vps1: enable authentik

hosts/vps1/configuration.nix

@@ -11,6 +11,7 @@ in
   imports = [
     ./hardware-configuration.nix
     ./services/postgres.nix
+    ./services/authentik.nix
     ./services/git.nix
     ./services/mailserver.nix
     ./akkotest.nix

hosts/vps1/data/services.toml

@@ -4,3 +4,6 @@ sshPort = 22631
 
 [mailserver]
 subdomain = "mail"
+
+[auth]
+subdomain = "auth"

hosts/vps1/secrets/authentik.env

@@ -0,0 +1,12 @@
+AUTHENTIK_EMAIL__PASSWORD=ENC[AES256_GCM,data:W4xv9+30ejC+lM+t2k9H,iv:oYNnXJ+D5WAtE0lYw4QiXiDLejdaLp6VsRvBb1pvSbY=,tag:HnCl6P1z0dR2nIyFDIkgfA==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjVnBKYTdIblVLNzZaSWpW\nMTBJQzE0Mzc0ck5lZE04d2NMRGlVSGRzRFFVCmpVQ3RYL1NpYXBhUmtVRnRlTGxm\naWppN2l6UGg0anJIam9Zak45NHYvRGsKLS0tIDArb0ZPVHF4b2ZBUmlOVFpUL2hk\nMEFGaDVSZTRJZXIzaXlPS3RNcDk1RlUK/oJloqIBIOBPVzfKCgZr/mTCOJAPb1IB\n4/sewMvEtLkIwgnxWMH1r52HaJpafUCkc0+H6mY2RT6AC0kFR/wNwQ==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1acgqxvyczgsamz53z3v0gmahzfxlg9tscwnrgcxrfndgxhsvn3vs4ss5tk
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNV0QvaUpLK3dXcjExUExa\nbHduQWxnd3o3L3hyQ25qZ29YcnFwbEt5NFZzClNsdnNFL2ZwdFhmR2FzbVBNMlBj\nVFpmNTZyY0U0ZzZNNzhjb2RNdjgySDgKLS0tIElMb2syejBKVmhqdnJmeTBiWUJ3\nVmpBRldiNzQrZFNhMFVSWE0xMEhXaTAKzTo+r7/zV4HbU/DOQj+UnpN/T01DfVr/\nn9OVSddwCwqfyVLq0GeEjYN6ejs6JjNQqeSK2fSXPpCK8zTTgIpD8w==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_recipient=age1xrzl49tvnatuu55xu5av6xcxyhrakd7mkzl5kz30kqqaxvh2m3sqax8jeu
+sops_lastmodified=2024-05-16T09:13:07Z
+sops_mac=ENC[AES256_GCM,data:7Q/k+JyGY2NurJwQlNfjUAH1+V81OGaahF4ERfRDewSmFNStBHI89InHtpgycrAZ6F/y/gi2aCU4UScF2DZTo4QDfO6z4z+j14JlAVcXD0RBFSvKdDvQtCyxjyJmMpRtue7kCsBTwdi1vVlAhRaou37rvIt2BSWgDsq2u/QD21I=,iv:Qqgcp2RwtLmS00ENz2Jt9uBK3JUUdx5ZNZTxMfQRWKQ=,tag:H2c5HBuO7U2wpB/JmRXcqA==,type:str]
+sops_pgp__list_0__map_created_at=2024-05-16T09:09:19Z
+sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DrTkQq20WUVESAQdA4hxhmiuKNPdxjBYrKPozyO5pB9IojztBe+VYw4MHWGIw\nr3I0Y14WFSmO0v+VYWdFU1d+M87GW75JMwMs5e4EherX24Hf732YsOTto/wvddE7\n1GgBCQIQaLG2nRWwmyA7MDAKkxJJOFyuEZBYTLcedqIxzhxQG33U2ttyUlw80+Kf\nSNnkx/a71ytYz1bH9iRusjPIOKmbIgKmtoNfUPxOw+tBsWZu8BroPhO5SojMfT+8\nMJ35WpW5KuO4Lg==\n=Vh2J\n-----END PGP MESSAGE-----
+sops_pgp__list_0__map_fp=D3067BE844D3FC49535A47B29396B8BA6FBB14DE
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.8.1

hosts/vps1/services/authentik.nix

@@ -0,0 +1,41 @@
+{ config, data, ...}:
+let
+  inherit (data.host) rootDomain;
+  inherit (data.services.auth) domain;
+  mailDomain = data.services.mailserver.domain;
+
+  sops_opts = {
+    sopsFile = ../secrets/authentik.env;
+    format = "dotenv";
+    # owner = "authentik";
+    group = "authentik";
+  };
+in
+{
+  services.authentik = {
+    enable = true;
+    # The environmentFile needs to be on the target host!
+    # Best use something like sops-nix or agenix to manage it
+    environmentFile = "/run/secrets/authentik/authentik-env";
+    createDatabase = true;
+    nginx = {
+      enable = true;
+      enableACME = true;
+      host = domain;
+    };
+    settings = {
+      email = {
+        host = mailDomain;
+        port = 587;
+        username = "authentik@${rootDomain}";
+        use_tls = true;
+        use_ssl = true;
+        from = "authentik@${rootDomain}";
+      };
+      disable_startup_analytics = true;
+      avatars = "initials";
+    };
+  };
+
+  sops.secrets.authentik = sops_opts;
+}

hosts/vps1/services/mailserver.nix

@@ -39,6 +39,10 @@ in
         ];
         hashedPassword = "$2b$05$IlDxRGJ6vOUjDIq0hfCd3uIVLQw0oodRU1cG8pKueO1BgaIfpUYPS";
       };
+      "auth@${rootDomain}" = {
+        hashedPassword = "$2b$05$vqTJCReuUY61.Z1EwcwXnOlG98Cizpt1TGIJ76/WSHaiweAxPglp6";
+        sendOnly = true;
+      };
     };
   };
 
@@ -46,5 +50,4 @@ in
     "postfix.service"
     "dovecot2.service"
   ];
-
 }