Infini-DL360/authentik: init with ldap

flake.nix

@@ -60,6 +60,9 @@
     ## Qtile
     qtile.url = "github:qtile/qtile";
 
+    ## Authentik
+    authentik-nix.url = "github:nix-community/authentik-nix";
+
     ### Cleanup ###
     ## Common
     blank.url = "github:divnix/blank";
@@ -72,6 +75,12 @@
     agenix.inputs.home-manager.follows = "home-manager";
     agenix.inputs.nixpkgs.follows = "nixpkgs";
     agenix.inputs.systems.follows = "systems";
+    authentik-nix.inputs.flake-compat.follows = "blank";
+    authentik-nix.inputs.flake-parts.follows = "flake-parts";
+    authentik-nix.inputs.flake-utils.follows = "flake-utils";
+    authentik-nix.inputs.nixpkgs.follows = "nixpkgs";
+    authentik-nix.inputs.poetry2nix.inputs.treefmt-nix.follows = "treefmt-nix";
+    authentik-nix.inputs.systems.follows = "systems";
     conduwuit.inputs.attic.follows = "blank";
     conduwuit.inputs.cachix.follows = "blank";
     conduwuit.inputs.flake-compat.follows = "blank";
@@ -206,6 +215,7 @@
               inputs.nixos-wsl.nixosModules.wsl
 
               # --- Domain-Specific Modules ---
+              inputs.authentik-nix.nixosModules.default
               inputs.lix-module.nixosModules.default
               inputs.hydra.nixosModules.overlayNixpkgsForThisHydra
               inputs.nix-minecraft.nixosModules.minecraft-servers

hosts/Infini-DL360/authentik.nix

@@ -0,0 +1,50 @@
+{ config, common, secrets, ... }:
+let
+  domain = common.subdomain "auth";
+  ldap = common.subdomain "ldap";
+in
+{
+  services.authentik = {
+    enable = true;
+    environmentFile = secrets.authentik;
+    settings = {
+      email = with common.email; {
+        host = smtp.address;
+        port = smtp.STARTTLS;
+        username = outgoing;
+        from = withSubaddress "authentik";
+        use_tls = true;
+        use_ssl = false;
+      };
+      disable_startup_analytics = true;
+      cookie_domain = common.domain;
+    };
+
+    nginx = {
+      enable = true;
+      enableACME = true;
+      host = domain;
+    };
+  };
+
+  services.authentik-ldap = {
+    enable = true;
+    environmentFile = secrets.authentik-ldap;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 3389 6636 ];
+
+  security.acme.certs.${ldap} = {
+    group = "nginx";
+    webroot = null;
+  };
+
+  systemd.services.authentik-worker.serviceConfig.LoadCredential = [
+    "${ldap}.pem:${config.security.acme.certs.${ldap}.directory}/fullchain.pem"
+    "${ldap}.key:${config.security.acme.certs.${ldap}.directory}/key.pem"
+  ];
+
+  services.nginx.virtualHosts.${domain} = {
+    acmeRoot = null;
+  };
+}

hosts/Infini-DL360/default.nix

@@ -6,6 +6,7 @@
     ./web.nix
 
     private.nixosModules.minecraft-servers
+    ./authentik.nix
     ./conduwuit.nix
     ./factorio.nix
     ./forgejo.nix

