add authentik

2026-01-10 17:34:05 -05:00 · 2025-11-02 11:45:03 -05:00 · 2025-11-02 11:45:03 -05:00 · 3d610bb84e
commit 3d610bb84e
parent ca8a707ae2
3 changed files with 45 additions and 8 deletions
--- a/flake.lock
+++ b/flake.lock
@ -387,11 +387,11 @@
        "nixpkgs": "nixpkgs_5"
      },
      "locked": {
-        "lastModified": 1762099877,
-        "narHash": "sha256-aRDSsfVrwyvPxAlZQAH0bYTMRtDnE6dZZ7U8rakTuxo=",
+        "lastModified": 1762101890,
+        "narHash": "sha256-k7/cK8/6dA4V0qxXflpUgtsRg0gsdyUlPJlC5s3gsYA=",
        "ref": "refs/heads/master",
-        "rev": "9e38f0a51ad341ad6a1367897d6f143730994839",
-        "revCount": 143,
+        "rev": "a394862e50d0a26e25a247457ad6d739af18a105",
+        "revCount": 145,
        "type": "git",
        "url": "ssh://git@github.com/TheWanderingCrow/nix-secrets"
      },
--- a/hosts/nixos/HandlerOne/default.nix
+++ b/hosts/nixos/HandlerOne/default.nix
@ -9,7 +9,8 @@
  lib,
  pkgs,
  ...
-}: {
+}:
+{
  imports = lib.flatten [
    # Hardware
    ./hardware-configuration.nix
@ -53,6 +54,7 @@
      "modules/services/fail2ban"
      "modules/services/ntfy-sh"
      "modules/services/mesh/client.nix"
+      "modules/services/auth-provider"
      "modules/services/ollama/proxy.nix" # Just host the proxy path back to Parzival
      "modules/services/netbox"
      "modules/services/matrix"
@ -71,7 +73,10 @@
    networkmanager.enable = true;
    enableIPv6 = false;
    firewall = {
-      allowedTCPPorts = [80 443];
+      allowedTCPPorts = [
+        80
+        443
+      ];
    };
  };

--- a/modules/services/auth-provider/default.nix
+++ b/modules/services/auth-provider/default.nix
@ -1,17 +1,49 @@
-{config, ...}: {
+{ inputs, config, ... }:
+let
+  sopsFolder = builtins.toString inputs.nix-secrets + "/sops";
+in
+{
  services.caddy = {
    enable = true;
    virtualHosts."auth.wanderingcrow.net".extraConfig = ''
      reverse_proxy http://localhost:5555
    '';
  };
+
+  sops.secrets = {
+    "authentik/secret-key" = {
+      sopsFile = "${sopsFolder}/services.yaml";
+    };
+    "authentik/smtp/host" = {
+      sopsFile = "${sopsFolder}/services.yaml";
+    };
+    "authentik/smtp/port" = {
+      sopsFile = "${sopsFolder}/services.yaml";
+    };
+    "authentik/smtp/user" = {
+      sopsFile = "${sopsFolder}/services.yaml";
+    };
+    "authentik/smtp/pass" = {
+      sopsFile = "${sopsFolder}/services.yaml";
+    };
+  };
+
  sops.templates.authentik-env.content = ''
-    AUTHENTIK_SECRET_KEY=qwerasvvbkuhjbn235987@!$
+    AUTHENTIK_SECRET_KEY=${config.sops.placeholder."authentik/secret-key"}
    AUTHENTIK_LISTEN__HTTP=127.0.0.1:5555
    AUTHENTIK_LISTEN__HTTPS=127.0.0.1:5443
+    AUTHENTIK_EMAIL__HOST=${config.sops.placeholder."authentik/smtp/host"}
+    AUTHENTIK_EMAIL__PORT=${config.sops.placeholder."authentik/smtp/port"}
+    AUTHENTIK_EMAIL__USERNAME=${config.sops.placeholder."authentik/smtp/user"}
+    AUTHENTIK_EMAIL__PASSWORD=${config.sops.placeholder."authentik/smtp/pass"}
+    AUTHENTIK_EMAIL__FROM=${config.sops.placeholder."authentik/smtp/user"}
  '';
  services.authentik = {
    enable = true;
    environmentFile = config.sops.templates.authentik-env.path;
+    settings.email = {
+      use_tls = true;
+      use_ssl = true;
+    };
  };
 }