From eb1bfcf1f13c5cfef8c89cddb1699ade0c45022f Mon Sep 17 00:00:00 2001
From: Infinidoge
Date: Wed, 15 Jan 2025 23:25:36 -0500
Subject: [PATCH] Infini-DL360/authentik: init with ldap

---
 flake.nix | 10 ++++++
 hosts/Infini-DL360/authentik.nix | 50 ++++++++++++++++++++++++++++
 hosts/Infini-DL360/default.nix | 1 +
 secrets/authentik-ldap.age | 55 +++++++++++++++++++++++++++++++
 secrets/authentik.age | Bin 0 -> 3131 bytes
 secrets/default.nix | 3 ++
 secrets/secrets.nix | 2 ++
 7 files changed, 121 insertions(+)
 create mode 100644 hosts/Infini-DL360/authentik.nix
 create mode 100644 secrets/authentik-ldap.age
 create mode 100644 secrets/authentik.age

diff --git a/flake.nix b/flake.nix
index 5387c19..6a003cc 100644
--- a/flake.nix
+++ b/flake.nix
@@ -60,6 +60,9 @@
 ## Qtile
 qtile.url = "github:qtile/qtile";
 
+ ## Authentik
+ authentik-nix.url = "github:nix-community/authentik-nix";
+
 ### Cleanup ###
 ## Common
 blank.url = "github:divnix/blank";
@@ -72,6 +75,12 @@
 agenix.inputs.home-manager.follows = "home-manager";
 agenix.inputs.nixpkgs.follows = "nixpkgs";
 agenix.inputs.systems.follows = "systems";
+ authentik-nix.inputs.flake-compat.follows = "blank";
+ authentik-nix.inputs.flake-parts.follows = "flake-parts";
+ authentik-nix.inputs.flake-utils.follows = "flake-utils";
+ authentik-nix.inputs.nixpkgs.follows = "nixpkgs";
+ authentik-nix.inputs.poetry2nix.inputs.treefmt-nix.follows = "treefmt-nix";
+ authentik-nix.inputs.systems.follows = "systems";
 conduwuit.inputs.attic.follows = "blank";
 conduwuit.inputs.cachix.follows = "blank";
 conduwuit.inputs.flake-compat.follows = "blank";
@@ -206,6 +215,7 @@
 inputs.nixos-wsl.nixosModules.wsl
 
 # --- Domain-Specific Modules ---
+ inputs.authentik-nix.nixosModules.default
 inputs.lix-module.nixosModules.default
 inputs.hydra.nixosModules.overlayNixpkgsForThisHydra
 inputs.nix-minecraft.nixosModules.minecraft-servers
diff --git a/hosts/Infini-DL360/authentik.nix b/hosts/Infini-DL360/authentik.nix
new file mode 100644
index 0000000..7ae9696
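Review bot: The `authentik-nix` input added in the first flake.nix hunk is referenced by branch only (`github:nix-community/authentik-nix`), and `flake.lock` is not among the seven files in this patch's diffstat, so the commit does not pin which revision of that repository will actually be evaluated; the next `nix flake lock` or build resolves whatever the default branch points at at that moment, and that code is then loaded as a NixOS module by the third hunk with the `follows` overrides of the second hunk applied to it. Unless the lock update lands in a separate commit, I would commit the `flake.lock` change together with the new input so the reviewed and built revisions match. The `follows` block would also benefit from a line recording the intent, e.g. `# authentik-nix: nixpkgs/poetry2nix/treefmt overridden to ours — re-test on every input bump`, since those overrides replace the dependency set the upstream module was tested against.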
--- /dev/null
+++ b/hosts/Infini-DL360/authentik.nix
@@ -0,0 +1,50 @@
+{ config, common, secrets, ... }:
+let
+ domain = common.subdomain "auth";
+ ldap = common.subdomain "ldap";
+in
+{
+ services.authentik = {
+ enable = true;
+ environmentFile = secrets.authentik;
+ settings = {
+ email = with common.email; {
+ host = smtp.address;
+ port = smtp.STARTTLS;
+ username = outgoing;
+ from = withSubaddress "authentik";
+ use_tls = true;
+ use_ssl = false;
+ };
+ disable_startup_analytics = true;
+ cookie_domain = common.domain;
+ };
+
+ nginx = {
+ enable = true;
+ enableACME = true;
+ host = domain;
+ };
+ };
+
+ services.authentik-ldap = {
+ enable = true;
+ environmentFile = secrets.authentik-ldap;
+ };
+
+ networking.firewall.allowedTCPPorts = [ 3389 6636 ];
+
+ security.acme.certs.${ldap} = {
+ group = "nginx";
+ webroot = null;
+ };
+
+ systemd.services.authentik-worker.serviceConfig.LoadCredential = [
+ "${ldap}.pem:${config.security.acme.certs.${ldap}.directory}/fullchain.pem"
+ "${ldap}.key:${config.security.acme.certs.${ldap}.directory}/key.pem"
+ ];
+
+ services.nginx.virtualHosts.${domain} = {
+ acmeRoot = null;
+ };
+}
diff --git a/hosts/Infini-DL360/default.nix b/hosts/Infini-DL360/default.nix
index 7701a1a..036ef59 100644
--- a/hosts/Infini-DL360/default.nix
+++ b/hosts/Infini-DL360/default.nix
@@ -6,6 +6,7 @@
 ./web.nix private.nixosModules.minecraft-servers
+ ./authentik.nix
 ./conduwuit.nix
 ./factorio.nix
 ./forgejo.nix
diff --git a/secrets/authentik-ldap.age b/secrets/authentik-ldap.age
new file mode 100644
index 0000000..881cc01
--- /dev/null
+++ b/secrets/authentik-ldap.age
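Review bot: `networking.firewall.allowedTCPPorts = [ 3389 6636 ];` in authentik.nix opens the LDAP outpost's plain-LDAP listener (3389) alongside LDAPS (6636) on every interface, so any client that binds on 3389 without negotiating StartTLS sends its bind password in cleartext over whatever networks this host is reachable from. If only hosts on an internal network consume the directory, I would scope the rule to that interface, e.g. `networking.firewall.interfaces."<internal-iface>".allowedTCPPorts = [ 3389 6636 ];` (interface name to be filled in), or keep only `[ 6636 ]` in the global list. Separately, `cookie_domain = common.domain;` sets authentik's session cookie on the parent domain (the parent of the `auth` subdomain, going by `common.subdomain`), which means every sibling host under that domain receives the cookie on each request; if that is deliberate for domain-level forward auth, a comment such as `# widened for domain-level forward auth: every host under this domain receives the session cookie` would record the trade-off for the next reader.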
@@ -0,0 +1,55 @@ +age-encryption.org/v1 +-> ssh-ed25519 sQ/0YA 45Xehc7VVPbIlgsi7TNGSEtO2t3rzLyZ5YpmqLBwsV0 +zvdRHbvKMN7UHE/23InpKrY4ZjSeS7dG6FUmemEvrj0 +-> ssh-ed25519 aYlTiQ aroJxAQnSoe5nQ9XLEuVfctVTuZCA1dz58QGUfVHkX4 +NCMvDEzRxiLjqK8/55iXBiNDaJco0nbuN9GoOA28ZM8 +-> ssh-ed25519 i9xGKA Qt9WjkuN+O2Qd8EDU1Oh/G9zQLf3LtbtLBLccMNIunM +TGf8czfM5AsYap3jC8RQqiK8EZz6nkg/ETwUOjmOTSg +-> ssh-ed25519 ydxrGg wIX12uEK76B4GxixYepk8Za2dXdi6SC7KnxWeVJ44QQ +xsNU4m5Nii5H5htV7u18PQBafTk5pHlae7WeAYeJNp8 +-> ssh-ed25519 oqB+OQ /skWuFpVL6PHjUNkPNBQYMxJngdLd0zzebzWVJ3u8QU +0Qj7w8QbbaF0be7Z+X93AlrEABLopW0HC1A+dLBaKcE +-> ssh-ed25519 gIJNbA n1HDVZgNWAZwKviLWZ+dw+WLzXVywElc+gM1ja0ilgE +coMdTnFduLH84KClPl48B8nnBmklTZTLLUQPYOUluZ4 +-> ssh-ed25519 hjL/yw TGg4TUQ6FTXliL080QbF9n2vm/Wl5cGznCS1LJkKNwc +eH3BlNOjsnLx7YQOqpzVUnlj2VN3/LuApzaCcUxE2DU +-> ssh-ed25519 Ig0rsg Y20/6dtLW26qmdPpTo5+Y1lKzXFyRu/tsOb0nNG5Oy8 +cu9xRDyaetXbYL8l63m0LLwe5DO6S5MCCrh68g/VZEc +-> ssh-ed25519 U4Pefg b7k53fcR+OaZZ0quznxG9gZF3fCPDLcITGjmlSWaing +IueR2mA68ZpW5DN/21saH7XX4WZ0bx6Byq/ujUI3dxo +-> ssh-ed25519 SqmlZQ cJYcWJMsgzrOLQh3tMAxNHwod5tFzwAsNq+pgXe7VSU +dI+dQ7LX7YBb5VZH0nbdadO1RhZymVhx+LR6GM77O54 +-> ssh-ed25519 GT2Stg pe6hSAAr8UgfVsc9S4YExQmLu/BovuTuDkI5pHrLOg0 +kfrKZRrEZBRblKxhNAc2hfK0xJkwUjuEemGc8NvLSRs +-> ssh-ed25519 oAMyvg pERphhA/Iy6JMmfk3u4MdFGPFsgX8orA9IWFz+OKPWI +E7kSlpnHKuurKBnHGpZra2/Y2E2nP4U+4r7xjFc3H88 +-> ssh-ed25519 VIHjXg RDRtgg1C1V653qPRveNN22E7aURc3nn8t7DIqAonW1Q +ogNXIGYjvthFLLi4UAK5O6XBSMz6ryHqa9qVXFhlxcQ +-> ssh-ed25519 VEv3zg WtBszZ9ULXMUnkIm2NbzW1n3upnDbYyj4vFuIOMBZAY +Qymsh8bIib3aDpOtRUQExnQAxUFM2os8+n5zr/VbK8U +-> ssh-ed25519 m7J79g ztGfKhVhM58dCs0jQXQ4CaUJ+38tmiT7gCjMSP53vBM +BjYjY2no/i+OxpW+lttfiyVq0Rdx6UK6dZzV5BK2s6g +-> ssh-ed25519 2S7Wcg P9Lp9CmgNhFPK3dhcL5RCI9C/e/T14gHQnUisbB63Uc +xwB59NM8MK0PoLEcdZlgVmTN6XUwEkBvEHf4MEUvgj0 +-> ssh-ed25519 EMoPew 4DCY0Hr3ahCsbIQaSILeDjc2U9d5r1Bu0Wq6+DkqBT0 +4Q/UuDNUhDiwGVrj55gpevb9EjMJYEGiQApWZ1W7lwQ +-> ssh-ed25519 izZ3FQ 
kl0RdeRgACTlT+1clA+jO2mnwgt17K7vmmr7kzm2OTI +A5yb1h8cceCZG59WDrYS5zfvefOXAruyktFv+VeeK6M +-> ssh-ed25519 zNb8DQ xwsiHBtFVgurDq0+PkvXFm9+pu7gE7IiIZjLgCuNUmo +rQtHSSAUWB9dN3nqkMUsSIDn4K+R2qbERcHTfyDRADI +-> ssh-ed25519 GB2MZQ Dfmtib/IZ/rrPae8uqc03E9VF23lI2jMUAoPn9qdcFw +cmBx9o+xDSDXr6HKFMYuAa8oxbcAQ//rF1E/xzF8gcA +-> ssh-ed25519 FelIjw yXxK2S5XK3CLZBYDt9znkO/kq92rp7L/wJ2/e+xMzEQ +5kLji+xXPEY84mnKl0mIRWkFF3RQuEQFQ/kL/KLcH8w +-> ssh-ed25519 TRpHkw 5D9fXwQACh1E1G+30L+ncFZF+bhYmQyVl0T4v5NOikc +bOtITbo94qqRF8OvucxdOpvt2y+YSV1U1hXP0NvT/lc +-> ssh-ed25519 rKpRzQ M8kmtJoaHcrC0oj3Yz7TN6vAwT1xs660k7+YqR8eOhs +eSNF8UCZNyq2ZKYptCPFonjLqCGtRvReQqOctiNE7QI +-> ssh-ed25519 8/Dzqw AZKks01oa5bdJAXIJ9ZaQ09EG1umZIxQ8v1bZCbmKAY +RX2kvUvk42mfOkni8j6mbNXnM9+34vETVdQ5XhyjhV8 +-> ssh-ed25519 tJyugw utGEjfJPxWfq0cYOdsme8sbZiNf/yw1ZJQpix/Ht+H4 +yQ1tN3UxSEuBmP3m0csNODTWGgSY7H44kD/zrCGnKxk +-> ssh-ed25519 lpPUYw rKzfbeo38K941NUnNhXGA+HG5P6tI43Cn3Z+8HrTWHI +4h80ZrR0x/Zk+1c1B3vX9tBzb1eMyno0oOEzJ+1lOmI +--- zR2LWBuBZmIT1u6j1bSo95VtulxE/hHLsmMoKXkrnqE +5TM ˬ3y#47ѿ(>{vTI@65$Bs1[Q$4Mzi"ʗe2P.g4nAεtz-/Bwgj \ No newline at end of file 
diff --git a/secrets/authentik.age b/secrets/authentik.age new file mode 100644 index 0000000000000000000000000000000000000000..b8771defe86451f4d933bed148b646c2f588bd99 GIT binary patch literal 3131 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSH4%9b@bX3TV2o5Vt zwlt0^jLI%HHt-M6Dl)W;v~=-EtF#Pqch)cW@(9jM%8u|ha^=eQ$q#Z)FHKA`NGvNV z4o@`94+!+j&&>--a?SBg%`=UR@(L<;NzMu@EJn92F)}A4Gf=_LH`&xLD9}79CDBRS z*+M_h!X>fXH^aR=BP^>Zy)Y%!)kr@v)4Z&r%8{$eFf7>3vmhrjImh4FBB0ROGsnl> z(Z{FAvaG;SJ2x}4sL&}OsvsymITGErOv?&)Z%2i26GLsI;OtDJyn@J}z}(8JWMg*^ z*L>6byfQxOLp@!^C*b)^iK^m ztSHDx4>jQ`b&0Gj%T5i>E( z?tuZ`rrF*mr5-sUAwkZbzA5^KWhJ?pg~4uK<=KvYfhqo_ZpHb=Sq5B*Nrm}-VMS3v z`dN-uCI0Cy6`7e?=8=)U1)lx}{-!}rfw@(Yx!QRd8LsHId8Qi_6{jnthbBhkRfPNL zyZMAvh0=eoR#Jp7-(jk z6<}dpSP+!rYUya|WmaHW8XW1J77`eh9F)%$$*RheVxo96Ft9&Q*_?uX&G;KJOTs6Yj6b4!EdYA=H~eshGhm;c~n*vg_mczRA%Rw=_mT6TSj`7dj=&2dxYv6J6V`| zdSax>d`I8PvUCNnoI;m~M2lQg7dPkNV55q%yu##g(?Ij2Ocx*DqF~o#OMk*AYX>T8;v8eC=RXl&+ESEr01Zs6stZJ_TG?%|e~VVdNho*HRxoU5Ia zTH)gEXW(rdXcnGWf>GnR`sN3umMb_1ctmv2P9|sS9n$h4%pY2UL}p_(ql+X#0Da6qXmcI!9UNq!gy6N0vl7 z2WJInW7arTQO0h83MM(J7M{lLk>M3?`sV35j^T-=Uit=Jo|ch?MupB%d13Bh`36aq z+EpGVTp|8NIga`sRleGexoMW(7CAn?o+Y6Ho`$~uNu`#4`L0ziS(UC8rbby9@mA%R zWZ@F1Q0QGzSQZ@MHFoo1*L_Vxl{!gn}u4Sr%AWe9M7zB1+N0bEVqyn(}?1v zloZdXf;_*Za%VI5DyLjO1NVY#e{J*Zbf=2&$g-?#E+_qviqP!DjNGWg)R5Gol7KMB zysSiLLuWH@i?qPRz@YrFOv8Y%%%}>Ck}D*rz$3d{!P3mkL*LLl$s*7{F~wB7+#@Hz z$J;00vZyS>v)td;CEUWyAf>W6s35|Zt28+|J=ZtG%p=R(zdR~5+sLfg*fJo$Aj>2& zGBq>Jq%g%XC^*W|(Y*j8-io{nf~o=)DgsjSTmy|F3nG&8GqM6QlHA>$%u77L&Netql)uG!hG_Q1M>>}^0kdZa-2>4ybNZ$a?CKwNeg|Ks={)Gf{ajo*W4)mB<~92w8|o<;?#mv_Y8A=*J8sUi^R(G)SNUo zXTzX;eFIM}gNzJIw}{Z7eB=BqQ;Wa=BlB?gNJHn8a;Fe?PwzC7a^J}8Qn!@CJSU9& zR^nAznqIDupH=0W>R)E$pO#5^<7QB;gp<#MkR-&=b9QgH4xujPZCWb_nr&W}erIs4|Cgy2JMwBL*dqr}ohi>1m&&F;b_VTmrF{gyoT}uPD zY2I$*6gvO6)AJg0TiD#1%gO<25$Eg03o4JVp&C6+TIUm|>-m*Y->kOuUYxKe! 
z_DxUxwaWeOp(C%44L>IC6Qg`(leOZ>M)zv*J&PsvS;UvMo2t)XMAsccUE=xdAc@mQ1%0F%`{yp!y_N nAjDZ;x=X?D_TH5rj4R^!vi2|gdf>+-hKtMXuWFdB*(3r0hUf;- literal 0 HcmV?d00001
diff --git a/secrets/default.nix b/secrets/default.nix
index 8eba52d..18cf7ed 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -55,6 +55,9 @@ in
 (mkIf config.services.searx.enable {
 inherit (secrets) searx;
 })
+ (mkIf config.services.authentik.enable {
+ inherit (secrets) authentik authentik-ldap;
+ })
 ];
 };
 }
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 4b7ad07..24b8595 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -43,4 +43,6 @@ generate [
 "hedgedoc.age"
 "searx.age"
 "ovpn.age"
+ "authentik.age"
+ "authentik-ldap.age"
 ]
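Review bot: In the `secrets/default.nix` hunk both secrets are gated on `config.services.authentik.enable`, so the LDAP outpost token in `authentik-ldap` is decrypted onto any host that runs the authentik core even when `services.authentik-ldap` is not enabled there. Gating that secret on the outpost instead keeps the token off hosts that do not need it: reduce the new entry to `inherit (secrets) authentik;` and add a separate `(mkIf config.services.authentik-ldap.enable { inherit (secrets) authentik-ldap; })`. The list these `mkIf` entries belong to begins outside the hunk, and the `secrets.nix` hunk on the same line only registers the two files and needs no change.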