYWlVLc7c4waw==,type:str]
+    password: ENC[AES256_GCM,data:queuYRYekTyynd6fxK4RNImMzQeR7xfNg9u96Fr+1tw=,iv:Rn30tJAoahkMr2ISDbyHClHDdjSF41MqtTwlSGUQELw=,tag:/sfAJXvFwvv3AMxTCONmkg==,type:str]
+    ssl: ENC[AES256_GCM,data:K2pczQ==,iv:Us4kZfQ2wIx/qJXDaPDuUNvGU2F+U8EtV21SPbTebe8=,tag:lUY9pGQ7dtxIJqOOtIMA8Q==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -34,8 +43,8 @@ sops:
            NUFIN3NPU2pTZ0NZRXdQY0xhWlI5T3cKd5XCj1aNsD+7+MfiAPGb1iAW9AgzyagG
            A7cwF9kQwWWLud9z4v6epuDkqGF+7uIy7N/CwBaEgi8+AS8o27wo4g==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-03-23T23:24:16Z"
-    mac: ENC[AES256_GCM,data:bs8t7nH5BdIz4uQd33M2pt+AVhqfBEJy9l8AFl8p80GLAMg5zKlDWxtVCPrWk8viJvfMkhvwEovBizoy3m7gt8iWLf+dtznBjALtUXVAc/+dmACUS8E9JHHKcvOHxT/cYCuU3t6pDJWlbfnpBtKSSHH8Z/YblYMlkeoNeNOoAwU=,iv:9fKO44c5TNMBgHqcuV6Fu+GW8TjND+32KDEerawpZL4=,tag:Ps8kelq+8iY88mdqugRTMg==,type:str]
+    lastmodified: "2024-05-08T21:41:24Z"
+    mac: ENC[AES256_GCM,data:BMM/NP/ls0VdkL1jOqPeEmfxwoQR1Yi5DM2xb1p+Z3u9oo61Tkc2v2G7G9jWMfa2UwVlqYOGIZlwNj2ONhWhDDZBVTd3tTEbssbizNTUWGX7cQBfQm9K0/Mk+qXdug7AfjKnVXZlEbD7QLfqhz7sl/tDaPS9sstnivJENi2sIYI=,iv:nOoc+kiSbf89qJMtGYLURVToh6bCnEjg7zVQivzate4=,tag:ogEOMkRafxKLFX0N9hbOSw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1