now we have to make jitsi work

works!
wip
2024-08-27 14:54:51 -06:00 · 2024-08-25 14:47:29 -06:00 · 2024-08-25 04:37:33 -06:00
6 changed files with 380 additions and 56 deletions
--- a/flake.lock
+++ b/flake.lock
@ -3,8 +3,8 @@
    "attic": {
      "inputs": {
        "crane": "crane",
-        "flake-compat": "flake-compat",
-        "flake-utils": "flake-utils",
+        "flake-compat": "flake-compat_2",
+        "flake-utils": "flake-utils_2",
        "nixpkgs": "nixpkgs",
        "nixpkgs-stable": "nixpkgs-stable"
      },
@ -23,10 +23,53 @@
        "type": "github"
      }
    },
+    "authentik-nix": {
+      "inputs": {
+        "authentik-src": "authentik-src",
+        "flake-compat": "flake-compat",
+        "flake-parts": "flake-parts",
+        "flake-utils": "flake-utils",
+        "napalm": "napalm",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "poetry2nix": "poetry2nix"
+      },
+      "locked": {
+        "lastModified": 1724362025,
+        "narHash": "sha256-/fzIU/Hjgksy7A4ji09zK6cH7ATQV5rAEYb/wgBw8x8=",
+        "owner": "nix-community",
+        "repo": "authentik-nix",
+        "rev": "39cf62b92149800dd2a436f8b18acd471c9180dd",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "authentik-nix",
+        "type": "github"
+      }
+    },
+    "authentik-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1724339964,
+        "narHash": "sha256-QwK/auMLCJEHHtyexFnO+adCq/u0fezHQ90fXW9J4c4=",
+        "owner": "goauthentik",
+        "repo": "authentik",
+        "rev": "8a0b31b9227ca33b96c5448f185419f17090ed38",
+        "type": "github"
+      },
+      "original": {
+        "owner": "goauthentik",
+        "ref": "version/2024.6.4",
+        "repo": "authentik",
+        "type": "github"
+      }
+    },
    "cachix": {
      "inputs": {
        "devenv": "devenv",
-        "flake-compat": "flake-compat_3",
+        "flake-compat": "flake-compat_4",
        "nixpkgs": "nixpkgs_3",
        "pre-commit-hooks": "pre-commit-hooks"
      },
@ -105,8 +148,8 @@
        "complement": "complement",
        "crane": "crane_2",
        "fenix": "fenix",
-        "flake-compat": "flake-compat_5",
-        "flake-utils": "flake-utils_3",
+        "flake-compat": "flake-compat_6",
+        "flake-utils": "flake-utils_4",
        "liburing": "liburing",
        "nix-filter": "nix-filter",
        "nixpkgs": [
@ -218,7 +261,7 @@
        ],
        "nix": "nix",
        "nixpkgs": "nixpkgs_2",
-        "poetry2nix": "poetry2nix",
+        "poetry2nix": "poetry2nix_2",
        "pre-commit-hooks": [
          "conduwuit",
          "cachix",
@ -268,11 +311,11 @@
    "flake-compat": {
      "flake": false,
      "locked": {
-        "lastModified": 1673956053,
-        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
        "type": "github"
      },
      "original": {
@ -300,11 +343,11 @@
    "flake-compat_3": {
      "flake": false,
      "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "lastModified": 1673956053,
+        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
        "type": "github"
      },
      "original": {
@ -330,6 +373,22 @@
      }
    },
    "flake-compat_5": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_6": {
      "flake": false,
      "locked": {
        "lastModified": 1696426674,
@ -346,7 +405,43 @@
        "type": "github"
      }
    },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": "nixpkgs-lib"
+      },
+      "locked": {
+        "lastModified": 1722555600,
+        "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "8471fe90ad337a8074e957b69ca4d0089218391d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_2": {
      "locked": {
