feat: authentik

2026-02-28 10:06:42 +01:00
parent a9022a4f55
commit 674ce6957c
13 changed files with 84 additions and 221 deletions
--- a/hosts/common/ports.nix
+++ b/hosts/common/ports.nix
@@ -37,9 +37,7 @@
      slash-nemoti = 3016;
      kestra = 3018;
      outline = 3019;
-      pangolin = 3020;
+      authentik = 3023;
      pangolin-api = 3021;
      pangolin-ws = 3022;
      # Home automation
      homarr = 7575;
--- a/hosts/m3-atlas/secrets.nix
+++ b/hosts/m3-atlas/secrets.nix
@@ -56,10 +56,6 @@
        file = ../../secrets/exa-key.age;
        owner = "m3tam3re";
      };
      outline-key = {
        file = ../../secrets/outline-key.age;
        owner = "m3tam3re";
      };
      basecamp-client-id = {
        file = ../../secrets/basecamp-client-id.age;
        owner = "m3tam3re";
@@ -68,6 +64,7 @@
        file = ../../secrets/basecamp-client-secret.age;
        owner = "m3tam3re";
      };
      authentik-env = {file = ../../secrets/authentik-env.age;};
    };
  };
 }
--- a/hosts/m3-atlas/services/containers/authentik.nix
+++ b/hosts/m3-atlas/services/containers/authentik.nix
@@ -0,0 +1,67 @@
 {config, ...}: let
  image = "ghcr.io/goauthentik/server:2026.2.0";
  serverIp = "10.89.0.22";
  workerIp = "10.89.0.23";
  postgresHost = "10.89.0.1";
  postgresPort = config.m3ta.ports.get "postgres";
  authentikPort = config.m3ta.ports.get "authentik";
  sharedEnv = {
    AUTHENTIK_POSTGRESQL__HOST = postgresHost;
    AUTHENTIK_POSTGRESQL__PORT = toString postgresPort;
    AUTHENTIK_POSTGRESQL__USER = "authentik";
    AUTHENTIK_POSTGRESQL__NAME = "authentik";
  };
 in {
  virtualisation.oci-containers.containers = {
    "authentik-server" = {
      inherit image;
      cmd = ["server"];
      environment = sharedEnv;
      environmentFiles = [config.age.secrets.authentik-env.path];
      ports = ["127.0.0.1:${toString authentikPort}:9000"];
      volumes = [
        "authentik_media:/media"
        "authentik_templates:/templates"
      ];
      extraOptions = [
        "--add-host=postgres:${postgresHost}"
        "--ip=${serverIp}"
        "--network=web"
      ];
    };
    "authentik-worker" = {
      inherit image;
      cmd = ["worker"];
      user = "root";
      environment = sharedEnv;
      environmentFiles = [config.age.secrets.authentik-env.path];
      volumes = [
        "authentik_media:/media"
        "authentik_certs:/certs"
        "authentik_templates:/templates"
      ];
      extraOptions = [
        "--add-host=postgres:${postgresHost}"
        "--ip=${workerIp}"
        "--network=web"
      ];
    };
  };
  services.traefik.dynamicConfigOptions.http = {
    services.authentik.loadBalancer.servers = [
      {url = "http://localhost:${toString authentikPort}/";}
    ];
    routers.authentik = {
      rule = "Host(`auth.m3ta.dev`)";
      tls = {certResolver = "godaddy";};
      service = "authentik";
      entrypoints = "websecure";
    };
  };
 }
--- a/hosts/m3-atlas/services/containers/default.nix
+++ b/hosts/m3-atlas/services/containers/default.nix
@@ -11,6 +11,7 @@
    ./restreamer.nix
    ./slash.nix
    ./slash-nemoti.nix
    ./authentik.nix
  ];
  system.activationScripts.createPodmanNetworkWeb = lib.mkAfter ''
    if ! /run/current-system/sw/bin/podman network exists web; then
--- a/hosts/m3-atlas/services/containers/netbird.nix
+++ b/hosts/m3-atlas/services/containers/netbird.nix
@@ -1,6 +1,5 @@
 {
  config,
  lib,
  pkgs,
  ...
