From 8c4a28b66d1b41c2f1246518c8cc2c3a0b3868d0 Mon Sep 17 00:00:00 2001 From: Fabian Montero Date: Sun, 25 Aug 2024 04:37:33 -0600 Subject: [PATCH] wip --- flake.lock | 290 ++++++++++++++++++++++++++++++++++++++---- flake.nix | 6 + sys/srv/authentik.nix | 102 +++++++++++++++ sys/srv/default.nix | 1 + sys/srv/mediawiki.nix | 1 + 5 files changed, 372 insertions(+), 28 deletions(-) create mode 100644 sys/srv/authentik.nix diff --git a/flake.lock b/flake.lock index 2c903d7..3fd9fa3 100644 --- a/flake.lock +++ b/flake.lock @@ -3,8 +3,8 @@ "attic": { "inputs": { "crane": "crane", - "flake-compat": "flake-compat", - "flake-utils": "flake-utils", + "flake-compat": "flake-compat_2", + "flake-utils": "flake-utils_2", "nixpkgs": "nixpkgs", "nixpkgs-stable": "nixpkgs-stable" }, @@ -23,10 +23,53 @@ "type": "github" } }, + "authentik-nix": { + "inputs": { + "authentik-src": "authentik-src", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "flake-utils": "flake-utils", + "napalm": "napalm", + "nixpkgs": [ + "nixpkgs" + ], + "poetry2nix": "poetry2nix" + }, + "locked": { + "lastModified": 1724362025, + "narHash": "sha256-/fzIU/Hjgksy7A4ji09zK6cH7ATQV5rAEYb/wgBw8x8=", + "owner": "nix-community", + "repo": "authentik-nix", + "rev": "39cf62b92149800dd2a436f8b18acd471c9180dd", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "authentik-nix", + "type": "github" + } + }, + "authentik-src": { + "flake": false, + "locked": { + "lastModified": 1724339964, + "narHash": "sha256-QwK/auMLCJEHHtyexFnO+adCq/u0fezHQ90fXW9J4c4=", + "owner": "goauthentik", + "repo": "authentik", + "rev": "8a0b31b9227ca33b96c5448f185419f17090ed38", + "type": "github" + }, + "original": { + "owner": "goauthentik", + "ref": "version/2024.6.4", + "repo": "authentik", + "type": "github" + } + }, "cachix": { "inputs": { "devenv": "devenv", - "flake-compat": "flake-compat_3", + "flake-compat": "flake-compat_4", "nixpkgs": "nixpkgs_3", "pre-commit-hooks": "pre-commit-hooks" }, @@ -105,8 +148,8 @@ "complement": "complement", "crane": "crane_2", "fenix": "fenix", - "flake-compat": "flake-compat_5", - "flake-utils": "flake-utils_3", + "flake-compat": "flake-compat_6", + "flake-utils": "flake-utils_4", "liburing": "liburing", "nix-filter": "nix-filter", "nixpkgs": [ @@ -218,7 +261,7 @@ ], "nix": "nix", "nixpkgs": "nixpkgs_2", - "poetry2nix": "poetry2nix", + "poetry2nix": "poetry2nix_2", "pre-commit-hooks": [ "conduwuit", "cachix", @@ -268,11 +311,11 @@ "flake-compat": { "flake": false, "locked": { - "lastModified": 1673956053, - "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", "owner": "edolstra", "repo": "flake-compat", - "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", "type": "github" }, "original": { @@ -300,11 +343,11 @@ "flake-compat_3": { "flake": false, "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", "owner": "edolstra", "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", "type": "github" }, "original": { @@ -330,6 +373,22 @@ } }, "flake-compat_5": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_6": { "flake": false, "locked": { "lastModified": 1696426674, @@ -346,7 +405,43 @@ "type": "github" } }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1722555600, + "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { "locked": { "lastModified": 1667395993, "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", @@ -361,9 +456,9 @@ "type": "github" } }, - "flake-utils_2": { + "flake-utils_3": { "inputs": { - "systems": "systems" + "systems": "systems_3" }, "locked": { "lastModified": 1689068808, @@ -379,9 +474,9 @@ "type": "github" } }, - "flake-utils_3": { + "flake-utils_4": { "inputs": { - "systems": "systems_2" + "systems": "systems_4" }, "locked": { "lastModified": 1710146030, @@ -398,9 +493,9 @@ "type": "github" } }, - "flake-utils_4": { + "flake-utils_5": { "inputs": { - "systems": "systems_3" + "systems": "systems_5" }, "locked": { "lastModified": 1710146030, @@ -416,9 +511,9 @@ "type": "github" } }, - "flake-utils_5": { + "flake-utils_6": { "inputs": { - "systems": "systems_4" + "systems": "systems_6" }, "locked": { "lastModified": 1710146030, @@ -480,7 +575,7 @@ }, "homepage": { "inputs": { - "flake-utils": "flake-utils_5", + "flake-utils": "flake-utils_6", "nixpkgs": "nixpkgs_4" }, "locked": { @@ -547,9 +642,34 @@ "type": "github" } }, + "napalm": { + "inputs": { + "flake-utils": [ + "authentik-nix", + "flake-utils" + ], + "nixpkgs": [ + "authentik-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1717929455, + "narHash": "sha256-BiI5xWygriOJuNISnGAeL0KYxrEMnjgpg+7wDskVBhI=", + "owner": "nix-community", + "repo": "napalm", + "rev": "e1babff744cd278b56abe8478008b4a9e23036cf", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "napalm", + "type": "github" + } + }, "nix": { "inputs": { - "flake-compat": "flake-compat_2", + "flake-compat": "flake-compat_3", "nixpkgs": [ "conduwuit", "cachix", @@ -592,6 +712,28 @@ } }, "nix-github-actions": { + "inputs": { + "nixpkgs": [ + "authentik-nix", + "poetry2nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703863825, + "narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=", + "owner": "nix-community", + "repo": "nix-github-actions", + "rev": "5163432afc817cf8bd1f031418d1869e4c9d5547", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-github-actions", + "type": "github" + } + }, + "nix-github-actions_2": { "inputs": { "nixpkgs": [ "conduwuit", @@ -664,6 +806,18 @@ "type": "github" } }, + "nixpkgs-lib": { + "locked": { + "lastModified": 1722555339, + "narHash": "sha256-uFf2QeW7eAHlYXuDktm9c25OxOyCoUOQmh5SZ9amE5Q=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz" + } + }, "nixpkgs-regression": { "locked": { "lastModified": 1643052045, @@ -791,8 +945,36 @@ }, "poetry2nix": { "inputs": { - "flake-utils": "flake-utils_2", + "flake-utils": [ + "authentik-nix", + "flake-utils" + ], "nix-github-actions": "nix-github-actions", + "nixpkgs": [ + "authentik-nix", + "nixpkgs" + ], + "systems": "systems_2", + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1724208502, + "narHash": "sha256-TCRcEPSfgAw/t7kClmlr23s591N06mQCrhzlAO7cyFw=", + "owner": "nix-community", + "repo": "poetry2nix", + "rev": "884b66152b0c625b8220b570a31dc7acc36749a3", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "poetry2nix", + "type": "github" + } + }, + "poetry2nix_2": { + "inputs": { + "flake-utils": "flake-utils_3", + "nix-github-actions": "nix-github-actions_2", "nixpkgs": [ "conduwuit", "cachix", @@ -818,7 +1000,7 @@ }, "pre-commit-hooks": { "inputs": { - "flake-compat": "flake-compat_4", + "flake-compat": "flake-compat_5", "gitignore": "gitignore", "nixpkgs": [ "conduwuit", @@ -860,8 +1042,9 @@ }, "root": { "inputs": { + "authentik-nix": "authentik-nix", "conduwuit": "conduwuit", - "flake-utils": "flake-utils_4", + "flake-utils": "flake-utils_5", "home-manager": "home-manager", "homepage": "homepage", "impermanence": "impermanence", @@ -913,9 +1096,8 @@ "type": "github" }, "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" + "id": "systems", + "type": "indirect" } }, "systems_3": { @@ -948,6 +1130,58 @@ "type": "github" } }, + "systems_5": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_6": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "authentik-nix", + "poetry2nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719749022, + "narHash": "sha256-ddPKHcqaKCIFSFc/cvxS14goUhCOAwsM1PbMr0ZtHMg=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "8df5ff62195d4e67e2264df0b7f5e8c9995fd0bd", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, "unstable": { "locked": { "lastModified": 1722185531, diff --git a/flake.nix b/flake.nix index 4560147..13dac98 100644 --- a/flake.nix +++ b/flake.nix @@ -26,6 +26,11 @@ url = "github:StarCitizenTools/mediawiki-skins-Citizen/v2.27.0"; flake = false; }; + + authentik-nix = { + url = "github:nix-community/authentik-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = flakes @ { @@ -39,6 +44,7 @@ homepage, conduwuit, mediawikiSkinCitizen, + authentik-nix, }: let system = "x86_64-linux"; diff --git a/sys/srv/authentik.nix b/sys/srv/authentik.nix new file mode 100644 index 0000000..bc7e1e6 --- /dev/null +++ b/sys/srv/authentik.nix @@ -0,0 +1,102 @@ +{ + lib, + pkgs, + flakes, + ... +}: +with lib; { + imports = [flakes.authentik-nix.nixosModules.default]; + + options = { + services.nginx.virtualHosts = mkOption { + type = with lib.types; + attrsOf ( + submodule + ( + {config, ...}: { + options = { + enableAuthentik = mkOption { + default = false; + type = bool; + }; + }; + config = mkIf config.enableAuthentik { + extraConfig = '' + auth_request /outpost.goauthentik.io/auth/nginx; + error_page 401 = @goauthentik_proxy_signin; + auth_request_set $auth_cookie $upstream_http_set_cookie; + add_header Set-Cookie $auth_cookie; + + # translate headers from the outposts back to the actual upstream + auth_request_set $authentik_username $upstream_http_x_authentik_username; + auth_request_set $authentik_groups $upstream_http_x_authentik_groups; + auth_request_set $authentik_email $upstream_http_x_authentik_email; + auth_request_set $authentik_name $upstream_http_x_authentik_name; + auth_request_set $authentik_uid $upstream_http_x_authentik_uid; + + proxy_set_header X-authentik-username $authentik_username; + proxy_set_header X-authentik-groups $authentik_groups; + proxy_set_header X-authentik-email $authentik_email; + proxy_set_header X-authentik-name $authentik_name; + proxy_set_header X-authentik-uid $authentik_uid; + + proxy_redirect http:// $scheme://; + + proxy_buffers 8 16k; + proxy_buffer_size 32k; + + location /outpost.goauthentik.io { + proxy_pass http://auth.posixlycorrect.com/outpost.goauthentik.io; + # ensure the host of this vserver matches your external URL you've configured + # in authentik + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Original-URL $scheme://$http_host$request_uri; + add_header Set-Cookie $auth_cookie; + auth_request_set $auth_cookie $upstream_http_set_cookie; + + # required for POST requests to work + proxy_pass_request_body off; + proxy_set_header Content-Length ""; + } + + location @goauthentik_proxy_signin { + internal; + add_header Set-Cookie $auth_cookie; + return 302 /outpost.goauthentik.io/start?rd=$request_uri; + # For domain level, use the below error_page to redirect to your authentik server with the full redirect path + # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri; + } + ''; + }; + } + ) + ); + }; + }; + + config = { + services = { + authentik = { + enable = true; + environmentFile = "/var/trust/authentik/authentik-env"; + nginx = { + enable = true; + enableACME = true; + host = "auth.posixlycorrect.com"; + }; + settings = { + email = { + host = "smtp.fastmail.com"; + port = 587; + username = "fabianmontero@fastmail.com"; + use_tls = true; + use_ssl = false; + from = "auth@posixlycorrect.com"; + }; + disable_startup_analytics = true; + avatars = "initials"; + }; + }; + }; + }; +} diff --git a/sys/srv/default.nix b/sys/srv/default.nix index 61ccd14..4b02f44 100644 --- a/sys/srv/default.nix +++ b/sys/srv/default.nix @@ -17,5 +17,6 @@ with lib; { ./jellyfin.nix ./msmtp.nix ./kuma.nix + ./authentik.nix ]; } diff --git a/sys/srv/mediawiki.nix b/sys/srv/mediawiki.nix index d07bd80..03f16e0 100644 --- a/sys/srv/mediawiki.nix +++ b/sys/srv/mediawiki.nix @@ -10,6 +10,7 @@ with lib; { virtualHosts."wiki.posixlycorrect.com" = { enableACME = true; forceSSL = true; + enableAuthentik = true; extraConfig = '' proxy_headers_hash_max_size 512; proxy_headers_hash_bucket_size 128;