        "lastModified": 1667395993,
        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
@ -361,9 +456,9 @@
        "type": "github"
      }
    },
-    "flake-utils_2": {
+    "flake-utils_3": {
      "inputs": {
-        "systems": "systems"
+        "systems": "systems_3"
      },
      "locked": {
        "lastModified": 1689068808,
@ -379,9 +474,9 @@
        "type": "github"
      }
    },
-    "flake-utils_3": {
+    "flake-utils_4": {
      "inputs": {
-        "systems": "systems_2"
+        "systems": "systems_4"
      },
      "locked": {
        "lastModified": 1710146030,
@ -398,9 +493,9 @@
        "type": "github"
      }
    },
-    "flake-utils_4": {
+    "flake-utils_5": {
      "inputs": {
-        "systems": "systems_3"
+        "systems": "systems_5"
      },
      "locked": {
        "lastModified": 1710146030,
@ -416,9 +511,9 @@
        "type": "github"
      }
    },
-    "flake-utils_5": {
+    "flake-utils_6": {
      "inputs": {
-        "systems": "systems_4"
+        "systems": "systems_6"
      },
      "locked": {
        "lastModified": 1710146030,
@ -480,7 +575,7 @@
    },
    "homepage": {
      "inputs": {
-        "flake-utils": "flake-utils_5",
+        "flake-utils": "flake-utils_6",
        "nixpkgs": "nixpkgs_4"
      },
      "locked": {
@ -547,9 +642,34 @@
        "type": "github"
      }
    },
+    "napalm": {
+      "inputs": {
+        "flake-utils": [
+          "authentik-nix",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "authentik-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1717929455,
+        "narHash": "sha256-BiI5xWygriOJuNISnGAeL0KYxrEMnjgpg+7wDskVBhI=",
+        "owner": "nix-community",
+        "repo": "napalm",
+        "rev": "e1babff744cd278b56abe8478008b4a9e23036cf",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "napalm",
+        "type": "github"
+      }
+    },
    "nix": {
      "inputs": {
-        "flake-compat": "flake-compat_2",
+        "flake-compat": "flake-compat_3",
        "nixpkgs": [
          "conduwuit",
          "cachix",
@ -592,6 +712,28 @@
      }
    },
    "nix-github-actions": {
+      "inputs": {
+        "nixpkgs": [
+          "authentik-nix",
+          "poetry2nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1703863825,
+        "narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=",
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "rev": "5163432afc817cf8bd1f031418d1869e4c9d5547",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "type": "github"
+      }
+    },
+    "nix-github-actions_2": {
      "inputs": {
        "nixpkgs": [
          "conduwuit",
@ -664,6 +806,18 @@
        "type": "github"
      }
    },
+    "nixpkgs-lib": {
+      "locked": {
+        "lastModified": 1722555339,
+        "narHash": "sha256-uFf2QeW7eAHlYXuDktm9c25OxOyCoUOQmh5SZ9amE5Q=",
+        "type": "tarball",
+        "url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz"
+      }
+    },
    "nixpkgs-regression": {
      "locked": {
        "lastModified": 1643052045,
@ -791,8 +945,36 @@
    },
    "poetry2nix": {
      "inputs": {
-        "flake-utils": "flake-utils_2",
+        "flake-utils": [
+          "authentik-nix",
+          "flake-utils"
+        ],
        "nix-github-actions": "nix-github-actions",
+        "nixpkgs": [
+          "authentik-nix",
+          "nixpkgs"
+        ],
+        "systems": "systems_2",
+        "treefmt-nix": "treefmt-nix"
+      },
+      "locked": {
+        "lastModified": 1724208502,
+        "narHash": "sha256-TCRcEPSfgAw/t7kClmlr23s591N06mQCrhzlAO7cyFw=",
+        "owner": "nix-community",
+        "repo": "poetry2nix",
