archive/server_config
Archived
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity

wip

Browse source
This commit is contained in:
Fabian Montero 2024-08-25 04:37:33 -06:00
parent 806b00f634
commit 8c4a28b66d
Signed by untrusted user: fabian
GPG key ID: 1FFAC35E1798174F
5 changed files with 372 additions and 28 deletions
Download patch file Download diff file Expand all files Collapse all files

290
flake.lock generated
View file

@ -3,8 +3,8 @@
"attic": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat",
"flake-utils": "flake-utils",
"flake-compat": "flake-compat_2",
"flake-utils": "flake-utils_2",
"nixpkgs": "nixpkgs",
"nixpkgs-stable": "nixpkgs-stable"
},
@ -23,10 +23,53 @@
"type": "github"
}
},
"authentik-nix": {
"inputs": {
"authentik-src": "authentik-src",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils",
"napalm": "napalm",
"nixpkgs": [
"nixpkgs"
],
"poetry2nix": "poetry2nix"
},
"locked": {
"lastModified": 1724362025,
"narHash": "sha256-/fzIU/Hjgksy7A4ji09zK6cH7ATQV5rAEYb/wgBw8x8=",
"owner": "nix-community",
"repo": "authentik-nix",
"rev": "39cf62b92149800dd2a436f8b18acd471c9180dd",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "authentik-nix",
"type": "github"
}
},
"authentik-src": {
"flake": false,
"locked": {
"lastModified": 1724339964,
"narHash": "sha256-QwK/auMLCJEHHtyexFnO+adCq/u0fezHQ90fXW9J4c4=",
"owner": "goauthentik",
"repo": "authentik",
"rev": "8a0b31b9227ca33b96c5448f185419f17090ed38",
"type": "github"
},
"original": {
"owner": "goauthentik",
"ref": "version/2024.6.4",
"repo": "authentik",
"type": "github"
}
},
"cachix": {
"inputs": {
"devenv": "devenv",
"flake-compat": "flake-compat_3",
"flake-compat": "flake-compat_4",
"nixpkgs": "nixpkgs_3",
"pre-commit-hooks": "pre-commit-hooks"
},
@ -105,8 +148,8 @@
"complement": "complement",
"crane": "crane_2",
"fenix": "fenix",
"flake-compat": "flake-compat_5",
"flake-utils": "flake-utils_3",
"flake-compat": "flake-compat_6",
"flake-utils": "flake-utils_4",
"liburing": "liburing",
"nix-filter": "nix-filter",
"nixpkgs": [
@ -218,7 +261,7 @@
],
"nix": "nix",
"nixpkgs": "nixpkgs_2",
"poetry2nix": "poetry2nix",
"poetry2nix": "poetry2nix_2",
"pre-commit-hooks": [
"conduwuit",
"cachix",
@ -268,11 +311,11 @@
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
@ -300,11 +343,11 @@
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
@ -330,6 +373,22 @@
}
},
"flake-compat_5": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_6": {
"flake": false,
"locked": {
"lastModified": 1696426674,
@ -346,7 +405,43 @@
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1722555600,
"narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "8471fe90ad337a8074e957b69ca4d0089218391d",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
@ -361,9 +456,9 @@
"type": "github"
}
},
"flake-utils_2": {
"flake-utils_3": {
"inputs": {
"systems": "systems"
"systems": "systems_3"
},
"locked": {
"lastModified": 1689068808,
@ -379,9 +474,9 @@
"type": "github"
}
},
"flake-utils_3": {
"flake-utils_4": {
"inputs": {
"systems": "systems_2"
"systems": "systems_4"
},
"locked": {
"lastModified": 1710146030,
@ -398,9 +493,9 @@
"type": "github"
}
},
"flake-utils_4": {
"flake-utils_5": {
"inputs": {
"systems": "systems_3"
"systems": "systems_5"
},
"locked": {
"lastModified": 1710146030,
@ -416,9 +511,9 @@
"type": "github"
}
},
"flake-utils_5": {
"flake-utils_6": {
"inputs": {
"systems": "systems_4"
"systems": "systems_6"
},
"locked": {
"lastModified": 1710146030,
@ -480,7 +575,7 @@
},
"homepage": {
"inputs": {
"flake-utils": "flake-utils_5",
"flake-utils": "flake-utils_6",
"nixpkgs": "nixpkgs_4"
},
"locked": {
@ -547,9 +642,34 @@
"type": "github"
}
},
"napalm": {
"inputs": {
"flake-utils": [
"authentik-nix",
"flake-utils"
],
"nixpkgs": [
"authentik-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1717929455,
"narHash": "sha256-BiI5xWygriOJuNISnGAeL0KYxrEMnjgpg+7wDskVBhI=",
"owner": "nix-community",
"repo": "napalm",
"rev": "e1babff744cd278b56abe8478008b4a9e23036cf",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "napalm",
"type": "github"
}
},
"nix": {
"inputs": {
"flake-compat": "flake-compat_2",
"flake-compat": "flake-compat_3",
"nixpkgs": [
"conduwuit",
"cachix",
@ -592,6 +712,28 @@
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
"authentik-nix",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703863825,
"narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "5163432afc817cf8bd1f031418d1869e4c9d5547",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nix-github-actions_2": {
"inputs": {
"nixpkgs": [
"conduwuit",
@ -664,6 +806,18 @@
"type": "github"
}
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1722555339,
"narHash": "sha256-uFf2QeW7eAHlYXuDktm9c25OxOyCoUOQmh5SZ9amE5Q=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz"
}
},
"nixpkgs-regression": {
"locked": {
"lastModified": 1643052045,
@ -791,8 +945,36 @@
},
"poetry2nix": {
"inputs": {
"flake-utils": "flake-utils_2",
"flake-utils": [
"authentik-nix",
"flake-utils"
],
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"authentik-nix",
"nixpkgs"
],
"systems": "systems_2",
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1724208502,
"narHash": "sha256-TCRcEPSfgAw/t7kClmlr23s591N06mQCrhzlAO7cyFw=",
"owner": "nix-community",
"repo": "poetry2nix",
"rev": "884b66152b0c625b8220b570a31dc7acc36749a3",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "poetry2nix",
"type": "github"
}
},
"poetry2nix_2": {
"inputs": {
"flake-utils": "flake-utils_3",
"nix-github-actions": "nix-github-actions_2",
"nixpkgs": [
"conduwuit",
"cachix",
@ -818,7 +1000,7 @@
},
"pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat_4",
"flake-compat": "flake-compat_5",
"gitignore": "gitignore",
"nixpkgs": [
"conduwuit",
@ -860,8 +1042,9 @@
},
"root": {
"inputs": {
"authentik-nix": "authentik-nix",
"conduwuit": "conduwuit",
"flake-utils": "flake-utils_4",
"flake-utils": "flake-utils_5",
"home-manager": "home-manager",
"homepage": "homepage",
"impermanence": "impermanence",
@ -913,9 +1096,8 @@
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
"id": "systems",
"type": "indirect"
}
},
"systems_3": {
@ -948,6 +1130,58 @@
"type": "github"
}
},
"systems_5": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_6": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"authentik-nix",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1719749022,
"narHash": "sha256-ddPKHcqaKCIFSFc/cvxS14goUhCOAwsM1PbMr0ZtHMg=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "8df5ff62195d4e67e2264df0b7f5e8c9995fd0bd",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"unstable": {
"locked": {
"lastModified": 1722185531,

