chore(koi): authentik -> kanidm

2024-10-26 22:44:01 +03:00 · 2024-10-26 22:44:01 +03:00 · 11aea04fe5
commit 11aea04fe5
parent c69d1b8675
11 changed files with 147 additions and 99 deletions
--- a/hosts/koi/configuration.nix
+++ b/hosts/koi/configuration.nix
@ -30,8 +30,7 @@
    ./containers/navidrome
    ./containers/conduwuit
    ./containers/zond
-    ./containers/authentik
+    ./containers/kanidm
    ./containers/outline-wiki
    ./containers/siyuan
    ./containers/teisu.nix
    ./containers/bots/pcre-sub-bot.nix
--- a/hosts/koi/containers/authentik/default.nix
+++ b/hosts/koi/containers/authentik/default.nix
@ -1,77 +0,0 @@
 { abs, pkgs, config, ... }@inputs:
 let 
  secrets = import (abs "lib/secrets.nix");
  UID = 1110;
  sharedConfig = {
    image = "ghcr.io/goauthentik/server:2024.8.2";
    dependsOn = [ "authentik-redis" ];
    environment = {
      AUTHENTIK_POSTGRESQL__HOST = "172.17.0.1";
      AUTHENTIK_POSTGRESQL__USER = "authentik";
      AUTHENTIK_POSTGRESQL__PASSWORD = "authentik";
      AUTHENTIK_POSTGRESQL__NAME = "authentik";
      AUTHENTIK_REDIS__HOST = "authentik-redis.docker";
    };
    volumes = [
      "/mnt/puffer/authentik/media:/media"
      "/mnt/puffer/authentik/templates:/templates"
    ];
    user = builtins.toString UID;
    environmentFiles = [
      (secrets.file config "authentik-env")
    ];
  };
 in {
  imports = [
    # email related + AUTHENTIK_SECRET_KEY
    (secrets.declare [{
      name = "authentik-env";
      owner = "authentik";
    }])
  ];
  users.users.authentik = {
    isNormalUser = true;
    uid = UID;
  };
  services.postgresql.ensureUsers = [
    { name = "authentik"; ensureDBOwnership = true; }
  ];
  services.postgresql.ensureDatabases = [ "authentik" ];
  desu.postgresql.ensurePasswords.authentik = "authentik";
  virtualisation.oci-containers.containers.authentik-redis = {
    image = "docker.io/redis:7.0-alpine";
    volumes = [
      "/mnt/puffer/authentik/redis:/data"
    ];
    user = builtins.toString UID;
  };
  virtualisation.oci-containers.containers.authentik-server = sharedConfig // {
    cmd = [ "server" ];
  };
  systemd.services.docker-authentik-server.after = [ "postgresql.service" ];
  virtualisation.oci-containers.containers.authentik-worker = sharedConfig // {
    cmd = [ "worker" ];
  };
  systemd.services.docker-authentik-worker.after = [ "postgresql.service" ];
  systemd.tmpfiles.rules = [
    "d /mnt/puffer/authentik 0777 root root -"
  ];
  services.nginx.virtualHosts."id.stupid.fish" = {
    forceSSL = true;
    useACMEHost = "stupid.fish";
    locations."/" = {
      proxyPass = "http://authentik-server.docker:9000$request_uri";
      proxyWebsockets = true;
    };
  };
 }
--- a/hosts/koi/containers/kanidm/default.nix
+++ b/hosts/koi/containers/kanidm/default.nix
@ -0,0 +1,51 @@
 { abs, pkgs, config, ... }@inputs:
 let 
  secrets = import (abs "lib/secrets.nix");
  UID = 1111;
 in {
  imports = [
    (secrets.declare [
      {
        name = "kanidm-tls-key";
        owner = "kanidm";
      }
      {
