Infini-DL360/authentik: init with ldap

This commit is contained in:
Infinidoge 2025-01-15 23:25:36 -05:00
parent a0b997ec31
commit eb1bfcf1f1
Signed by: Infinidoge
SSH key fingerprint: SHA256:EMoPe5e2dO0gEvtBb2xkZTz5dkyL0rBmuiGTKG5s96E
7 changed files with 121 additions and 0 deletions


@ -60,6 +60,9 @@
## Qtile ## Qtile
qtile.url = "github:qtile/qtile"; qtile.url = "github:qtile/qtile";
## Authentik
authentik-nix.url = "github:nix-community/authentik-nix";
### Cleanup ### ### Cleanup ###
## Common ## Common
blank.url = "github:divnix/blank"; blank.url = "github:divnix/blank";
@ -72,6 +75,12 @@
agenix.inputs.home-manager.follows = "home-manager"; agenix.inputs.home-manager.follows = "home-manager";
agenix.inputs.nixpkgs.follows = "nixpkgs"; agenix.inputs.nixpkgs.follows = "nixpkgs";
agenix.inputs.systems.follows = "systems"; agenix.inputs.systems.follows = "systems";
authentik-nix.inputs.flake-compat.follows = "blank";
authentik-nix.inputs.flake-parts.follows = "flake-parts";
authentik-nix.inputs.flake-utils.follows = "flake-utils";
authentik-nix.inputs.nixpkgs.follows = "nixpkgs";
authentik-nix.inputs.poetry2nix.inputs.treefmt-nix.follows = "treefmt-nix";
authentik-nix.inputs.systems.follows = "systems";
conduwuit.inputs.attic.follows = "blank"; conduwuit.inputs.attic.follows = "blank";
conduwuit.inputs.cachix.follows = "blank"; conduwuit.inputs.cachix.follows = "blank";
conduwuit.inputs.flake-compat.follows = "blank"; conduwuit.inputs.flake-compat.follows = "blank";
@ -206,6 +215,7 @@
inputs.nixos-wsl.nixosModules.wsl inputs.nixos-wsl.nixosModules.wsl
# --- Domain-Specific Modules --- # --- Domain-Specific Modules ---
inputs.authentik-nix.nixosModules.default
inputs.lix-module.nixosModules.default inputs.lix-module.nixosModules.default
inputs.hydra.nixosModules.overlayNixpkgsForThisHydra inputs.hydra.nixosModules.overlayNixpkgsForThisHydra
inputs.nix-minecraft.nixosModules.minecraft-servers inputs.nix-minecraft.nixosModules.minecraft-servers
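Review bot: `authentik-nix.inputs.nixpkgs.follows = "nixpkgs"` in the second hunk replaces the nixpkgs revision that authentik-nix pins, so the authentik package and its poetry2nix-built Python closure are built against a nixpkgs that upstream has not necessarily tested; the `poetry2nix`, `flake-parts` and `flake-utils` follows carry the same trade-off. Following the repo's own nixpkgs is a common way to avoid a second nixpkgs evaluation, but it means a later `nixpkgs` bump can break authentik independently of any change to the authentik-nix input. A short comment above the follows block, e.g. `# authentik-nix pins its own nixpkgs; following ours avoids a second evaluation but is untested upstream — drop the follow first if the build breaks`, would record that choice for the next maintainer.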


@ -0,0 +1,50 @@
{ config, common, secrets, ... }:
let
domain = common.subdomain "auth";
ldap = common.subdomain "ldap";
in
{
services.authentik = {
enable = true;
environmentFile = secrets.authentik;
settings = {
email = with common.email; {
host = smtp.address;
port = smtp.STARTTLS;
username = outgoing;
from = withSubaddress "authentik";
use_tls = true;
use_ssl = false;
};
disable_startup_analytics = true;
cookie_domain = common.domain;
};
nginx = {
enable = true;
enableACME = true;
host = domain;
};
};
services.authentik-ldap = {
enable = true;
environmentFile = secrets.authentik-ldap;
};
networking.firewall.allowedTCPPorts = [ 3389 6636 ];
security.acme.certs.${ldap} = {
group = "nginx";
webroot = null;
};
systemd.services.authentik-worker.serviceConfig.LoadCredential = [
"${ldap}.pem:${config.security.acme.certs.${ldap}.directory}/fullchain.pem"
"${ldap}.key:${config.security.acme.certs.${ldap}.directory}/key.pem"
];
services.nginx.virtualHosts.${domain} = {
acmeRoot = null;
};
}
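Review bot: `networking.firewall.allowedTCPPorts = [ 3389 6636 ];` opens the plaintext LDAP port alongside LDAPS on every interface, so a client that binds on 3389 without STARTTLS sends its bind password in the clear across whatever network this host sits on. If only TLS clients are expected, expose LDAPS alone, `networking.firewall.allowedTCPPorts = [ 6636 ];`, or restrict 3389 to a trusted interface through `networking.firewall.interfaces.<name>.allowedTCPPorts`. Separately, the certificate and key reach the worker via `LoadCredential`, which is read when the unit starts, so an ACME renewal of the `${ldap}` certificate is not picked up until authentik-worker is restarted; adding `reloadServices = [ "authentik-worker.service" ];` to `security.acme.certs.${ldap}` ties the restart to the renewal. Whether the `webroot = null` / `acmeRoot = null` pair is backed by a DNS-01 challenge configured elsewhere cannot be seen from this file.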


@ -6,6 +6,7 @@
./web.nix ./web.nix
private.nixosModules.minecraft-servers private.nixosModules.minecraft-servers
./authentik.nix
./conduwuit.nix ./conduwuit.nix
./factorio.nix ./factorio.nix
./forgejo.nix ./forgejo.nix


@ -0,0 +1,55 @@
age-encryption.org/v1
-> ssh-ed25519 sQ/0YA 45Xehc7VVPbIlgsi7TNGSEtO2t3rzLyZ5YpmqLBwsV0
zvdRHbvKMN7UHE/23InpKrY4ZjSeS7dG6FUmemEvrj0
-> ssh-ed25519 aYlTiQ aroJxAQnSoe5nQ9XLEuVfctVTuZCA1dz58QGUfVHkX4
NCMvDEzRxiLjqK8/55iXBiNDaJco0nbuN9GoOA28ZM8
-> ssh-ed25519 i9xGKA Qt9WjkuN+O2Qd8EDU1Oh/G9zQLf3LtbtLBLccMNIunM
TGf8czfM5AsYap3jC8RQqiK8EZz6nkg/ETwUOjmOTSg
-> ssh-ed25519 ydxrGg wIX12uEK76B4GxixYepk8Za2dXdi6SC7KnxWeVJ44QQ
xsNU4m5Nii5H5htV7u18PQBafTk5pHlae7WeAYeJNp8
-> ssh-ed25519 oqB+OQ /skWuFpVL6PHjUNkPNBQYMxJngdLd0zzebzWVJ3u8QU
0Qj7w8QbbaF0be7Z+X93AlrEABLopW0HC1A+dLBaKcE
-> ssh-ed25519 gIJNbA n1HDVZgNWAZwKviLWZ+dw+WLzXVywElc+gM1ja0ilgE
coMdTnFduLH84KClPl48B8nnBmklTZTLLUQPYOUluZ4
-> ssh-ed25519 hjL/yw TGg4TUQ6FTXliL080QbF9n2vm/Wl5cGznCS1LJkKNwc
eH3BlNOjsnLx7YQOqpzVUnlj2VN3/LuApzaCcUxE2DU
-> ssh-ed25519 Ig0rsg Y20/6dtLW26qmdPpTo5+Y1lKzXFyRu/tsOb0nNG5Oy8
cu9xRDyaetXbYL8l63m0LLwe5DO6S5MCCrh68g/VZEc
-> ssh-ed25519 U4Pefg b7k53fcR+OaZZ0quznxG9gZF3fCPDLcITGjmlSWaing
IueR2mA68ZpW5DN/21saH7XX4WZ0bx6Byq/ujUI3dxo
-> ssh-ed25519 SqmlZQ cJYcWJMsgzrOLQh3tMAxNHwod5tFzwAsNq+pgXe7VSU
dI+dQ7LX7YBb5VZH0nbdadO1RhZymVhx+LR6GM77O54
-> ssh-ed25519 GT2Stg pe6hSAAr8UgfVsc9S4YExQmLu/BovuTuDkI5pHrLOg0
kfrKZRrEZBRblKxhNAc2hfK0xJkwUjuEemGc8NvLSRs
-> ssh-ed25519 oAMyvg pERphhA/Iy6JMmfk3u4MdFGPFsgX8orA9IWFz+OKPWI
E7kSlpnHKuurKBnHGpZra2/Y2E2nP4U+4r7xjFc3H88
-> ssh-ed25519 VIHjXg RDRtgg1C1V653qPRveNN22E7aURc3nn8t7DIqAonW1Q
ogNXIGYjvthFLLi4UAK5O6XBSMz6ryHqa9qVXFhlxcQ
-> ssh-ed25519 VEv3zg WtBszZ9ULXMUnkIm2NbzW1n3upnDbYyj4vFuIOMBZAY
Qymsh8bIib3aDpOtRUQExnQAxUFM2os8+n5zr/VbK8U
-> ssh-ed25519 m7J79g ztGfKhVhM58dCs0jQXQ4CaUJ+38tmiT7gCjMSP53vBM
BjYjY2no/i+OxpW+lttfiyVq0Rdx6UK6dZzV5BK2s6g
-> ssh-ed25519 2S7Wcg P9Lp9CmgNhFPK3dhcL5RCI9C/e/T14gHQnUisbB63Uc
xwB59NM8MK0PoLEcdZlgVmTN6XUwEkBvEHf4MEUvgj0
-> ssh-ed25519 EMoPew 4DCY0Hr3ahCsbIQaSILeDjc2U9d5r1Bu0Wq6+DkqBT0
4Q/UuDNUhDiwGVrj55gpevb9EjMJYEGiQApWZ1W7lwQ
-> ssh-ed25519 izZ3FQ kl0RdeRgACTlT+1clA+jO2mnwgt17K7vmmr7kzm2OTI
A5yb1h8cceCZG59WDrYS5zfvefOXAruyktFv+VeeK6M
-> ssh-ed25519 zNb8DQ xwsiHBtFVgurDq0+PkvXFm9+pu7gE7IiIZjLgCuNUmo
rQtHSSAUWB9dN3nqkMUsSIDn4K+R2qbERcHTfyDRADI
-> ssh-ed25519 GB2MZQ Dfmtib/IZ/rrPae8uqc03E9VF23lI2jMUAoPn9qdcFw
cmBx9o+xDSDXr6HKFMYuAa8oxbcAQ//rF1E/xzF8gcA
-> ssh-ed25519 FelIjw yXxK2S5XK3CLZBYDt9znkO/kq92rp7L/wJ2/e+xMzEQ
5kLji+xXPEY84mnKl0mIRWkFF3RQuEQFQ/kL/KLcH8w
-> ssh-ed25519 TRpHkw 5D9fXwQACh1E1G+30L+ncFZF+bhYmQyVl0T4v5NOikc
bOtITbo94qqRF8OvucxdOpvt2y+YSV1U1hXP0NvT/lc
-> ssh-ed25519 rKpRzQ M8kmtJoaHcrC0oj3Yz7TN6vAwT1xs660k7+YqR8eOhs
eSNF8UCZNyq2ZKYptCPFonjLqCGtRvReQqOctiNE7QI
-> ssh-ed25519 8/Dzqw AZKks01oa5bdJAXIJ9ZaQ09EG1umZIxQ8v1bZCbmKAY
RX2kvUvk42mfOkni8j6mbNXnM9+34vETVdQ5XhyjhV8
-> ssh-ed25519 tJyugw utGEjfJPxWfq0cYOdsme8sbZiNf/yw1ZJQpix/Ht+H4
yQ1tN3UxSEuBmP3m0csNODTWGgSY7H44kD/zrCGnKxk
-> ssh-ed25519 lpPUYw rKzfbeo38K941NUnNhXGA+HG5P6tI43Cn3Z+8HrTWHI
4h80ZrR0x/Zk+1c1B3vX9tBzb1eMyno0oOEzJ+1lOmI
--- zR2LWBuBZmIT1u6j1bSo95VtulxE/hHLsmMoKXkrnqE
ÿ5ÖÔTÏÇÕM¼Ó âçõˬ3òy­#§ 47®Ñ¿<C391>Þ(¯Á>{¯vTIÆ¡¹@®ô65$×à¢á»B‰ä°¨sÕ1[Q$·4Mz<4D>ó€i"‰ûÊ—<0F>eà±2P£.gåÕç4¥§õº²±ö™nšêAεtz-/BûwÌåé׎g·Èø‰œj

secrets/authentik.age Normal file

Binary file not shown.


@ -55,6 +55,9 @@ in
(mkIf config.services.searx.enable { (mkIf config.services.searx.enable {
inherit (secrets) searx; inherit (secrets) searx;
}) })
(mkIf config.services.authentik.enable {
inherit (secrets) authentik authentik-ldap;
})
]; ];
}; };
} }
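Review bot: `authentik-ldap` is handed out under `mkIf config.services.authentik.enable` rather than `config.services.authentik-ldap.enable`, so the LDAP outpost's environment file is deployed to any host that runs authentik even if the outpost is disabled there. It is harmless while the two services are always enabled together, as the new authentik.nix module does, but a separate `(mkIf config.services.authentik-ldap.enable { inherit (secrets) authentik-ldap; })` entry keeps each secret tied to the service that actually reads it. The enclosing list begins outside the hunk.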


@ -43,4 +43,6 @@ generate [
"hedgedoc.age" "hedgedoc.age"
"searx.age" "searx.age"
"ovpn.age" "ovpn.age"
"authentik.age"
"authentik-ldap.age"
] ]
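Review bot: `"authentik.age"` and `"authentik-ldap.age"` join the same `generate [` list as the other secrets, and the age file shown in text on this page (presumably authentik-ldap.age, since authentik.age is rendered as binary) carries 26 `ssh-ed25519` recipient stanzas, so these secrets appear decryptable by every key in that set rather than only by the host that runs authentik. If the generator supports per-secret recipients, scoping the two authentik entries to that host's key plus the admin keys would limit what a single compromised host key exposes. The `generate [` list starts outside the hunk, so the recipient set it uses cannot be confirmed here.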