6
flake.nix
View file

@ -26,6 +26,11 @@
url = "github:StarCitizenTools/mediawiki-skins-Citizen/v2.27.0";
flake = false;
};
authentik-nix = {
url = "github:nix-community/authentik-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = flakes @ {
@ -39,6 +44,7 @@
homepage,
conduwuit,
mediawikiSkinCitizen,
authentik-nix,
}: let
system = "x86_64-linux";

102
sys/srv/authentik.nix Normal file
View file

@ -0,0 +1,102 @@
{
lib,
pkgs,
flakes,
...
}:
with lib; {
imports = [flakes.authentik-nix.nixosModules.default];
options = {
services.nginx.virtualHosts = mkOption {
type = with lib.types;
attrsOf (
submodule
(
{config, ...}: {
options = {
enableAuthentik = mkOption {
default = false;
type = bool;
};
};
config = mkIf config.enableAuthentik {
extraConfig = ''
auth_request /outpost.goauthentik.io/auth/nginx;
error_page 401 = @goauthentik_proxy_signin;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
# translate headers from the outposts back to the actual upstream
auth_request_set $authentik_username $upstream_http_x_authentik_username;
auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
auth_request_set $authentik_email $upstream_http_x_authentik_email;
auth_request_set $authentik_name $upstream_http_x_authentik_name;
auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
proxy_set_header X-authentik-username $authentik_username;
proxy_set_header X-authentik-groups $authentik_groups;
proxy_set_header X-authentik-email $authentik_email;
proxy_set_header X-authentik-name $authentik_name;
proxy_set_header X-authentik-uid $authentik_uid;
proxy_redirect http:// $scheme://;
proxy_buffers 8 16k;
proxy_buffer_size 32k;
location /outpost.goauthentik.io {
proxy_pass http://auth.posixlycorrect.com/outpost.goauthentik.io;
# ensure the host of this vserver matches your external URL you've configured
# in authentik
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
add_header Set-Cookie $auth_cookie;
auth_request_set $auth_cookie $upstream_http_set_cookie;
# required for POST requests to work
proxy_pass_request_body off;
proxy_set_header Content-Length "";
}
location @goauthentik_proxy_signin {
internal;
add_header Set-Cookie $auth_cookie;
return 302 /outpost.goauthentik.io/start?rd=$request_uri;
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path
# return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
'';
};
}
)
);
};
};
config = {
services = {
authentik = {
enable = true;
environmentFile = "/var/trust/authentik/authentik-env";
nginx = {
enable = true;
enableACME = true;
host = "auth.posixlycorrect.com";
};
settings = {
email = {
host = "smtp.fastmail.com";
port = 587;
username = "fabianmontero@fastmail.com";
use_tls = true;
use_ssl = false;
from = "auth@posixlycorrect.com";
};
disable_startup_analytics = true;
avatars = "initials";
};
};
};
};
}

1
sys/srv/default.nix
View file

@ -17,5 +17,6 @@ with lib; {
./jellyfin.nix
./msmtp.nix
./kuma.nix
./authentik.nix
];
}

1
sys/srv/mediawiki.nix
View file

@ -10,6 +10,7 @@ with lib; {
virtualHosts."wiki.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
enableAuthentik = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;