 }: let
@@ -42,7 +41,7 @@
      auth = {
        issuer = "https://${domain}/oauth2";
-        # localAuthDisabled = true;
+        localAuthDisabled = true;
        signKeyRefreshEnabled = true;
        dashboardRedirectURIs = [
          "https://${domain}/nb-auth"
--- a/hosts/m3-atlas/services/containers/pangolin.nix
+++ b/hosts/m3-atlas/services/containers/pangolin.nix
@@ -1,211 +0,0 @@
 {
  config,
  pkgs,
  lib,
  ...
 }: let
  # Define the Pangolin configuration as a Nix attribute set
  pangolinConfig = {
    app = {
      dashboard_url = "https://vpn.m3tam3re.com";
      log_level = "info";
      save_logs = false;
    };
    domains = {
      vpn = {
        base_domain = "m3tam3re.com";
        cert_resolver = "godaddy";
        prefer_wildcard_cert = false;
      };
    };
    server = {
      external_port = 3000;
      internal_port = 3001;
      next_port = 3002;
      internal_hostname = "pangolin";
      session_cookie_name = "p_session_token";
      resource_access_token_param = "p_token";
      resource_session_request_param = "p_session_request";
    };
    traefik = {
      cert_resolver = "godaddy";
      http_entrypoint = "web";
      https_entrypoint = "websecure";
    };
    gerbil = {
      start_port = 51820;
      base_endpoint = "vpn.m3tam3re.com";
      use_subdomain = false;
      block_size = 24;
      site_block_size = 30;
      subnet_group = "100.89.137.0/20";
    };
    rate_limits = {
      global = {
        window_minutes = 1;
        max_requests = 100;
      };
    };
    email = {
      smtp_host = config.age.secrets.smtp-host.path;
      smtp_port = 587;
      smtp_user = config.age.secrets.smtp-user.path;
      smtp_pass = config.age.secrets.smtp-pass.path;
      no_reply = config.age.secrets.smtp-user.path;
    };
    users = {
      server_admin = {
        email = "admin@m3tam3re.com";
        password = config.age.secrets.pangolin-admin-password.path;
      };
    };
    flags = {
      require_email_verification = true;
      disable_signup_without_invite = true;
      disable_user_create_org = true;
      allow_raw_resources = true;
      allow_base_domain_resources = true;
    };
  };
  # Convert Nix attribute set to YAML using a simpler approach
  pangolinConfigYaml = pkgs.writeTextFile {
    name = "config.yml";
    text = lib.generators.toYAML {} pangolinConfig;
  };
 in {
  # Define the containers
  virtualisation.oci-containers.containers = {
    "pangolin" = {
      image = "fosrl/pangolin:1.1.0";
      autoStart = true;
      volumes = [
        "${pangolinConfigYaml}:/app/config/config.yml:ro" # Mount the config file directly
        "pangolin_config:/app/config/data" # Volume for persistent data
      ];
      ports = [
        "127.0.0.1:3020:3001" # API server
        "127.0.0.1:3021:3002" # Next.js server
        "127.0.0.1:3022:3000" # API/WebSocket server
      ];
      extraOptions = ["--ip=10.89.0.20" "--network=web"];
    };
    "gerbil" = {
      image = "fosrl/gerbil:1.0.0";
      autoStart = true;
      volumes = [
        "pangolin_config:/var/config" # Share the volume for persistent data
      ];
      cmd = [
        "--reachableAt=http://gerbil:3003"
        "--generateAndSaveKeyTo=/var/config/key"
        "--remoteConfig=http://pangolin:3001/api/v1/gerbil/get-config"
        "--reportBandwidthTo=http://pangolin:3001/api/v1/gerbil/receive-bandwidth"
      ];
      ports = [
        "51820:51820/udp" # WireGuard port
      ];
      extraOptions = [
        "--ip=10.89.0.21"
        "--network=web"
        "--cap-add=NET_ADMIN"
        "--cap-add=SYS_MODULE"
      ];
    };
  };
  # Secrets for Pangolin
  # age.secrets = {
  #   "smtp-host" = {
  #     file = ../secrets/smtp-host.age;
  #     owner = "root";
  #     group = "root";
  #     mode = "0400";
  #   };
  #   "smtp-user" = {
  #     file = ../secrets/smtp-user.age;
  #     owner = "root";
  #     group = "root";
  #     mode = "0400";
  #   };
  #   "smtp-pass" = {
  #     file = ../secrets/smtp-pass.age;
  #     owner = "root";
  #     group = "root";
  #     mode = "0400";
  #   };
  #   "pangolin-admin-password" = {
  #     file = ../secrets/pangolin-admin-password.age;
  #     owner = "root";
  #     group = "root";
  #     mode = "0400";
  #   };
  # };
  # Traefik configuration for Pangolin
  services.traefik.dynamicConfigOptions = {
