From 0173886501a9e9824c6a27e2c7c7de99f09ef051 Mon Sep 17 00:00:00 2001 From: Bereich Administration Rechentechnik Date: Wed, 22 Jan 2025 17:19:23 +0100 Subject: [PATCH] working goauthentik --- configuration.nix | 104 ++++++++++++++ flake.lock | 269 +++++++++++++++++++++++++++++++++++++ flake.nix | 34 +++++ hardware-configuration.nix | 33 +++++ 4 files changed, 440 insertions(+) create mode 100644 configuration.nix create mode 100644 flake.lock create mode 100644 flake.nix create mode 100644 hardware-configuration.nix diff --git a/configuration.nix b/configuration.nix new file mode 100644 index 0000000..ca771b5 --- /dev/null +++ b/configuration.nix @@ -0,0 +1,104 @@ +{ config, lib, pkgs, ... }: + +{ + imports = + [ + ./hardware-configuration.nix + ]; + +security.pam.loginLimits = [{ + domain = "*"; + type = "soft"; + item = "nofile"; + value = "8192"; + }]; + nix.settings.experimental-features = [ "nix-command" "flakes" ]; + nix.settings.download-buffer-size = 6710886400; + boot.loader.grub.enable = true; + boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only + + networking.hostName = "authentik"; + networking.interfaces.ens18.ipv4.addresses = [ + { + address = "10.0.0.3"; + prefixLength = 24; + } + ]; + networking.defaultGateway.address = "10.0.0.1"; + networking.nameservers = [ "141.56.1.1" "141.56.1.2" ]; + + time.timeZone = "Europe/Berlin"; + + i18n.defaultLocale = "en_US.UTF-8"; + console = { + font = "Lat2-Terminus16"; + keyMap = lib.mkForce "de"; + useXkbConfig = true; # use xkb.options in tty. + }; + + users.users.administration = { + isNormalUser = true; + extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. + packages = with pkgs; [ + ]; + }; + + environment.systemPackages = with pkgs; [ + tmux + git + htop + neovim + ]; + + services.openssh.enable = true; + services.authentik = { + enable = true; + # The environmentFile needs to be on the target host! + # Best use something like sops-nix or agenix to manage it + environmentFile = "/var/lib/authentik_secret"; + settings = { + email = { + host = "mail.stura.htw-dresden.de"; + port = 25; + username = "authentik@stura.htw-dresden.de"; + use_tls = false; + use_ssl = false; + from = "authentik@stura.htw-dresden.de"; + }; + disable_startup_analytics = true; + avatars = "initials"; + }; + }; + + # Open ports in the firewall. + networking.firewall.allowedTCPPorts = [ 389 9000 ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + # Copy the NixOS configuration file and link it from the resulting system + # (/run/current-system/configuration.nix). This is useful in case you + # accidentally delete configuration.nix. + # system.copySystemConfiguration = true; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how + # to actually do that. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "24.11"; # Did you read the comment? + +} + diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..a50958f --- /dev/null +++ b/flake.lock @@ -0,0 +1,269 @@ +{ + "nodes": { + "authentik": { + "inputs": { + "authentik-src": "authentik-src", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "flake-utils": "flake-utils", + "napalm": "napalm", + "nixpkgs": "nixpkgs", + "poetry2nix": "poetry2nix", + "systems": "systems" + }, + "locked": { + "lastModified": 1736445563, + "narHash": "sha256-+f1MWPtja+LRlTHJP/i/3yxmnzo2LGtZmxtJJTdAp8o=", + "owner": "nix-community", + "repo": "authentik-nix", + "rev": "bf5a5bf42189ff5f468f0ff26c9296233a97eb6c", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "authentik-nix", + "type": "github" + } + }, + "authentik-src": { + "flake": false, + "locked": { + "lastModified": 1736440980, + "narHash": "sha256-Z3rFFrXrOKaF9NpY/fInsEbzdOWnWqLfEYl7YX9hFEU=", + "owner": "goauthentik", + "repo": "authentik", + "rev": "9d81f0598c7735e2b4616ee865ab896056a67408", + "type": "github" + }, + "original": { + "owner": "goauthentik", + "ref": "version/2024.12.2", + "repo": "authentik", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1727826117, + "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": [ + "authentik", + "systems" + ] + }, + "locked": { + "lastModified": 1726560853, + "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "napalm": { + "inputs": { + "flake-utils": [ + "authentik", + "flake-utils" + ], + "nixpkgs": [ + "authentik", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1725806412, + "narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=", + "owner": "willibutz", + "repo": "napalm", + "rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5", + "type": "github" + }, + "original": { + "owner": "willibutz", + "ref": "avoid-foldl-stack-overflow", + "repo": "napalm", + "type": "github" + } + }, + "nix-github-actions": { + "inputs": { + "nixpkgs": [ + "authentik", + "poetry2nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729742964, + "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", + "owner": "nix-community", + "repo": "nix-github-actions", + "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-github-actions", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1735834308, + "narHash": "sha256-dklw3AXr3OGO4/XT1Tu3Xz9n/we8GctZZ75ZWVqAVhk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "6df24922a1400241dae323af55f30e4318a6ca65", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-lib": { + "locked": { + "lastModified": 1727825735, + "narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1737469691, + "narHash": "sha256-nmKOgAU48S41dTPIXAq0AHZSehWUn6ZPrUKijHAMmIk=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "9e4d5190a9482a1fb9d18adf0bdb83c6e506eaab", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "poetry2nix": { + "inputs": { + "flake-utils": [ + "authentik", + "flake-utils" + ], + "nix-github-actions": "nix-github-actions", + "nixpkgs": [ + "authentik", + "nixpkgs" + ], + "systems": [ + "authentik", + "systems" + ], + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1735164664, + "narHash": "sha256-DaWy+vo3c4TQ93tfLjUgcpPaSoDw4qV4t76Y3Mhu84I=", + "owner": "nix-community", + "repo": "poetry2nix", + "rev": "1fb01e90771f762655be7e0e805516cd7fa4d58e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "poetry2nix", + "type": "github" + } + }, + "root": { + "inputs": { + "authentik": "authentik", + "nixpkgs": "nixpkgs_2" + } + }, + "systems": { + "locked": { + "lastModified": 1689347949, + "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", + "owner": "nix-systems", + "repo": "default-linux", + "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default-linux", + "type": "github" + } + }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "authentik", + "poetry2nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1730120726, + "narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "9ef337e492a5555d8e17a51c911ff1f02635be15", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..fdaa6a1 --- /dev/null +++ b/flake.nix @@ -0,0 +1,34 @@ +{ + description = "A very basic flake"; + nixConfig = { + extra-substituters = [ + + "https://nix-community.cachix.org" + ]; + trusted-public-keys = [ + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + ]; + }; + + inputs = { + nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + authentik = { + url = "github:nix-community/authentik-nix"; + #inputs.nixpkgs.follows = "nixpkgs"; + }; + }; + + outputs = { self, nixpkgs, authentik }: { + + formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt; + nixosConfigurations = { + authentik = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + ./configuration.nix + authentik.nixosModules.default + ]; + }; + }; + }; +} diff --git a/hardware-configuration.nix b/hardware-configuration.nix new file mode 100644 index 0000000..b640750 --- /dev/null +++ b/hardware-configuration.nix @@ -0,0 +1,33 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { + device = "/dev/disk/by-uuid/ca98acfb-7698-4bc2-a7a0-f24fc0fc3c46"; + fsType = "ext4"; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens18.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +}