diff --git a/flake.lock b/flake.lock index 3b7fdd5..a29b645 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,49 @@ { "nodes": { + "authentik-nix": { + "inputs": { + "authentik-src": "authentik-src", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "flake-utils": "flake-utils", + "napalm": "napalm", + "nixpkgs": "nixpkgs", + "pyproject-build-systems": "pyproject-build-systems", + "pyproject-nix": "pyproject-nix", + "systems": "systems", + "uv2nix": "uv2nix" + }, + "locked": { + "lastModified": 1759322529, + "narHash": "sha256-yiv/g/tiJI3PI95F7vhTnaf1TDsIkFLrmmFTjWfb6pQ=", + "owner": "nix-community", + "repo": "authentik-nix", + "rev": "69fac057b2e553ee17c9a09b822d735823d65a6c", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "authentik-nix", + "type": "github" + } + }, + "authentik-src": { + "flake": false, + "locked": { + "lastModified": 1759190535, + "narHash": "sha256-pIzDaoDWc58cY/XhsyweCwc4dfRvkaT/zqsV1gDSnCI=", + "owner": "goauthentik", + "repo": "authentik", + "rev": "8d3a289d12c7de2f244c76493af7880f70d08af2", + "type": "github" + }, + "original": { + "owner": "goauthentik", + "ref": "version/2025.8.4", + "repo": "authentik", + "type": "github" + } + }, "disko": { "inputs": { "nixpkgs": [ @@ -21,6 +65,22 @@ } }, "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1747046372, + "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { "flake": false, "locked": { "lastModified": 1751685974, @@ -37,6 +97,24 @@ } }, "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1756770412, + "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "4524271976b625a4a605beefd893f270620fd751", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { "inputs": { "nixpkgs-lib": [ "nvix", @@ -58,9 +136,9 @@ "type": "github" } }, - "flake-parts_2": { + "flake-parts_3": { "inputs": { - "nixpkgs-lib": "nixpkgs-lib" + "nixpkgs-lib": "nixpkgs-lib_2" }, "locked": { "lastModified": 1738453229, @@ -76,6 +154,27 @@ "type": "github" } }, + "flake-utils": { + "inputs": { + "systems": [ + "authentik-nix", + "systems" + ] + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "hardware": { "locked": { "lastModified": 1759582739, @@ -127,11 +226,37 @@ "type": "github" } }, + "napalm": { + "inputs": { + "flake-utils": [ + "authentik-nix", + "flake-utils" + ], + "nixpkgs": [ + "authentik-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1725806412, + "narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=", + "owner": "willibutz", + "repo": "napalm", + "rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5", + "type": "github" + }, + "original": { + "owner": "willibutz", + "ref": "avoid-foldl-stack-overflow", + "repo": "napalm", + "type": "github" + } + }, "niri-flake": { "inputs": { "niri-stable": "niri-stable", "niri-unstable": "niri-unstable", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_2", "nixpkgs-stable": "nixpkgs-stable", "xwayland-satellite-stable": "xwayland-satellite-stable", "xwayland-satellite-unstable": "xwayland-satellite-unstable" @@ -205,7 +330,7 @@ }, "nix-secrets": { "inputs": { - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_3" }, "locked": { "lastModified": 1758997836, @@ -223,11 +348,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1759381078, - "narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=", + "lastModified": 1757745802, + "narHash": "sha256-hLEO2TPj55KcUFUU1vgtHE9UEIOjRcH/4QbmfHNF820=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee", + "rev": "c23193b943c6c689d70ee98ce3128239ed9e32d1", "type": "github" }, "original": { @@ -254,6 +379,21 @@ } }, "nixpkgs-lib": { + "locked": { + "lastModified": 1754788789, + "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "a73b9c743612e4244d865a2fdee11865283c04e6", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "nixpkgs-lib_2": { "locked": { "lastModified": 1738452942, "narHash": "sha256-vJzFZGaCpnmo7I6i416HaBLpC+hvcURh/BQwROcGIp8=", @@ -314,6 +454,22 @@ } }, "nixpkgs_2": { + "locked": { + "lastModified": 1759381078, + "narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { "locked": { "lastModified": 1750605355, "narHash": "sha256-xT8cPLTxlktxI9vSdoBlAVK7dXgd8IK59j7ZwzkkhnI=", @@ -327,7 +483,7 @@ "type": "indirect" } }, - "nixpkgs_3": { + "nixpkgs_4": { "locked": { "lastModified": 1759439645, "narHash": "sha256-oiAyQaRilPk525Z5aTtTNWNzSrcdJ7IXM0/PL3CGlbI=", @@ -343,7 +499,7 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_5": { "locked": { "lastModified": 1757745802, "narHash": "sha256-hLEO2TPj55KcUFUU1vgtHE9UEIOjRcH/4QbmfHNF820=", @@ -359,7 +515,7 @@ "type": "github" } }, - "nixpkgs_5": { + "nixpkgs_6": { "locked": { "lastModified": 1756696532, "narHash": "sha256-6FWagzm0b7I/IGigOv9pr6LL7NQ86mextfE8g8Q6HBg=", @@ -375,7 +531,7 @@ "type": "github" } }, - "nixpkgs_6": { + "nixpkgs_7": { "locked": { "lastModified": 