    http = {
      # Next.js service (front-end)
      services.pangolin-next-service.loadBalancer.servers = [
        {url = "http://localhost:3021";}
      ];
      # API service
      services.pangolin-api-service.loadBalancer.servers = [
        {url = "http://localhost:3022";}
      ];
      # Routers
      routers = {
        # Next.js router (handles everything except API paths)
        "pangolin-next" = {
          rule = "Host(`vpn.m3tam3re.com`) && !PathPrefix(`/api/v1`)";
          service = "pangolin-next-service";
          entrypoints = ["websecure"];
          tls = {
            certResolver = "godaddy";
          };
        };
        # API router
        "pangolin-api" = {
          rule = "Host(`vpn.m3tam3re.com`) && PathPrefix(`/api/v1`)";
          service = "pangolin-api-service";
          entrypoints = ["websecure"];
          tls = {
            certResolver = "godaddy";
          };
        };
      };
    };
  };
  # Add HTTP provider to Traefik for dynamic configuration from Pangolin
  services.traefik.staticConfigOptions.providers.http = {
    endpoint = "http://localhost:3020/api/v1/traefik-config";
    pollInterval = "5s";
  };
  # Add experimental section for Badger plugin
  services.traefik.staticConfigOptions.experimental = {
    plugins = {
      #TODO create an overlay for the plugin
      badger = {
        moduleName = "github.com/fosrl/badger";
        version = "v1.0.0";
      };
    };
  };
  # Firewall configuration for WireGuard
  networking.firewall.allowedUDPPorts = [51820]; # WireGuard port
 }
--- a/hosts/m3-atlas/services/default.nix
+++ b/hosts/m3-atlas/services/default.nix
@@ -5,6 +5,7 @@
    ./gitea-actions-runner.nix
    ./minio.nix
    ./mysql.nix
    ./netbird.nix
    ./n8n.nix
    ./paperless.nix
    ./postgres.nix
--- a/hosts/m3-atlas/services/netbird.nix
+++ b/hosts/m3-atlas/services/netbird.nix
@@ -0,0 +1,3 @@
 {
  services.netbird.enable = true;
 }
--- a/hosts/m3-atlas/services/postgres.nix
+++ b/hosts/m3-atlas/services/postgres.nix
@@ -27,6 +27,7 @@
      host    baserow      baserow      10.89.0.0/24    scram-sha-256
      host    kestra       kestra       10.89.0.0/24    scram-sha-256
      host    netbird      netbird      10.89.0.0/24    scram-sha-256
      host    authentik    authentik    10.89.0.0/24    scram-sha-256
      # Deny all other connections
      local   all       all       reject
@@ -37,7 +38,7 @@
  services.postgresqlBackup = {
    enable = true;
    startAt = "03:10:00";
-    databases = ["baserow" "paperless" "kestra"];
+    databases = ["baserow" "paperless" "kestra" "authentik" "netbird"];
  };
  networking.firewall = {
    extraCommands = ''
--- a/hosts/m3-kratos/services/default.nix
+++ b/hosts/m3-kratos/services/default.nix
@@ -3,6 +3,7 @@
    ./containers
    ./mem0.nix
    ./n8n.nix
    ./netbird.nix
    ./postgres.nix
    ./sound.nix
    ./udev.nix
--- a/hosts/m3-kratos/services/netbird.nix
+++ b/hosts/m3-kratos/services/netbird.nix
@@ -0,0 +1,5 @@
 {pkgs, ...}: {
  services.netbird.enable = true;
  environment.systemPackages = [pkgs.netbird-ui];
  networking.firewall.checkReversePath = "loose";
 }
--- a/secrets.nix
+++ b/secrets.nix
@@ -13,6 +13,7 @@ let
 in {
  "secrets/anytype-key.age".publicKeys = systems ++ users;
  "secrets/anytype-key-ares.age".publicKeys = systems ++ users;
  "secrets/authentik-env.age".publicKeys = systems ++ users;
  "secrets/baserow-env.age".publicKeys = systems ++ users;
  "secrets/ghost-env.age".publicKeys = systems ++ users;
  "secrets/littlelink-m3tam3re.age".publicKeys = systems ++ users;
--- a/secrets/authentik-env.age
+++ b/secrets/authentik-env.age