vps1: enable authentik

This commit is contained in:
Lgmrszd 2024-05-16 16:44:08 +03:00
parent 185dc9f3d8
commit 9e411591d8
No known key found for this signature in database
GPG key ID: 9396B8BA6FBB14DE
5 changed files with 61 additions and 1 deletions

View file

@ -11,6 +11,7 @@ in
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./services/postgres.nix ./services/postgres.nix
./services/authentik.nix
./services/git.nix ./services/git.nix
./services/mailserver.nix ./services/mailserver.nix
./akkotest.nix ./akkotest.nix

View file

@ -4,3 +4,6 @@ sshPort = 22631
[mailserver] [mailserver]
subdomain = "mail" subdomain = "mail"
[auth]
subdomain = "auth"

View file

@ -0,0 +1,12 @@
AUTHENTIK_EMAIL__PASSWORD=ENC[AES256_GCM,data:W4xv9+30ejC+lM+t2k9H,iv:oYNnXJ+D5WAtE0lYw4QiXiDLejdaLp6VsRvBb1pvSbY=,tag:HnCl6P1z0dR2nIyFDIkgfA==,type:str]
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjVnBKYTdIblVLNzZaSWpW\nMTBJQzE0Mzc0ck5lZE04d2NMRGlVSGRzRFFVCmpVQ3RYL1NpYXBhUmtVRnRlTGxm\naWppN2l6UGg0anJIam9Zak45NHYvRGsKLS0tIDArb0ZPVHF4b2ZBUmlOVFpUL2hk\nMEFGaDVSZTRJZXIzaXlPS3RNcDk1RlUK/oJloqIBIOBPVzfKCgZr/mTCOJAPb1IB\n4/sewMvEtLkIwgnxWMH1r52HaJpafUCkc0+H6mY2RT6AC0kFR/wNwQ==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_0__map_recipient=age1acgqxvyczgsamz53z3v0gmahzfxlg9tscwnrgcxrfndgxhsvn3vs4ss5tk
sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNV0QvaUpLK3dXcjExUExa\nbHduQWxnd3o3L3hyQ25qZ29YcnFwbEt5NFZzClNsdnNFL2ZwdFhmR2FzbVBNMlBj\nVFpmNTZyY0U0ZzZNNzhjb2RNdjgySDgKLS0tIElMb2syejBKVmhqdnJmeTBiWUJ3\nVmpBRldiNzQrZFNhMFVSWE0xMEhXaTAKzTo+r7/zV4HbU/DOQj+UnpN/T01DfVr/\nn9OVSddwCwqfyVLq0GeEjYN6ejs6JjNQqeSK2fSXPpCK8zTTgIpD8w==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_1__map_recipient=age1xrzl49tvnatuu55xu5av6xcxyhrakd7mkzl5kz30kqqaxvh2m3sqax8jeu
sops_lastmodified=2024-05-16T09:13:07Z
sops_mac=ENC[AES256_GCM,data:7Q/k+JyGY2NurJwQlNfjUAH1+V81OGaahF4ERfRDewSmFNStBHI89InHtpgycrAZ6F/y/gi2aCU4UScF2DZTo4QDfO6z4z+j14JlAVcXD0RBFSvKdDvQtCyxjyJmMpRtue7kCsBTwdi1vVlAhRaou37rvIt2BSWgDsq2u/QD21I=,iv:Qqgcp2RwtLmS00ENz2Jt9uBK3JUUdx5ZNZTxMfQRWKQ=,tag:H2c5HBuO7U2wpB/JmRXcqA==,type:str]
sops_pgp__list_0__map_created_at=2024-05-16T09:09:19Z
sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DrTkQq20WUVESAQdA4hxhmiuKNPdxjBYrKPozyO5pB9IojztBe+VYw4MHWGIw\nr3I0Y14WFSmO0v+VYWdFU1d+M87GW75JMwMs5e4EherX24Hf732YsOTto/wvddE7\n1GgBCQIQaLG2nRWwmyA7MDAKkxJJOFyuEZBYTLcedqIxzhxQG33U2ttyUlw80+Kf\nSNnkx/a71ytYz1bH9iRusjPIOKmbIgKmtoNfUPxOw+tBsWZu8BroPhO5SojMfT+8\nMJ35WpW5KuO4Lg==\n=Vh2J\n-----END PGP MESSAGE-----
sops_pgp__list_0__map_fp=D3067BE844D3FC49535A47B29396B8BA6FBB14DE
sops_unencrypted_suffix=_unencrypted
sops_version=3.8.1

View file

@ -0,0 +1,41 @@
{ config, data, ...}:
let
inherit (data.host) rootDomain;
inherit (data.services.auth) domain;
mailDomain = data.services.mailserver.domain;
sops_opts = {
sopsFile = ../secrets/authentik.env;
format = "dotenv";
# owner = "authentik";
group = "authentik";
};
in
{
services.authentik = {
enable = true;
# The environmentFile needs to be on the target host!
# Best use something like sops-nix or agenix to manage it
environmentFile = "/run/secrets/authentik/authentik-env";
createDatabase = true;
nginx = {
enable = true;
enableACME = true;
host = domain;
};
settings = {
email = {
host = mailDomain;
port = 587;
username = "authentik@${rootDomain}";
use_tls = true;
use_ssl = true;
from = "authentik@${rootDomain}";
};
disable_startup_analytics = true;
avatars = "initials";
};
};
sops.secrets.authentik = sops_opts;
}

View file

@ -39,6 +39,10 @@ in
]; ];
hashedPassword = "$2b$05$IlDxRGJ6vOUjDIq0hfCd3uIVLQw0oodRU1cG8pKueO1BgaIfpUYPS"; hashedPassword = "$2b$05$IlDxRGJ6vOUjDIq0hfCd3uIVLQw0oodRU1cG8pKueO1BgaIfpUYPS";
}; };
"auth@${rootDomain}" = {
hashedPassword = "$2b$05$vqTJCReuUY61.Z1EwcwXnOlG98Cizpt1TGIJ76/WSHaiweAxPglp6";
sendOnly = true;
};
}; };
}; };
@ -46,5 +50,4 @@ in
"postfix.service" "postfix.service"
"dovecot2.service" "dovecot2.service"
]; ];
} }