+        "rev": "884b66152b0c625b8220b570a31dc7acc36749a3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "poetry2nix",
+        "type": "github"
+      }
+    },
+    "poetry2nix_2": {
+      "inputs": {
+        "flake-utils": "flake-utils_3",
+        "nix-github-actions": "nix-github-actions_2",
        "nixpkgs": [
          "conduwuit",
          "cachix",
@ -818,7 +1000,7 @@
    },
    "pre-commit-hooks": {
      "inputs": {
-        "flake-compat": "flake-compat_4",
+        "flake-compat": "flake-compat_5",
        "gitignore": "gitignore",
        "nixpkgs": [
          "conduwuit",
@ -860,8 +1042,9 @@
    },
    "root": {
      "inputs": {
+        "authentik-nix": "authentik-nix",
        "conduwuit": "conduwuit",
-        "flake-utils": "flake-utils_4",
+        "flake-utils": "flake-utils_5",
        "home-manager": "home-manager",
        "homepage": "homepage",
        "impermanence": "impermanence",
@ -913,9 +1096,8 @@
        "type": "github"
      },
      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
+        "id": "systems",
+        "type": "indirect"
      }
    },
    "systems_3": {
@ -948,6 +1130,58 @@
        "type": "github"
      }
    },
+    "systems_5": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_6": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "treefmt-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "authentik-nix",
+          "poetry2nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1719749022,
+        "narHash": "sha256-ddPKHcqaKCIFSFc/cvxS14goUhCOAwsM1PbMr0ZtHMg=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "8df5ff62195d4e67e2264df0b7f5e8c9995fd0bd",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
+    },
    "unstable": {
      "locked": {
        "lastModified": 1722185531,
--- a/flake.nix
+++ b/flake.nix
@ -26,6 +26,11 @@
      url = "github:StarCitizenTools/mediawiki-skins-Citizen/v2.27.0";
      flake = false;
    };
+
+    authentik-nix = {
+      url = "github:nix-community/authentik-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
  };

  outputs = flakes @ {
@ -39,6 +44,7 @@
    homepage,
    conduwuit,
    mediawikiSkinCitizen,
+    authentik-nix,
  }: let
    system = "x86_64-linux";

--- a/pki/gatekeeper_ca.pem
+++ b/pki/gatekeeper_ca.pem
@ -1,21 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIDijCCAnKgAwIBAgIUQCBAoFSQrYx063PnK3XKiOJSpvQwDQYJKoZIhvcNAQEL
-BQAwKzEpMCcGA1UEAwwgcG9zaXhseWNvcnJlY3QuY29tIGdhdGVrZWVwZXIgQ0Ew
-HhcNMjQwODAyMDcxNzE4WhcNMzQwNzMxMDcxNzE4WjArMSkwJwYDVQQDDCBwb3Np
-eGx5Y29ycmVjdC5jb20gZ2F0ZWtlZXBlciBDQTCCASIwDQYJKoZIhvcNAQEBBQAD
-ggEPADCCAQoCggEBAKxjqIpRxIu2yPejUbyMixZACESrbmIGOhhxwUu1ys6aYPOZ
-7yQMs5xuJXcgCuD7Oba1eBi+CpLhyvgZlyLrCfxoCzTdAeeXq0EB7YUn8IYEN3dR
-e+yds//zkjRzbXAaIbUoAF8XaXgylOSIXLNrh0TTjNscC+TPYvKSbaDhdICOZ1ky
-u08w5QdOoi1W8FNJd4LKIKWQZW3dMeNaBbKnt9R4mjL28tE5gP6ZYUvcCIoqYAbE
-DSNq29lXsmDzbD914bN5wYoTP3A+k8QG6eYGb10YgaaJ0TBxeLzadVBq7gFylMt3
-1LTNmH/v+l73IYfiDV4O3d33cg0VOKqiD48WCnkCAwEAAaOBpTCBojAMBgNVHRME
-BTADAQH/MB0GA1UdDgQWBBStVj4YoMTnD+XZ+doBI7Ao17Gg3DBmBgNVHSMEXzBd
-gBStVj4YoMTnD+XZ+doBI7Ao17Gg3KEvpC0wKzEpMCcGA1UEAwwgcG9zaXhseWNv
-cnJlY3QuY29tIGdhdGVrZWVwZXIgQ0GCFEAgQKBUkK2MdOtz5yt1yojiUqb0MAsG
-A1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAZgbpPdkhAbrbA7Y63WI2Bo26
-tPVCZpsEKiwpyEbDDC+NVrbOit1kQg/j26RuXLDVg19IfXk407FVFVGYVJNE+kXt
-KjyKCGyyZUBQRebCN8kzFsCQ/AJSfzNKQhEK68rchSH66mbjtOtItkdVZRnq0pWI
-7WXlTIxK8KTcAx2V/ijyalCENUpwRWfM4Qnkqsi82Dx9e8V0TRCLomW7IQok4dre
-F6IolUHw9ZuSC10/T8n8+riqWBWEisBGLz79OrdETdHK9A5gpNHRF+sO9JAhVr/t
-exBWTEJ33BeI0NX87d0Pneun4nss5FsLst+Ut7Y0F2QF2Iar1iERUalHVIjCtA==
-----END CERTIFICATE-----
--- a/sys/srv/authentik.nix
+++ b/sys/srv/authentik.nix
@ -0,0 +1,110 @@
+{
+  lib,
+  pkgs,
+  flakes,
+  ...
