Arion: Add Authentik

This commit is contained in:
GHOSCHT 2024-05-03 12:19:03 +02:00
parent 184495ae51
commit 311ae93432
Signed by: ghoscht
GPG key ID: 2C2C1C62A5388E82
6 changed files with 199 additions and 2 deletions

View file

@ -0,0 +1,129 @@
{pkgs, ...}: let
authentikImage = "ghcr.io/goauthentik/server:2024.4.1";
in {
project.name = "auth";
networks.dmz = {
name = "dmz";
external = true;
};
networks.internal = {};
services = {
authentik.service = {
image = authentikImage;
container_name = "authentik";
labels = {
"traefik.enable" = "true";
"traefik.http.services.authentik.loadbalancer.server.port" = "9000";
"traefik.http.routers.authentik.service" = "authentik";
"traefik.http.routers.authentik.rule" = "Host(`auth.ghoscht.com`)";
"traefik.http.routers.authentik.entrypoints" = "websecure";
"traefik.http.routers.authentik.tls" = "true";
"traefik.http.routers.authentik.tls.certresolver" = "letsencrypt";
"traefik.http.services.authentik-external.loadbalancer.server.port" = "9000";
"traefik.http.routers.authentik-external.service" = "authentik-external";
"traefik.http.routers.authentik-external.rule" = "Host(`auth.ghoscht.com`)";
"traefik.http.routers.authentik-external.entrypoints" = "websecure-external";
"traefik.http.routers.authentik-external.tls" = "true";
"traefik.http.routers.authentik-external.tls.certresolver" = "letsencrypt";
};
command = "server";
environment = {
AUTHENTIK_REDIS__HOST = "redis";
AUTHENTIK_POSTGRESQL__HOST = "postgres";
AUTHENTIK_ERROR_REPORTING__ENABLED = "true";
};
env_file = [
"/home/ghoscht/.docker/auth/authentik.env"
];
dns = ["1.1.1.1"];
restart = "always";
depends_on = {
redis = {condition = "service_healthy";};
postgres = {condition = "service_healthy";};
};
volumes = [
"/storage/dataset/docker/auth/authentik_media:/media"
"/storage/dataset/docker/auth/authentik_custom_templates:/templates"
];
networks = [
"dmz"
"internal"
];
};
worker.service = {
image = authentikImage;
command = "worker";
environment = {
AUTHENTIK_REDIS__HOST = "redis";
AUTHENTIK_POSTGRESQL__HOST = "postgres";
AUTHENTIK_ERROR_REPORTING__ENABLED = "true";
};
env_file = [
"/home/ghoscht/.docker/auth/authentik.env"
];
dns = ["1.1.1.1"];
depends_on = {
redis = {condition = "service_healthy";};
postgres = {condition = "service_healthy";};
};
volumes = [
"/var/run/docker.sock:/var/run/docker.sock"
"/storage/dataset/docker/auth/authentik_media:/media"
"/storage/dataset/docker/auth/authentik_custom_templates:/templates"
];
restart = "always";
user = "root";
networks = [
"internal"
];
};
redis.service = {
image = "redis:7.2.4";
command = "--save 60 1 --loglevel warning";
healthcheck = {
test = [
"CMD-SHELL"
"redis-cli ping | grep PONG"
];
start_period = "20s";
interval = "30s";
retries = 5;
timeout = "5s";
};
restart = "always";
volumes = [
"/storage/dataset/docker/auth/redis_data:/data"
];
networks = [
"internal"
];
};
postgres.service = {
image = "postgres:12.18";
restart = "always";
env_file = [
"/home/ghoscht/.docker/auth/postgres.env"
];
volumes = [
"/storage/dataset/docker/auth/postgres_data:/var/lib/postgresql/data"
];
healthcheck = {
test = [
"CMD-SHELL"
"pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"
];
start_period = "20s";
interval = "30s";
retries = 5;
timeout = "5s";
};
networks = [
"internal"
];
};
};
}

View file

@ -0,0 +1,6 @@
# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
import <nixpkgs> {
# We specify the architecture explicitly. Use a Linux remote builder when
# calling arion from other platforms.
system = "x86_64-linux";
}

View file

@ -0,0 +1,45 @@
{config, ...}: let
vars = import ../../../../vars.nix;
in {
virtualisation.arion = {
projects.auth.settings = {
imports = [./arion-compose.nix];
};
};
sops.secrets."auth/postgres_db" = {
owner = vars.user;
};
sops.secrets."auth/postgres_user" = {
owner = vars.user;
};
sops.secrets."auth/postgres_pw" = {
owner = vars.user;
};
sops.secrets."auth/authentik_secret_key" = {
owner = vars.user;
};
sops.templates."postgres.env" = {
path = "/home/${vars.user}/.docker/auth/postgres.env";
owner = vars.user;
mode = "0775";
content = ''
POSTGRES_PASSWORD="${config.sops.placeholder."auth/postgres_pw"}"
POSTGRES_USER="${config.sops.placeholder."auth/postgres_user"}"
POSTGRES_DB="${config.sops.placeholder."auth/postgres_db"}"
'';
};
sops.templates."authentik.env" = {
path = "/home/${vars.user}/.docker/auth/authentik.env";
owner = vars.user;
mode = "0775";
content = ''
AUTHENTIK_POSTGRESQL__PASSWORD="${config.sops.placeholder."auth/postgres_pw"}"
AUTHENTIK_POSTGRESQL__USER="${config.sops.placeholder."auth/postgres_user"}"
AUTHENTIK_POSTGRESQL__NAME="${config.sops.placeholder."auth/postgres_db"}"
AUTHENTIK_SECRET_KEY="${config.sops.placeholder."auth/authentik_secret_key"}"
'';
};
}

