vps1: enable authentik

2025-12-14 23:58:20 +01:00 · 2024-05-16 16:44:08 +03:00 · 2024-05-16 16:44:08 +03:00 · 9e411591d8
commit 9e411591d8
parent 185dc9f3d8
5 changed files with 61 additions and 1 deletions
--- a/hosts/vps1/services/authentik.nix
+++ b/hosts/vps1/services/authentik.nix
@ -0,0 +1,41 @@
+{ config, data, ...}:
+let
+  inherit (data.host) rootDomain;
+  inherit (data.services.auth) domain;
+  mailDomain = data.services.mailserver.domain;
+
+  sops_opts = {
+    sopsFile = ../secrets/authentik.env;
+    format = "dotenv";
+    # owner = "authentik";
+    group = "authentik";
+  };
+in
+{
+  services.authentik = {
+    enable = true;
+    # The environmentFile needs to be on the target host!
+    # Best use something like sops-nix or agenix to manage it
+    environmentFile = "/run/secrets/authentik/authentik-env";
+    createDatabase = true;
+    nginx = {
+      enable = true;
+      enableACME = true;
+      host = domain;
+    };
+    settings = {
+      email = {
+        host = mailDomain;
+        port = 587;
+        username = "authentik@${rootDomain}";
+        use_tls = true;
+        use_ssl = true;
+        from = "authentik@${rootDomain}";
+      };
+      disable_startup_analytics = true;
+      avatars = "initials";
+    };
+  };
+
+  sops.secrets.authentik = sops_opts;
+}
--- a/hosts/vps1/services/mailserver.nix
+++ b/hosts/vps1/services/mailserver.nix
@ -39,6 +39,10 @@ in
        ];
        hashedPassword = "$2b$05$IlDxRGJ6vOUjDIq0hfCd3uIVLQw0oodRU1cG8pKueO1BgaIfpUYPS";
      };
+      "auth@${rootDomain}" = {
+        hashedPassword = "$2b$05$vqTJCReuUY61.Z1EwcwXnOlG98Cizpt1TGIJ76/WSHaiweAxPglp6";
+        sendOnly = true;
+      };
    };
  };

@ -46,5 +50,4 @@ in
    "postfix.service"
    "dovecot2.service"
  ];
-
 }