Arion: Add Authentik
This commit is contained in:
parent
184495ae51
commit
311ae93432
6 changed files with 199 additions and 2 deletions
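--- a/hosts/franz/arion/auth/arion-compose.nix
+++ b/hosts/franz/arion/auth/arion-compose.nix
@@ -0,0 +1,129 @@
+{pkgs, ...}: let
+  authentikImage = "ghcr.io/goauthentik/server:2024.4.1";
+in {
+  project.name = "auth";
+
+  networks.dmz = {
+    name = "dmz";
+    external = true;
+  };
+  networks.internal = {};
+
+  services = {
+    authentik.service = {
+      image = authentikImage;
+      container_name = "authentik";
+      labels = {
+        "traefik.enable" = "true";
+
+        "traefik.http.services.authentik.loadbalancer.server.port" = "9000";
+        "traefik.http.routers.authentik.service" = "authentik";
+        "traefik.http.routers.authentik.rule" = "Host(`auth.ghoscht.com`)";
+        "traefik.http.routers.authentik.entrypoints" = "websecure";
+        "traefik.http.routers.authentik.tls" = "true";
+        "traefik.http.routers.authentik.tls.certresolver" = "letsencrypt";
+
+        "traefik.http.services.authentik-external.loadbalancer.server.port" = "9000";
+        "traefik.http.routers.authentik-external.service" = "authentik-external";
+        "traefik.http.routers.authentik-external.rule" = "Host(`auth.ghoscht.com`)";
+        "traefik.http.routers.authentik-external.entrypoints" = "websecure-external";
+        "traefik.http.routers.authentik-external.tls" = "true";
+        "traefik.http.routers.authentik-external.tls.certresolver" = "letsencrypt";
+      };
+      command = "server";
+      environment = {
+        AUTHENTIK_REDIS__HOST = "redis";
+        AUTHENTIK_POSTGRESQL__HOST = "postgres";
+        AUTHENTIK_ERROR_REPORTING__ENABLED = "true";
+      };
+      env_file = [
+        "/home/ghoscht/.docker/auth/authentik.env"
+      ];
+      dns = ["1.1.1.1"];
+      restart = "always";
+      depends_on = {
+        redis = {condition = "service_healthy";};
+        postgres = {condition = "service_healthy";};
+      };
+      volumes = [
+        "/storage/dataset/docker/auth/authentik_media:/media"
+        "/storage/dataset/docker/auth/authentik_custom_templates:/templates"
+      ];
+      networks = [
+        "dmz"
+        "internal"
+      ];
+    };
+    worker.service = {
+      image = authentikImage;
+      command = "worker";
+      environment = {
+        AUTHENTIK_REDIS__HOST = "redis";
+        AUTHENTIK_POSTGRESQL__HOST = "postgres";
+        AUTHENTIK_ERROR_REPORTING__ENABLED = "true";
+      };
+      env_file = [
+        "/home/ghoscht/.docker/auth/authentik.env"
+      ];
+      dns = ["1.1.1.1"];
+      depends_on = {
+        redis = {condition = "service_healthy";};
+        postgres = {condition = "service_healthy";};
+      };
+      volumes = [
+        "/var/run/docker.sock:/var/run/docker.sock"
+        "/storage/dataset/docker/auth/authentik_media:/media"
+        "/storage/dataset/docker/auth/authentik_custom_templates:/templates"
+      ];
+      restart = "always";
+      user = "root";
+      networks = [
+        "internal"
+      ];
+    };
+    redis.service = {
+      image = "redis:7.2.4";
+      command = "--save 60 1 --loglevel warning";
+      healthcheck = {
+        test = [
+          "CMD-SHELL"
+          "redis-cli ping | grep PONG"
+        ];
+        start_period = "20s";
+        interval = "30s";
+        retries = 5;
+        timeout = "5s";
+      };
+      restart = "always";
+      volumes = [
+        "/storage/dataset/docker/auth/redis_data:/data"
+      ];
+      networks = [
+        "internal"
+      ];
+    };
+    postgres.service = {
+      image = "postgres:12.18";
+      restart = "always";
+      env_file = [
+        "/home/ghoscht/.docker/auth/postgres.env"
+      ];
+      volumes = [
+        "/storage/dataset/docker/auth/postgres_data:/var/lib/postgresql/data"
+      ];
+      healthcheck = {
+        test = [
+          "CMD-SHELL"
+          "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"
+        ];
+        start_period = "20s";
+        interval = "30s";
+        retries = 5;
+        timeout = "5s";
+      };
+      networks = [
+        "internal"
+      ];
+    };
+  };
+}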
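Review bot: The worker service bind-mounts `/var/run/docker.sock` and runs with `user = "root"`, which gives anyone who obtains code execution inside that container (the process that runs Authentik's background tasks) effective root on the host through the Docker API. Authentik needs the socket only when outposts are deployed via its Docker integration; if they are not, remove both `"/var/run/docker.sock:/var/run/docker.sock"` and `user = "root";`, and if they are, consider exposing the socket through a filtered socket proxy on the `internal` network instead of the raw mount. Separately, `AUTHENTIK_ERROR_REPORTING__ENABLED = "true"` on both services opts in to shipping crash reports to the upstream project; if that is intentional a one-line comment such as `# opt-in upstream error reporting; may include hostnames/URLs` would make the choice explicit, otherwise set it to `"false"`.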
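--- a/hosts/franz/arion/auth/arion-pkgs.nix
+++ b/hosts/franz/arion/auth/arion-pkgs.nix
@@ -0,0 +1,6 @@
+# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
+import <nixpkgs> {
+  # We specify the architecture explicitly. Use a Linux remote builder when
+  # calling arion from other platforms.
+  system = "x86_64-linux";
+}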
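--- a/hosts/franz/arion/auth/default.nix
+++ b/hosts/franz/arion/auth/default.nix
@@ -0,0 +1,45 @@
+{config, ...}: let
+  vars = import ../../../../vars.nix;
+in {
+  virtualisation.arion = {
+    projects.auth.settings = {
+      imports = [./arion-compose.nix];
+    };
+  };
+
+  sops.secrets."auth/postgres_db" = {
+    owner = vars.user;
+  };
+  sops.secrets."auth/postgres_user" = {
+    owner = vars.user;
+  };
+  sops.secrets."auth/postgres_pw" = {
+    owner = vars.user;
+  };
+  sops.secrets."auth/authentik_secret_key" = {
+    owner = vars.user;
+  };
+
+  sops.templates."postgres.env" = {
+    path = "/home/${vars.user}/.docker/auth/postgres.env";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      POSTGRES_PASSWORD="${config.sops.placeholder."auth/postgres_pw"}"
+      POSTGRES_USER="${config.sops.placeholder."auth/postgres_user"}"
+      POSTGRES_DB="${config.sops.placeholder."auth/postgres_db"}"
+    '';
+  };
+
+  sops.templates."authentik.env" = {
+    path = "/home/${vars.user}/.docker/auth/authentik.env";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      AUTHENTIK_POSTGRESQL__PASSWORD="${config.sops.placeholder."auth/postgres_pw"}"
+      AUTHENTIK_POSTGRESQL__USER="${config.sops.placeholder."auth/postgres_user"}"
+      AUTHENTIK_POSTGRESQL__NAME="${config.sops.placeholder."auth/postgres_db"}"
+      AUTHENTIK_SECRET_KEY="${config.sops.placeholder."auth/authentik_secret_key"}"
+    '';
+  };
+}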
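Review bot: `mode = "0775"` on both `sops.templates` makes the rendered `postgres.env` and `authentik.env`, which carry the Postgres password and `AUTHENTIK_SECRET_KEY` in plaintext, readable by every local account and needlessly executable, which defeats the point of restricting the underlying `sops.secrets` to `owner = vars.user`. These files are only ever read by the compose process, so `mode = "0400";` (or `"0600"`) in both templates is sufficient. Note also that `arion-compose.nix` hardcodes `/home/ghoscht/.docker/auth/...` while the templates render to `/home/${vars.user}/...`; if `vars.user` is ever not `ghoscht` the stack would silently start without its secrets, so reusing the same variable (or the template's `path`) on the compose side would keep the two in sync.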
|
@ -20,6 +20,7 @@
|
||||||
./feed
|
./feed
|
||||||
./matrix
|
./matrix
|
||||||
./headscale
|
./headscale
|
||||||
|
./auth
|
||||||
];
|
];
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [arion];
|
environment.systemPackages = with pkgs; [arion];
|
||||||
|
|
|
@ -186,6 +186,17 @@ in {
|
||||||
- arion -f ${arionPath}/headscale/arion-compose.nix -p ${arionPath}/headscale/arion-pkgs.nix stop
|
- arion -f ${arionPath}/headscale/arion-compose.nix -p ${arionPath}/headscale/arion-pkgs.nix stop
|
||||||
after:
|
after:
|
||||||
- arion -f ${arionPath}/headscale/arion-compose.nix -p ${arionPath}/headscale/arion-pkgs.nix start
|
- arion -f ${arionPath}/headscale/arion-compose.nix -p ${arionPath}/headscale/arion-pkgs.nix start
|
||||||
|
auth:
|
||||||
|
from: /storage/dataset/docker/auth
|
||||||
|
to:
|
||||||
|
- zfs
|
||||||
|
- eustachius
|
||||||
|
cron: '0 4 * * 0' # Every Sunday at 4:00
|
||||||
|
hooks:
|
||||||
|
before:
|
||||||
|
- arion -f ${arionPath}/auth/arion-compose.nix -p ${arionPath}/auth/arion-pkgs.nix stop
|
||||||
|
after:
|
||||||
|
- arion -f ${arionPath}/auth/arion-compose.nix -p ${arionPath}/auth/arion-pkgs.nix start
|
||||||
backends:
|
backends:
|
||||||
zfs:
|
zfs:
|
||||||
type: local
|
type: local
|
||||||
|
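Review bot: The `before` hook stops the whole `auth` project for the duration of the Sunday backup, so every service that authenticates through Authentik is unavailable from 04:00 until the copy finishes; if `/storage/dataset/docker/auth` is a ZFS dataset, as the path and the `zfs` backend suggest, a snapshot-based copy (or stopping only the `postgres` service and backing up the rest live) would avoid the weekly SSO outage. The dataset also holds `postgres_data`, i.e. the identity provider's user table, credential hashes and OAuth client secrets, so the `eustachius` target should be treated as equally sensitive (encrypted at rest, access restricted); that backend's definition is outside this hunk, so confirm it there. The enclosing `in {` attribute set and the `arionPath` binding start outside the hunk.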
|
|
@ -37,6 +37,11 @@ matrix:
|
||||||
postgres_password: ENC[AES256_GCM,data:sKlU4HKDDNERv4LZK9/M2+kvnNht1uxQ7+pQSIZWPkk=,iv:fD98XPUMjo+eZOmE/cVOh5TFkmTY/KDCjfZcf5fSWOg=,tag:B5zsxgjvs7+czDWcCst/eg==,type:str]
|
postgres_password: ENC[AES256_GCM,data:sKlU4HKDDNERv4LZK9/M2+kvnNht1uxQ7+pQSIZWPkk=,iv:fD98XPUMjo+eZOmE/cVOh5TFkmTY/KDCjfZcf5fSWOg=,tag:B5zsxgjvs7+czDWcCst/eg==,type:str]
|
||||||
dyndns:
|
dyndns:
|
||||||
cloudflare_api_key: ENC[AES256_GCM,data:O8biURYpw+joKm5A+7E9ARKlFRcnwFaqrbLPHevOXvYTFED1NdMSGQ==,iv:Vm1DreqdaFd1owN7zci242gzpGEZqE57Yn9XAzVxXoQ=,tag:KdQtVvZCypAYIghtuM5kjw==,type:str]
|
cloudflare_api_key: ENC[AES256_GCM,data:O8biURYpw+joKm5A+7E9ARKlFRcnwFaqrbLPHevOXvYTFED1NdMSGQ==,iv:Vm1DreqdaFd1owN7zci242gzpGEZqE57Yn9XAzVxXoQ=,tag:KdQtVvZCypAYIghtuM5kjw==,type:str]
|
||||||
|
auth:
|
||||||
|
postgres_db: ENC[AES256_GCM,data:zRDkvA5+p57YMW/J,iv:2LQ5f+uZ15rd6b+c/z9iaVrRNrtMnjj411guxzOke+c=,tag:5VgnajLXvte6FHKNM+mRsw==,type:str]
|
||||||
|
postgres_user: ENC[AES256_GCM,data:Cuw3XEY419FOoguYvyQ=,iv:spERtcJschAfYKjH2W5mgcDbPM2O3GT39lCbcfSK60Y=,tag:nT2LOywbjtSIqSiyPgA2Mw==,type:str]
|
||||||
|
postgres_pw: ENC[AES256_GCM,data:k22Pg9tU9eH//wf0lRDs0hEnW17EHlbnBUAOosHjUSxDcYzNSvltdpqcYN/Y00E9,iv:/EaIzuiJIWmdGDZ9gJYpscjss7xaxpmvyxxe+L5XSJM=,tag:Ny9oUEf9dKvn/kNGp7nKtw==,type:str]
|
||||||
|
authentik_secret_key: ENC[AES256_GCM,data:IBO3ROfj4Mso5/MGQZsS0fVDcqj9XhD74tDWPpDLmcgdYx59p2R3jVwIhxgj0yWiga03UBvXECVSIjTAcPuhX2uBG6DsbyUmI2T2GOi1,iv:U6bRXxDg9rWS34krp2WTGSZ9QWX0p5MK8Q7ETCONjNA=,tag:RAIHwCg8xcXsbniOGaX9tQ==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -52,8 +57,8 @@ sops:
|
||||||
VUUxcEhvYi8zeXlCUUViUTl0eWdhcU0KXOfbnDc+zc8lnBcyEAV5EiJSjcSU6AgI
|
VUUxcEhvYi8zeXlCUUViUTl0eWdhcU0KXOfbnDc+zc8lnBcyEAV5EiJSjcSU6AgI
|
||||||
EfeRw8qVqwChrYn1agslcNnDbE0WQsOCBuA6cE4V3kRofp9HU949ig==
|
EfeRw8qVqwChrYn1agslcNnDbE0WQsOCBuA6cE4V3kRofp9HU949ig==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-05-01T14:35:26Z"
|
lastmodified: "2024-05-03T09:07:25Z"
|
||||||
mac: ENC[AES256_GCM,data:w7CK7SSvG3/vgpSwW3F3n/FRpm797pYcYs6sy46qBZffpyi4lSS0e1bnqqIcHxBWP8EWXHJwXIA+eyzpdH9UhUbJ/B7ZSaK0rQC6rp9CIIw5+R1js3ccV/ByOjgzz/fhTWGiYp15sm5d/CjZGq99+kME4LOWkkmE/UTevivFbn8=,iv:VzHl8Vn4D7bHe3LY+GjBHKYmiYIRSkThsl1aky/B7AM=,tag:K+8sQ9AMzADuBHulFauB+g==,type:str]
|
mac: ENC[AES256_GCM,data:0dWibOxEX8UaXDZSYuSZDuAZch6E6+MIfOz/3QtTt3aQI8R0ySDlEYVTbDEa9IHpjQExDJTeGDrpdRBswOEAIJS1tNDY8SG2RVQagT5STbKx/FX8x55CeWWfh12KkSCvkANBvT0O3jkhVlGcMZPSthrBGm8jwDYte4cc09oZDGA=,iv:5ECpNjHTnXPZcLf/pOYZJ/yEnbIdIbJ5wzVCzDu4G0A=,tag:4YT2oMUgXFQm2sR6X/apXA==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.8.1
|
version: 3.8.1
|
||||||
|
|