1739214665, "narHash": "sha256-26L8VAu3/1YRxS8MHgBOyOM8xALdo6N0I04PgorE7UM=", @@ -393,11 +549,11 @@ }, "nvf": { "inputs": { - "flake-compat": "flake-compat", - "flake-parts": "flake-parts", + "flake-compat": "flake-compat_2", + "flake-parts": "flake-parts_2", "mnw": "mnw", - "nixpkgs": "nixpkgs_5", - "systems": "systems" + "nixpkgs": "nixpkgs_6", + "systems": "systems_2" }, "locked": { "lastModified": 1757773905, @@ -415,7 +571,7 @@ }, "nvix": { "inputs": { - "nixpkgs": "nixpkgs_4", + "nixpkgs": "nixpkgs_5", "nvf": "nvf" }, "locked": { @@ -432,15 +588,66 @@ "type": "github" } }, + "pyproject-build-systems": { + "inputs": { + "nixpkgs": [ + "authentik-nix", + "nixpkgs" + ], + "pyproject-nix": [ + "authentik-nix", + "pyproject-nix" + ], + "uv2nix": [ + "authentik-nix", + "uv2nix" + ] + }, + "locked": { + "lastModified": 1757296493, + "narHash": "sha256-6nzSZl28IwH2Vx8YSmd3t6TREHpDbKlDPK+dq1LKIZQ=", + "owner": "pyproject-nix", + "repo": "build-system-pkgs", + "rev": "5b8e37fe0077db5c1df3a5ee90a651345f085d38", + "type": "github" + }, + "original": { + "owner": "pyproject-nix", + "repo": "build-system-pkgs", + "type": "github" + } + }, + "pyproject-nix": { + "inputs": { + "nixpkgs": [ + "authentik-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1757246327, + "narHash": "sha256-6pNlGhwOIMfhe/RLjHdpXveKS4FyLHvlGe+KtjDild4=", + "owner": "pyproject-nix", + "repo": "pyproject.nix", + "rev": "8d77f342d66ad1601cdb9d97e9388b69f64d4c8e", + "type": "github" + }, + "original": { + "owner": "pyproject-nix", + "repo": "pyproject.nix", + "type": "github" + } + }, "root": { "inputs": { + "authentik-nix": "authentik-nix", "disko": "disko", "hardware": "hardware", "home-manager": "home-manager", "niri-flake": "niri-flake", "nix-darwin": "nix-darwin", "nix-secrets": "nix-secrets", - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_4", "nixpkgs-darwin": "nixpkgs-darwin", "nixpkgs-stable": "nixpkgs-stable_2", "nixpkgs-unstable": "nixpkgs-unstable", @@ -470,6 +677,21 @@ } }, "systems": { + "locked": { + "lastModified": 1689347949, + "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", + "owner": "nix-systems", + "repo": "default-linux", + "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default-linux", + "type": "github" + } + }, + "systems_2": { "locked": { "lastModified": 1681028828, "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", @@ -486,8 +708,8 @@ }, "the-nest": { "inputs": { - "flake-parts": "flake-parts_2", - "nixpkgs": "nixpkgs_6" + "flake-parts": "flake-parts_3", + "nixpkgs": "nixpkgs_7" }, "locked": { "lastModified": 1745340936, @@ -503,6 +725,31 @@ "type": "github" } }, + "uv2nix": { + "inputs": { + "nixpkgs": [ + "authentik-nix", + "nixpkgs" + ], + "pyproject-nix": [ + "authentik-nix", + "pyproject-nix" + ] + }, + "locked": { + "lastModified": 1757925761, + "narHash": "sha256-7Hwz0vfHuFqCo5v7Q07GQgLBWuPvZCuf/5/pk4NoADg=", + "owner": "pyproject-nix", + "repo": "uv2nix", + "rev": "780494c40895bb7419a73d942bee326291e80b3b", + "type": "github" + }, + "original": { + "owner": "pyproject-nix", + "repo": "uv2nix", + "type": "github" + } + }, "xwayland-satellite-stable": { "flake": false, "locked": { diff --git a/flake.nix b/flake.nix index 9b83d18..5a9e543 100644 --- a/flake.nix +++ b/flake.nix @@ -110,6 +110,7 @@ }; niri-flake.url = "github:sodiboo/niri-flake"; + authentik-nix.url = "github:nix-community/authentik-nix"; # CrOS inputs nix-secrets.url = "git+ssh://git@github.com/TheWanderingCrow/nix-secrets"; diff --git a/hosts/nixos/HandlerOne/default.nix b/hosts/nixos/HandlerOne/default.nix index 93dcd2e..8829e80 100644 --- a/hosts/nixos/HandlerOne/default.nix +++ b/hosts/nixos/HandlerOne/default.nix @@ -20,6 +20,7 @@ # Disks inputs.disko.nixosModules.disko + inputs.authentik-nix.nixosModules.default (lib.custom.relativeToRoot "hosts/common/disks/btrfs-disk.nix") { _module.args = { diff --git a/modules/services/auth-provider/default.nix b/modules/services/auth-provider/default.nix index e370ded..a23c8f7 100644 --- a/modules/services/auth-provider/default.nix +++ b/modules/services/auth-provider/default.nix @@ -5,23 +5,13 @@ reverse_proxy http://localhost:5555 ''; }; - - sops.secrets."keycloak/database/pass" = {}; - - services.keycloak = { + sops.templates.authentik-env.content = '' + AUTHENTIK_SECRET_KEY=qwerasvvbkuhjbn235987@!$ + AUTHENTIK_LISTEN__HTTP=127.0.0.1:5555 + AUTHENTIK_LISTEN__HTTPS=127.0.0.1:5443 + ''; + services.authentik = { enable = true; - initialAdminPassword = "changeme"; - settings = { - hostname = "https://auth.wanderingcrow.net"; - http-port = 5555; - https-port = 9443; - http-enabled = true; - hostname-strict-https = false; - }; - database = { - type = "postgresql"; - createLocally = true; - passwordFile = config.sops.secrets."keycloak/database/pass".path; - }; + environmentFile = config.sops.templates.authentik-env.path; }; }