secrets/authentik-ldap.age

@@ -0,0 +1,55 @@
+age-encryption.org/v1
+-> ssh-ed25519 sQ/0YA 45Xehc7VVPbIlgsi7TNGSEtO2t3rzLyZ5YpmqLBwsV0
+zvdRHbvKMN7UHE/23InpKrY4ZjSeS7dG6FUmemEvrj0
+-> ssh-ed25519 aYlTiQ aroJxAQnSoe5nQ9XLEuVfctVTuZCA1dz58QGUfVHkX4
+NCMvDEzRxiLjqK8/55iXBiNDaJco0nbuN9GoOA28ZM8
+-> ssh-ed25519 i9xGKA Qt9WjkuN+O2Qd8EDU1Oh/G9zQLf3LtbtLBLccMNIunM
+TGf8czfM5AsYap3jC8RQqiK8EZz6nkg/ETwUOjmOTSg
+-> ssh-ed25519 ydxrGg wIX12uEK76B4GxixYepk8Za2dXdi6SC7KnxWeVJ44QQ
+xsNU4m5Nii5H5htV7u18PQBafTk5pHlae7WeAYeJNp8
+-> ssh-ed25519 oqB+OQ /skWuFpVL6PHjUNkPNBQYMxJngdLd0zzebzWVJ3u8QU
+0Qj7w8QbbaF0be7Z+X93AlrEABLopW0HC1A+dLBaKcE
+-> ssh-ed25519 gIJNbA n1HDVZgNWAZwKviLWZ+dw+WLzXVywElc+gM1ja0ilgE
+coMdTnFduLH84KClPl48B8nnBmklTZTLLUQPYOUluZ4
+-> ssh-ed25519 hjL/yw TGg4TUQ6FTXliL080QbF9n2vm/Wl5cGznCS1LJkKNwc
+eH3BlNOjsnLx7YQOqpzVUnlj2VN3/LuApzaCcUxE2DU
+-> ssh-ed25519 Ig0rsg Y20/6dtLW26qmdPpTo5+Y1lKzXFyRu/tsOb0nNG5Oy8
+cu9xRDyaetXbYL8l63m0LLwe5DO6S5MCCrh68g/VZEc
+-> ssh-ed25519 U4Pefg b7k53fcR+OaZZ0quznxG9gZF3fCPDLcITGjmlSWaing
+IueR2mA68ZpW5DN/21saH7XX4WZ0bx6Byq/ujUI3dxo
+-> ssh-ed25519 SqmlZQ cJYcWJMsgzrOLQh3tMAxNHwod5tFzwAsNq+pgXe7VSU
+dI+dQ7LX7YBb5VZH0nbdadO1RhZymVhx+LR6GM77O54
+-> ssh-ed25519 GT2Stg pe6hSAAr8UgfVsc9S4YExQmLu/BovuTuDkI5pHrLOg0
+kfrKZRrEZBRblKxhNAc2hfK0xJkwUjuEemGc8NvLSRs
+-> ssh-ed25519 oAMyvg pERphhA/Iy6JMmfk3u4MdFGPFsgX8orA9IWFz+OKPWI
+E7kSlpnHKuurKBnHGpZra2/Y2E2nP4U+4r7xjFc3H88
+-> ssh-ed25519 VIHjXg RDRtgg1C1V653qPRveNN22E7aURc3nn8t7DIqAonW1Q
+ogNXIGYjvthFLLi4UAK5O6XBSMz6ryHqa9qVXFhlxcQ
+-> ssh-ed25519 VEv3zg WtBszZ9ULXMUnkIm2NbzW1n3upnDbYyj4vFuIOMBZAY
+Qymsh8bIib3aDpOtRUQExnQAxUFM2os8+n5zr/VbK8U
+-> ssh-ed25519 m7J79g ztGfKhVhM58dCs0jQXQ4CaUJ+38tmiT7gCjMSP53vBM
+BjYjY2no/i+OxpW+lttfiyVq0Rdx6UK6dZzV5BK2s6g
+-> ssh-ed25519 2S7Wcg P9Lp9CmgNhFPK3dhcL5RCI9C/e/T14gHQnUisbB63Uc
+xwB59NM8MK0PoLEcdZlgVmTN6XUwEkBvEHf4MEUvgj0
+-> ssh-ed25519 EMoPew 4DCY0Hr3ahCsbIQaSILeDjc2U9d5r1Bu0Wq6+DkqBT0
+4Q/UuDNUhDiwGVrj55gpevb9EjMJYEGiQApWZ1W7lwQ
+-> ssh-ed25519 izZ3FQ kl0RdeRgACTlT+1clA+jO2mnwgt17K7vmmr7kzm2OTI
+A5yb1h8cceCZG59WDrYS5zfvefOXAruyktFv+VeeK6M
+-> ssh-ed25519 zNb8DQ xwsiHBtFVgurDq0+PkvXFm9+pu7gE7IiIZjLgCuNUmo
+rQtHSSAUWB9dN3nqkMUsSIDn4K+R2qbERcHTfyDRADI
+-> ssh-ed25519 GB2MZQ Dfmtib/IZ/rrPae8uqc03E9VF23lI2jMUAoPn9qdcFw
+cmBx9o+xDSDXr6HKFMYuAa8oxbcAQ//rF1E/xzF8gcA
+-> ssh-ed25519 FelIjw yXxK2S5XK3CLZBYDt9znkO/kq92rp7L/wJ2/e+xMzEQ
+5kLji+xXPEY84mnKl0mIRWkFF3RQuEQFQ/kL/KLcH8w
+-> ssh-ed25519 TRpHkw 5D9fXwQACh1E1G+30L+ncFZF+bhYmQyVl0T4v5NOikc
+bOtITbo94qqRF8OvucxdOpvt2y+YSV1U1hXP0NvT/lc
+-> ssh-ed25519 rKpRzQ M8kmtJoaHcrC0oj3Yz7TN6vAwT1xs660k7+YqR8eOhs
+eSNF8UCZNyq2ZKYptCPFonjLqCGtRvReQqOctiNE7QI
+-> ssh-ed25519 8/Dzqw AZKks01oa5bdJAXIJ9ZaQ09EG1umZIxQ8v1bZCbmKAY
+RX2kvUvk42mfOkni8j6mbNXnM9+34vETVdQ5XhyjhV8
+-> ssh-ed25519 tJyugw utGEjfJPxWfq0cYOdsme8sbZiNf/yw1ZJQpix/Ht+H4
+yQ1tN3UxSEuBmP3m0csNODTWGgSY7H44kD/zrCGnKxk
+-> ssh-ed25519 lpPUYw rKzfbeo38K941NUnNhXGA+HG5P6tI43Cn3Z+8HrTWHI
+4h80ZrR0x/Zk+1c1B3vX9tBzb1eMyno0oOEzJ+1lOmI
+--- zR2LWBuBZmIT1u6j1bSo95VtulxE/hHLsmMoKXkrnqE
+ÿ5ÖÔTÏÇÕM¼Ó âçõˬ3òy­#§ 47®Ñ¿<C391>Þ(¯Á>{›¯vTIÆ¡¹@®ô65$×à¢á»B‰ä°¨sÕ1[Q$·4Mz<4D>ó€i"‰ûÊ—<0F>eà±2P£.gåÕç4¥§õº²±ö™nšêA›Îµtz-/BûwÌåé׎g·Èø‰œj

secrets/default.nix

@@ -55,6 +55,9 @@ in
       (mkIf config.services.searx.enable {
         inherit (secrets) searx;
       })
+      (mkIf config.services.authentik.enable {
+        inherit (secrets) authentik authentik-ldap;
+      })
     ];
   };
 }

secrets/secrets.nix

@@ -43,4 +43,6 @@ generate [
   "hedgedoc.age"
   "searx.age"
   "ovpn.age"
+  "authentik.age"
+  "authentik-ldap.age"
 ]