        name = "kanidm-tls-cert";
        owner = "kanidm";
      }
    ])
    ./proxy.nix
  ];
  users.users.kanidm = {
    isNormalUser = true;
    uid = UID;
  };
  virtualisation.oci-containers.containers.kanidm = {
    image = "kanidm/server:1.3.3";
    volumes = [
      "/srv/kanidm/data:/data/db"
      "${./server.toml}:/data/server.toml"
      "${(secrets.file config "kanidm-tls-key")}:/data/key.pem"
      "${(secrets.file config "kanidm-tls-cert")}:/data/chain.pem"
    ];
    user = "${builtins.toString UID}:60";
  };
  systemd.tmpfiles.rules = [
    "d /srv/kanidm/data 0700 ${builtins.toString UID} ${builtins.toString UID} -"
  ];
  services.nginx.virtualHosts."id.stupid.fish" = {
    forceSSL = true;
    useACMEHost = "stupid.fish";
    locations."/" = {
      proxyPass = "https://kanidm.docker:8443$request_uri";
      proxyWebsockets = true;
    };
  };
 }
--- a/hosts/koi/containers/kanidm/proxy.nix
+++ b/hosts/koi/containers/kanidm/proxy.nix
@ -0,0 +1,69 @@
 { pkgs, config, lib, ... }: 
 let 
  cfg = config.desu.openid-proxy;
 in {
  options.desu.openid-proxy = with lib; {
    services = mkOption {
      type = types.attrsOf (types.submodule ({ ... }: {
        options = {
          clientId = mkOption {
            type = types.str;
            description = "oauth2 client id";
          };
          domain = mkOption {
            type = types.str;
            description = "domain that the service will be hosted on";
          };
          upstream = mkOption {
            type = types.str;
            description = "upstream address";
          };
          envSecret = mkOption {
            type = types.str;
            description = "name of the secret that contains the env vars (OAUTH2_PROXY_COOKIE_SECRET, OAUTH2_PROXY_CLIENT_SECRET)";
          };
          extra = mkOption {
            type = types.listOf types.str;
            description = "extra arguments that will be passed to the service";
            default = [];
          };
          uid = mkOption {
            type = types.int;
            description = "uid of the user that will run the service";
          };
        };
      }));
      default = {};
    };
  };
  config = lib.mkIf (cfg.services != {}) {
    virtualisation.oci-containers.containers = builtins.listToAttrs (
      map (name: let 
        service = cfg.services.${name};
      in {
        name = "${name}-oidc";
        value = {
          image = "quay.io/oauth2-proxy/oauth2-proxy:v7.7.1-amd64";
          user = "${builtins.toString service.uid}";
          environmentFiles = [
            config.age.secrets.${service.envSecret}.path
          ];
          cmd = [ 
            "--reverse-proxy=true"
            "--http-address=0.0.0.0:80"
            "--skip-provider-button=true"
            "--provider=oidc"
            "--email-domain=*"
            "--client-id=${service.clientId}"
            "--upstream=${service.upstream}"
            "--redirect-url=https://${service.domain}/oauth2/callback"
            "--oidc-issuer-url=https://id.stupid.fish/oauth2/openid/${service.clientId}"