+}:
+with lib; {
+  imports = [flakes.authentik-nix.nixosModules.default];
+
+  options = {
+    services.nginx.virtualHosts = mkOption {
+      type = with lib.types;
+        attrsOf (
+          submodule
+          (
+            {config, ...}: {
+              options = {
+                enableAuthentik = mkOption {
+                  default = false;
+                  type = bool;
+                };
+                locations = mkOption {
+                  type = attrsOf (
+                    submodule {
+                      config = mkIf config.enableAuthentik {
+                        extraConfig = ''
+                          auth_request        /outpost.goauthentik.io/auth/nginx;
+                          error_page          401 = @goauthentik_proxy_signin;
+                          auth_request_set $auth_cookie $upstream_http_set_cookie;
+                          add_header Set-Cookie $auth_cookie;
+
+                          # translate headers from the outposts back to the actual upstream
+                          auth_request_set $authentik_username $upstream_http_x_authentik_username;
+                          auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
+                          auth_request_set $authentik_email $upstream_http_x_authentik_email;
+                          auth_request_set $authentik_name $upstream_http_x_authentik_name;
+                          auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
+
+                          proxy_set_header X-authentik-username $authentik_username;
+                          proxy_set_header X-authentik-groups $authentik_groups;
+                          proxy_set_header X-authentik-email $authentik_email;
+                          proxy_set_header X-authentik-name $authentik_name;
+                          proxy_set_header X-authentik-uid $authentik_uid;
+                        '';
+                      };
+                    }
+                  );
+                };
+              };
+              config = mkIf config.enableAuthentik {
+                extraConfig = ''
+                  proxy_buffers 8 16k;
+                  proxy_buffer_size 32k;
+
+                  location /outpost.goauthentik.io {
+                    proxy_pass          http://localhost:9000/outpost.goauthentik.io;
+                    # ensure the host of this vserver matches your external URL you've configured
+                    # in authentik
+                    proxy_set_header    Host $host;
+                    proxy_redirect      http://localhost:9000 https://auth.posixlycorrect.com;
+                    proxy_set_header    X-Original-URL $scheme://$http_host$request_uri;
+                    add_header          Set-Cookie $auth_cookie;
+                    auth_request_set    $auth_cookie $upstream_http_set_cookie;
+
+                    # required for POST requests to work
+                    proxy_pass_request_body off;
+                    proxy_set_header Content-Length "";
+                  }
+
+                  location @goauthentik_proxy_signin {
+                    internal;
+                    add_header Set-Cookie $auth_cookie;
+                    return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
+                    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
+                    # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
+                  }
+                '';
+              };
+            }
+          )
+        );
+    };
+  };
+
+  config = {
+    services = {
+      authentik = {
+        enable = true;
+        environmentFile = "/var/trust/authentik/authentik-env";
+        nginx = {
+          enable = true;
+          enableACME = true;
+          host = "auth.posixlycorrect.com";
+        };
+        settings = {
+          email = {
+            host = "smtp.fastmail.com";
+            port = 587;
+            username = "fabianmontero@fastmail.com";
+            use_tls = true;
+            use_ssl = false;
+            from = "auth@posixlycorrect.com";
+          };
+          disable_startup_analytics = true;
+          avatars = "initials";
+        };
+      };
+    };
+  };
+}
--- a/sys/srv/default.nix
+++ b/sys/srv/default.nix
@ -17,5 +17,6 @@ with lib; {
    ./jellyfin.nix
    ./msmtp.nix
    ./kuma.nix
+    ./authentik.nix
  ];
 }
--- a/sys/srv/jitsi.nix
+++ b/sys/srv/jitsi.nix
@ -9,16 +9,10 @@ with lib; {
      virtualHosts."meet.posixlycorrect.com" = {
        enableACME = true;
        forceSSL = true;
+        enableAuthentik = false;
        extraConfig = ''
          proxy_headers_hash_max_size 512;
          proxy_headers_hash_bucket_size 128;
-
-            ssl_verify_depth 1;
-            ssl_verify_client on;
-            ssl_client_certificate ${../../pki/gatekeeper_ca.pem};
-            if ($ssl_client_verify != "SUCCESS") {
-              return 403;
-            }
        '';
      };
    };
Author	SHA1	Message	Date
Fabian Montero	ff24142579	now we have to make jitsi work	2024-08-27 14:54:51 -06:00
Fabian Montero	167c519a25	works!	2024-08-25 14:47:29 -06:00
Fabian Montero	8c4a28b66d	wip	2024-08-25 04:37:33 -06:00