vps1: enable authentik
parent
185dc9f3d8
commit
9e411591d8
5 changed files with 61 additions and 1 deletions
|
@ -11,6 +11,7 @@ in
|
||||||
imports = [
|
imports = [
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
./services/postgres.nix
|
./services/postgres.nix
|
||||||
|
./services/authentik.nix
|
||||||
./services/git.nix
|
./services/git.nix
|
||||||
./services/mailserver.nix
|
./services/mailserver.nix
|
||||||
./akkotest.nix
|
./akkotest.nix
|
||||||
|
|
|
@ -4,3 +4,6 @@ sshPort = 22631
|
||||||
|
|
||||||
[mailserver]
|
[mailserver]
|
||||||
subdomain = "mail"
|
subdomain = "mail"
|
||||||
|
|
||||||
|
[auth]
|
||||||
|
subdomain = "auth"
|
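--- a/hosts/vps1/secrets/authentik.env
+++ b/hosts/vps1/secrets/authentik.env
@@ -0,0 +1,12 @@
+AUTHENTIK_EMAIL__PASSWORD=ENC[AES256_GCM,data:W4xv9+30ejC+lM+t2k9H,iv:oYNnXJ+D5WAtE0lYw4QiXiDLejdaLp6VsRvBb1pvSbY=,tag:HnCl6P1z0dR2nIyFDIkgfA==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjVnBKYTdIblVLNzZaSWpW\nMTBJQzE0Mzc0ck5lZE04d2NMRGlVSGRzRFFVCmpVQ3RYL1NpYXBhUmtVRnRlTGxm\naWppN2l6UGg0anJIam9Zak45NHYvRGsKLS0tIDArb0ZPVHF4b2ZBUmlOVFpUL2hk\nMEFGaDVSZTRJZXIzaXlPS3RNcDk1RlUK/oJloqIBIOBPVzfKCgZr/mTCOJAPb1IB\n4/sewMvEtLkIwgnxWMH1r52HaJpafUCkc0+H6mY2RT6AC0kFR/wNwQ==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1acgqxvyczgsamz53z3v0gmahzfxlg9tscwnrgcxrfndgxhsvn3vs4ss5tk
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNV0QvaUpLK3dXcjExUExa\nbHduQWxnd3o3L3hyQ25qZ29YcnFwbEt5NFZzClNsdnNFL2ZwdFhmR2FzbVBNMlBj\nVFpmNTZyY0U0ZzZNNzhjb2RNdjgySDgKLS0tIElMb2syejBKVmhqdnJmeTBiWUJ3\nVmpBRldiNzQrZFNhMFVSWE0xMEhXaTAKzTo+r7/zV4HbU/DOQj+UnpN/T01DfVr/\nn9OVSddwCwqfyVLq0GeEjYN6ejs6JjNQqeSK2fSXPpCK8zTTgIpD8w==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_recipient=age1xrzl49tvnatuu55xu5av6xcxyhrakd7mkzl5kz30kqqaxvh2m3sqax8jeu
+sops_lastmodified=2024-05-16T09:13:07Z
+sops_mac=ENC[AES256_GCM,data:7Q/k+JyGY2NurJwQlNfjUAH1+V81OGaahF4ERfRDewSmFNStBHI89InHtpgycrAZ6F/y/gi2aCU4UScF2DZTo4QDfO6z4z+j14JlAVcXD0RBFSvKdDvQtCyxjyJmMpRtue7kCsBTwdi1vVlAhRaou37rvIt2BSWgDsq2u/QD21I=,iv:Qqgcp2RwtLmS00ENz2Jt9uBK3JUUdx5ZNZTxMfQRWKQ=,tag:H2c5HBuO7U2wpB/JmRXcqA==,type:str]
+sops_pgp__list_0__map_created_at=2024-05-16T09:09:19Z
+sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DrTkQq20WUVESAQdA4hxhmiuKNPdxjBYrKPozyO5pB9IojztBe+VYw4MHWGIw\nr3I0Y14WFSmO0v+VYWdFU1d+M87GW75JMwMs5e4EherX24Hf732YsOTto/wvddE7\n1GgBCQIQaLG2nRWwmyA7MDAKkxJJOFyuEZBYTLcedqIxzhxQG33U2ttyUlw80+Kf\nSNnkx/a71ytYz1bH9iRusjPIOKmbIgKmtoNfUPxOw+tBsWZu8BroPhO5SojMfT+8\nMJ35WpW5KuO4Lg==\n=Vh2J\n-----END PGP MESSAGE-----
+sops_pgp__list_0__map_fp=D3067BE844D3FC49535A47B29396B8BA6FBB14DE
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.8.1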
|
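--- a/hosts/vps1/services/authentik.nix
+++ b/hosts/vps1/services/authentik.nix
@@ -0,0 +1,41 @@
+{ config, data, ...}:
+let
+  inherit (data.host) rootDomain;
+  inherit (data.services.auth) domain;
+  mailDomain = data.services.mailserver.domain;
+
+  sops_opts = {
+    sopsFile = ../secrets/authentik.env;
+    format = "dotenv";
+    # owner = "authentik";
+    group = "authentik";
+  };
+in
+{
+  services.authentik = {
+    enable = true;
+    # The environmentFile needs to be on the target host!
+    # Best use something like sops-nix or agenix to manage it
+    environmentFile = "/run/secrets/authentik/authentik-env";
+    createDatabase = true;
+    nginx = {
+      enable = true;
+      enableACME = true;
+      host = domain;
+    };
+    settings = {
+      email = {
+        host = mailDomain;
+        port = 587;
+        username = "authentik@${rootDomain}";
+        use_tls = true;
+        use_ssl = true;
+        from = "authentik@${rootDomain}";
+      };
+      disable_startup_analytics = true;
+      avatars = "initials";
+    };
+  };
+
+  sops.secrets.authentik = sops_opts;
+}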
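Review bot: `use_tls = true` and `use_ssl = true` are both set in `settings.email` together with `port = 587`, but these select STARTTLS and implicit TLS respectively and are treated as mutually exclusive by the Django SMTP backend authentik uses, so outgoing mail (recovery, verification, notifications) will fail at send time; for port 587 keep `use_tls = true;` and drop the `use_ssl` line. The secret declaration `sops.secrets.authentik = sops_opts` uses `format = "dotenv"` with no `key` or `path`, which under sops-nix defaults looks up a dotenv key literally named `authentik` and writes to `/run/secrets/authentik`, neither of which matches `environmentFile = "/run/secrets/authentik/authentik-env"`; presumably the options need `key = ""; path = "/run/secrets/authentik/authentik-env";` — verify against the sops-nix version in use. The encrypted env file added in this commit carries only `AUTHENTIK_EMAIL__PASSWORD`; if `AUTHENTIK_SECRET_KEY` (which signs sessions and cookies) is not supplied elsewhere, it belongs in the same sops-managed file rather than being left unset. Setting `group = "authentik"` without a `mode` leaves the sops-nix default 0400 root-owned file, which only works because systemd reads `EnvironmentFile` as root; a one-line comment stating that intent would save the next reader a debugging session.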
|
|
@ -39,6 +39,10 @@ in
|
||||||
];
|
];
|
||||||
hashedPassword = "$2b$05$IlDxRGJ6vOUjDIq0hfCd3uIVLQw0oodRU1cG8pKueO1BgaIfpUYPS";
|
hashedPassword = "$2b$05$IlDxRGJ6vOUjDIq0hfCd3uIVLQw0oodRU1cG8pKueO1BgaIfpUYPS";
|
||||||
};
|
};
|
||||||
|
"auth@${rootDomain}" = {
|
||||||
|
hashedPassword = "$2b$05$vqTJCReuUY61.Z1EwcwXnOlG98Cizpt1TGIJ76/WSHaiweAxPglp6";
|
||||||
|
sendOnly = true;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -46,5 +50,4 @@ in
|
||||||
"postfix.service"
|
"postfix.service"
|
||||||
"dovecot2.service"
|
"dovecot2.service"
|
||||||
];
|
];
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|