          ] ++ service.extra;
        };
      }) (builtins.attrNames cfg.services)
    );
  };
 }
--- a/hosts/koi/containers/kanidm/server.toml
+++ b/hosts/koi/containers/kanidm/server.toml
@ -0,0 +1,9 @@
 bindaddress = "0.0.0.0:8443"
 adminbindpath = "/tmp/kanidm.sock"
 trust_x_forward_for = true
 db_path = "/data/db/kanidm.db"
 tls_chain = "/data/chain.pem"
 tls_key = "/data/key.pem"
 domain = "id.stupid.fish"
 origin = "https://id.stupid.fish"
--- a/hosts/koi/containers/siyuan/default.nix
+++ b/hosts/koi/containers/siyuan/default.nix
@ -9,7 +9,7 @@ let
 in {
  imports = [
    (secrets.declare [{
-      name = "siyuan-teidesu-authentik-env";
+      name = "siyuan-teidesu-proxy-env";
      owner = "siyuan-teidesu";
    }])
  ];
@ -30,33 +30,30 @@ in {
    ];
    cmd = [ "--workspace=/data" ];
    environment = {
-      # we manage auth via authentik
+      # we manage auth via openid-proxy
      SIYUAN_ACCESS_AUTH_CODE_BYPASS = "true";
    };
    user = builtins.toString UID;
  };
  virtualisation.oci-containers.containers.siyuan-teidesu-authentik = {
    image = "ghcr.io/goauthentik/proxy";
    environment = {
      AUTHENTIK_HOST = "https://id.stupid.fish";
    };
    user = builtins.toString UID;
    environmentFiles = [
      (secrets.file config "siyuan-teidesu-authentik-env")
    ];
  };
  systemd.tmpfiles.rules = [
    "d /srv/siyuan-teidesu 0700 ${builtins.toString UID} ${builtins.toString UID} -"
  ];
  desu.openid-proxy.services.siyuan-teidesu = {
    clientId = "teidesu-siyuan";
    domain = "siyuan.tei.su";
    upstream = "http://siyuan-teidesu.docker:6806";
    envSecret = "siyuan-teidesu-proxy-env";
    uid = UID;
  };
  services.nginx.virtualHosts."siyuan.tei.su" = {
    forceSSL = true;
    useACMEHost = "tei.su";
    locations."/" = {
-      proxyPass = "http://siyuan-teidesu-authentik.docker:9000$request_uri";
+      proxyPass = "http://siyuan-teidesu-oidc.docker$request_uri";
      proxyWebsockets = true;
    };
  };
--- a/secrets/kanidm-tls-cert.age
+++ b/secrets/kanidm-tls-cert.age
--- a/secrets/kanidm-tls-key.age
+++ b/secrets/kanidm-tls-key.age
--- a/secrets/openid-proxy-env.age
+++ b/secrets/openid-proxy-env.age
@ -0,0 +1,6 @@
 age-encryption.org/v1
 -> ssh-ed25519 sj88Xw em5uDRlc3WU8cHrelbBNgb1TY4DQna/GC4MvhRVCJ3U
 eqyrs56AvN4+wVjH58meq8milx1wnXRhF6bd122tlmQ
 --- U9jh49an0uX5qumssc7TXc9n+yO7b2dtZ3Y7NmjsaIE
 f<EFBFBD>ÜŽ¹êcÒôeu7¨àÜ<…Pƒ_{´‚b†TbþƒÔ‹“Næ<ŒõÀgFcò‘±öe‹MÐH<C390>h’.4¥ZÅ€TIò—¼¿<>Íß<>ù:»!ºIÚ«Ü?ä€<C3A4>ÍäÒî
 ÙqÃÇTèMâÙéMñ¢›•ÀXô53£{™Ó
¢¿ÑJ‚=æÒ&7S%„/P)¶‡ÉNJ—s±4Hûkžˆš‘|¨Ý#æ
--- a/secrets/siyuan-teidesu-authentik-env.age
+++ b/secrets/siyuan-teidesu-authentik-env.age
@ -1,6 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 sj88Xw K4t0UbmCo9hVvB3k0ut17zjnN/SrqjiCRokNy4CSvi4
 b067KvwE3J3NrXY5ZANkoUdS0UTTbkWWrCpsWtS0eP8
 --- 7cx4kHSwSvsAlAMvfM/lGr3B2QhmD6vhNdFSzLAnUuo
 fÁÏr¹rx/E×!~ õZM×Tj¸€ì@'EcnV¤sÍqØy±q<k¬¼±k˜t™1þ	wÌ¤’~(?	_bÝÐ8q ï¿•›„bˆÞgÄ4W.†óOâ,¹Çšùy‰º$Û9°(^
 rÐ
--- a/secrets/siyuan-teidesu-proxy-env.age
+++ b/secrets/siyuan-teidesu-proxy-env.age