vps1: enable authentik
parent
185dc9f3d8
commit
9e411591d8
5 changed files with 61 additions and 1 deletions
|
@ -11,6 +11,7 @@ in
|
|||
imports = [
|
||||
./hardware-configuration.nix
|
||||
./services/postgres.nix
|
||||
./services/authentik.nix
|
||||
./services/git.nix
|
||||
./services/mailserver.nix
|
||||
./akkotest.nix
|
||||
|
|
|
@ -4,3 +4,6 @@ sshPort = 22631
|
|||
|
||||
[mailserver]
|
||||
subdomain = "mail"
|
||||
|
||||
[auth]
|
||||
subdomain = "auth"
|
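--- a/hosts/vps1/secrets/authentik.env
+++ b/hosts/vps1/secrets/authentik.env
@@ -0,0 +1,12 @@
+AUTHENTIK_EMAIL__PASSWORD=ENC[AES256_GCM,data:W4xv9+30ejC+lM+t2k9H,iv:oYNnXJ+D5WAtE0lYw4QiXiDLejdaLp6VsRvBb1pvSbY=,tag:HnCl6P1z0dR2nIyFDIkgfA==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjVnBKYTdIblVLNzZaSWpW\nMTBJQzE0Mzc0ck5lZE04d2NMRGlVSGRzRFFVCmpVQ3RYL1NpYXBhUmtVRnRlTGxm\naWppN2l6UGg0anJIam9Zak45NHYvRGsKLS0tIDArb0ZPVHF4b2ZBUmlOVFpUL2hk\nMEFGaDVSZTRJZXIzaXlPS3RNcDk1RlUK/oJloqIBIOBPVzfKCgZr/mTCOJAPb1IB\n4/sewMvEtLkIwgnxWMH1r52HaJpafUCkc0+H6mY2RT6AC0kFR/wNwQ==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1acgqxvyczgsamz53z3v0gmahzfxlg9tscwnrgcxrfndgxhsvn3vs4ss5tk
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNV0QvaUpLK3dXcjExUExa\nbHduQWxnd3o3L3hyQ25qZ29YcnFwbEt5NFZzClNsdnNFL2ZwdFhmR2FzbVBNMlBj\nVFpmNTZyY0U0ZzZNNzhjb2RNdjgySDgKLS0tIElMb2syejBKVmhqdnJmeTBiWUJ3\nVmpBRldiNzQrZFNhMFVSWE0xMEhXaTAKzTo+r7/zV4HbU/DOQj+UnpN/T01DfVr/\nn9OVSddwCwqfyVLq0GeEjYN6ejs6JjNQqeSK2fSXPpCK8zTTgIpD8w==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_recipient=age1xrzl49tvnatuu55xu5av6xcxyhrakd7mkzl5kz30kqqaxvh2m3sqax8jeu
+sops_lastmodified=2024-05-16T09:13:07Z
+sops_mac=ENC[AES256_GCM,data:7Q/k+JyGY2NurJwQlNfjUAH1+V81OGaahF4ERfRDewSmFNStBHI89InHtpgycrAZ6F/y/gi2aCU4UScF2DZTo4QDfO6z4z+j14JlAVcXD0RBFSvKdDvQtCyxjyJmMpRtue7kCsBTwdi1vVlAhRaou37rvIt2BSWgDsq2u/QD21I=,iv:Qqgcp2RwtLmS00ENz2Jt9uBK3JUUdx5ZNZTxMfQRWKQ=,tag:H2c5HBuO7U2wpB/JmRXcqA==,type:str]
+sops_pgp__list_0__map_created_at=2024-05-16T09:09:19Z
+sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DrTkQq20WUVESAQdA4hxhmiuKNPdxjBYrKPozyO5pB9IojztBe+VYw4MHWGIw\nr3I0Y14WFSmO0v+VYWdFU1d+M87GW75JMwMs5e4EherX24Hf732YsOTto/wvddE7\n1GgBCQIQaLG2nRWwmyA7MDAKkxJJOFyuEZBYTLcedqIxzhxQG33U2ttyUlw80+Kf\nSNnkx/a71ytYz1bH9iRusjPIOKmbIgKmtoNfUPxOw+tBsWZu8BroPhO5SojMfT+8\nMJ35WpW5KuO4Lg==\n=Vh2J\n-----END PGP MESSAGE-----
+sops_pgp__list_0__map_fp=D3067BE844D3FC49535A47B29396B8BA6FBB14DE
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.8.1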
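Review bot: The only application variable encrypted in this file is `AUTHENTIK_EMAIL__PASSWORD`; authentik also reads `AUTHENTIK_SECRET_KEY` from its environment, and nothing visible in this commit supplies it. If it is not provided elsewhere, add it to this sops file before the service is first started, because it signs session cookies and should be generated once and then kept stable. Every other key here is sops metadata (recipients, MAC, version) and needs no change.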
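--- a/hosts/vps1/services/authentik.nix
+++ b/hosts/vps1/services/authentik.nix
@@ -0,0 +1,41 @@
+{ config, data, ...}:
+let
+inherit (data.host) rootDomain;
+inherit (data.services.auth) domain;
+mailDomain = data.services.mailserver.domain;
+
+sops_opts = {
+sopsFile = ../secrets/authentik.env;
+format = "dotenv";
+# owner = "authentik";
+group = "authentik";
+};
+in
+{
+services.authentik = {
+enable = true;
+# The environmentFile needs to be on the target host!
+# Best use something like sops-nix or agenix to manage it
+environmentFile = "/run/secrets/authentik/authentik-env";
+createDatabase = true;
+nginx = {
+enable = true;
+enableACME = true;
+host = domain;
+};
+settings = {
+email = {
+host = mailDomain;
+port = 587;
+username = "authentik@${rootDomain}";
+use_tls = true;
+use_ssl = true;
+from = "authentik@${rootDomain}";
+};
+disable_startup_analytics = true;
+avatars = "initials";
+};
+};
+
+sops.secrets.authentik = sops_opts;
+}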
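Review bot: `environmentFile` is hard-coded to `/run/secrets/authentik/authentik-env`, but the secret is declared as `sops.secrets.authentik`, which sops-nix places at `/run/secrets/authentik` by default, so unless a path override exists outside this file the service will not find its environment file. Referencing the declared secret with `environmentFile = config.sops.secrets.authentik.path;` keeps the two in step and uses the otherwise unused `config` argument. In the `email` block, `use_tls` and `use_ssl` are both true on port 587; STARTTLS and implicit TLS are alternatives, and 587 is the STARTTLS submission port, so `use_ssl = false;` is the likely intent. A short comment on why `owner` is commented out in `sops_opts` while `group = "authentik"` is kept would also help the next reader judge who can read the decrypted file.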
|
@ -39,6 +39,10 @@ in
|
|||
];
|
||||
hashedPassword = "$2b$05$IlDxRGJ6vOUjDIq0hfCd3uIVLQw0oodRU1cG8pKueO1BgaIfpUYPS";
|
||||
};
|
||||
"auth@${rootDomain}" = {
|
||||
hashedPassword = "$2b$05$vqTJCReuUY61.Z1EwcwXnOlG98Cizpt1TGIJ76/WSHaiweAxPglp6";
|
||||
sendOnly = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -46,5 +50,4 @@ in
|
|||
"postfix.service"
|
||||
"dovecot2.service"
|
||||
];
|
||||
|
||||
}
|
||||
|
|
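Review bot: The `hashedPassword` for the `"auth@${rootDomain}"` account is a bcrypt hash with cost factor 5 (`$2b$05$`) committed in clear to the repository, so anyone who can read the repository or its mirror can run offline guessing against it at a very low work factor. If this is the simple-nixos-mailserver `loginAccounts` set (the file header is not visible on the page), prefer `hashedPasswordFile` pointing at a sops-managed secret and regenerate the hash with a higher cost; the same applies to the existing hash a few lines above. The account name also differs from the SMTP login configured for authentik in this commit, `username = "authentik@${rootDomain}"`. Unless that address is defined outside the visible hunks, authentik's mail login will be rejected.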