View file

@ -20,6 +20,7 @@
./feed
./matrix
./headscale
./auth
];
environment.systemPackages = with pkgs; [arion];

View file

@ -186,6 +186,17 @@ in {
- arion -f ${arionPath}/headscale/arion-compose.nix -p ${arionPath}/headscale/arion-pkgs.nix stop
after:
- arion -f ${arionPath}/headscale/arion-compose.nix -p ${arionPath}/headscale/arion-pkgs.nix start
auth:
from: /storage/dataset/docker/auth
to:
- zfs
- eustachius
cron: '0 4 * * 0' # Every Sunday at 4:00
hooks:
before:
- arion -f ${arionPath}/auth/arion-compose.nix -p ${arionPath}/auth/arion-pkgs.nix stop
after:
- arion -f ${arionPath}/auth/arion-compose.nix -p ${arionPath}/auth/arion-pkgs.nix start
backends:
zfs:
type: local

View file

@ -37,6 +37,11 @@ matrix:
postgres_password: ENC[AES256_GCM,data:sKlU4HKDDNERv4LZK9/M2+kvnNht1uxQ7+pQSIZWPkk=,iv:fD98XPUMjo+eZOmE/cVOh5TFkmTY/KDCjfZcf5fSWOg=,tag:B5zsxgjvs7+czDWcCst/eg==,type:str]
dyndns:
cloudflare_api_key: ENC[AES256_GCM,data:O8biURYpw+joKm5A+7E9ARKlFRcnwFaqrbLPHevOXvYTFED1NdMSGQ==,iv:Vm1DreqdaFd1owN7zci242gzpGEZqE57Yn9XAzVxXoQ=,tag:KdQtVvZCypAYIghtuM5kjw==,type:str]
auth:
postgres_db: ENC[AES256_GCM,data:zRDkvA5+p57YMW/J,iv:2LQ5f+uZ15rd6b+c/z9iaVrRNrtMnjj411guxzOke+c=,tag:5VgnajLXvte6FHKNM+mRsw==,type:str]
postgres_user: ENC[AES256_GCM,data:Cuw3XEY419FOoguYvyQ=,iv:spERtcJschAfYKjH2W5mgcDbPM2O3GT39lCbcfSK60Y=,tag:nT2LOywbjtSIqSiyPgA2Mw==,type:str]
postgres_pw: ENC[AES256_GCM,data:k22Pg9tU9eH//wf0lRDs0hEnW17EHlbnBUAOosHjUSxDcYzNSvltdpqcYN/Y00E9,iv:/EaIzuiJIWmdGDZ9gJYpscjss7xaxpmvyxxe+L5XSJM=,tag:Ny9oUEf9dKvn/kNGp7nKtw==,type:str]
authentik_secret_key: ENC[AES256_GCM,data:IBO3ROfj4Mso5/MGQZsS0fVDcqj9XhD74tDWPpDLmcgdYx59p2R3jVwIhxgj0yWiga03UBvXECVSIjTAcPuhX2uBG6DsbyUmI2T2GOi1,iv:U6bRXxDg9rWS34krp2WTGSZ9QWX0p5MK8Q7ETCONjNA=,tag:RAIHwCg8xcXsbniOGaX9tQ==,type:str]
sops:
kms: []
gcp_kms: []
@ -52,8 +57,8 @@ sops:
VUUxcEhvYi8zeXlCUUViUTl0eWdhcU0KXOfbnDc+zc8lnBcyEAV5EiJSjcSU6AgI
EfeRw8qVqwChrYn1agslcNnDbE0WQsOCBuA6cE4V3kRofp9HU949ig==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-01T14:35:26Z"
mac: ENC[AES256_GCM,data:w7CK7SSvG3/vgpSwW3F3n/FRpm797pYcYs6sy46qBZffpyi4lSS0e1bnqqIcHxBWP8EWXHJwXIA+eyzpdH9UhUbJ/B7ZSaK0rQC6rp9CIIw5+R1js3ccV/ByOjgzz/fhTWGiYp15sm5d/CjZGq99+kME4LOWkkmE/UTevivFbn8=,iv:VzHl8Vn4D7bHe3LY+GjBHKYmiYIRSkThsl1aky/B7AM=,tag:K+8sQ9AMzADuBHulFauB+g==,type:str]
lastmodified: "2024-05-03T09:07:25Z"
mac: ENC[AES256_GCM,data:0dWibOxEX8UaXDZSYuSZDuAZch6E6+MIfOz/3QtTt3aQI8R0ySDlEYVTbDEa9IHpjQExDJTeGDrpdRBswOEAIJS1tNDY8SG2RVQagT5STbKx/FX8x55CeWWfh12KkSCvkANBvT0O3jkhVlGcMZPSthrBGm8jwDYte4cc09oZDGA=,iv:5ECpNjHTnXPZcLf/pOYZJ/yEnbIdIbJ5wzVCzDu4G0A=,tag:4YT2oMUgXFQm2sR6X/apXA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1