From 58bb6ffac496655e00a5097a6f2c3caaf2b43012 Mon Sep 17 00:00:00 2001
From: William P
Date: Wed, 8 Apr 2026 11:20:06 -0400
Subject: [PATCH] add authentik
---
 kubernetes/charts/authentik.nix | 170 ++++++++++++++++++
 kubernetes/charts/default.nix | 1 +
 .../authentik/authentik-credentials.nix | 40 +++++
 kubernetes/secrets/default.nix | 1 +
 security/sops.nix | 9 +
 security/sops_nix.yaml | 12 +-
 6 files changed, 231 insertions(+), 2 deletions(-)
 create mode 100644 kubernetes/charts/authentik.nix
 create mode 100644 kubernetes/secrets/authentik/authentik-credentials.nix
diff --git a/kubernetes/charts/authentik.nix b/kubernetes/charts/authentik.nix
new file mode 100644
index 0000000..fae828f
--- /dev/null
+++ b/kubernetes/charts/authentik.nix
@@ -0,0 +1,170 @@
+{
+ services.k3s.autoDeployCharts = {
+ authentik = {
+ name = "authentik";
+ version = "2026.2.2";
+ repo = "https://charts.goauthentik.io";
+ createNamespace = true;
+ targetNamespace = "authentik";
+ hash = "sha256-zgoaiXnO2M410oRVnJpg4KCN81psLSjVqUpV6CYowOU=";
+ values = {
+ server = {
+ replicas = 1;
+ volumeMounts = [
+ {
+ name = "cert-dubyatp-xyz";
+ readOnly = true;
+ mountPath = "/certs/dubyatp-xyz";
+ }
+ ];
+ volumes = [
+ {
+ name = "cert-dubyatp-xyz";
+ secret = {
+ defaultMode = 420; # octal 0644
+ secretName = "cert-dubyatp-xyz";
+ };
+ }
+ ];
+ };
+ worker = {
+ replicas = 0;
+ };
+ global = {
+ env = [
+ {
+ name = "AUTHENTIK_SECRET_KEY";
+ valueFrom.secretKeyRef = {
+ name = "authentik-credentials";
+ key = "authentik-secret-key";
+ };
+ }
+ {
+ name = "AUTHENTIK_POSTGRESQL__DISABLE_SERVER_SIDE_CURSORS";
+ value = "true";
+ }
+ {
+ name = "AUTHENTIK_POSTGRESQL__HOST";
+ value = "weyma-bs-pgsql-rw.cloudnativepg.svc.cluster.local";
+ }
+ {
+ name = "AUTHENTIK_POSTGRESQL__NAME";
+ value = "authentik";
+ }
+ {
+ name = "AUTHENTIK_POSTGRESQL__USER";
+ value = "authentik";
+ }
+ {
+ name = "AUTHENTIK_POSTGRESQL__PASSWORD";
+ valueFrom.secretKeyRef = {
+ name = "authentik-db-auth";
+ key = "password";
+ };
+ }
+ {
+ name = "AUTHENTIK_EMAIL__FROM";
+ value = "authentik_dubyatp@em924671.dubyatp.xyz";
+ }
+ {
+ name = "AUTHENTIK_EMAIL__HOST";
+ value = "mail.smtp2go.com";
+ }
+ {
+ name = "AUTHENTIK_EMAIL__USE_TLS";
+ value = "true";
+ }
+ {
+ name = "AUTHENTIK_EMAIL__USERNAME";
+ value = "authentik_dubyatp";
+ }
+ {
+ name = "AUTHENTIK_EMAIL__PASSWORD";
+ valueFrom.secretKeyRef = {
+ name = "authentik-credentials";
+ key = "smtp-password";
+ };
+ }
+ {
+ name = "AUTHENTIK_EMAIL__TIMEOUT";
+ value = "30";
+ }
+ {
+ name = "AUTHENTIK_STORAGE__BACKEND";
+ value = "s3";
+ }
+ {
+ name = "AUTHENTIK_STORAGE__S3__ENDPOINT";
+ value = "https://weyma-s3.infra.dubyatp.xyz";
+ }
+ {
+ name = "AUTHENTIK_STORAGE__S3__BUCKET_NAME";
+ value = "authentik-files";
+ }
+ {
+ name = "AUTHENTIK_STORAGE__S3__ACCESS_KEY";
+ valueFrom.secretKeyRef = {
+ name = "authentik-files";
+ key = "AWS_ACCESS_KEY_ID";
+ };
+ }
+ {
+ name = "AUTHENTIK_STORAGE__S3__SECRET_KEY";
+ valueFrom.secretKeyRef = {
+ name = "authentik-files";
+ key = "AWS_SECRET_ACCESS_KEY";
+ };
+ }
+ ];
+ };
+ additionalObjects = [
+ {
+ apiVersion = "networking.k8s.io/v1";
+ kind = "Ingress";
+ metadata.name = "authentik-ingress";
+ spec = {
+ ingressClassName = "traefik";
+ rules = [
+ {
+ host = "auth.dubyatp.xyz";
+ http.paths = [
+ {
+ backend.service = {
+ name = "authentik-server";
+ port.number = 80;
+ };
+ path = "/";
+ pathType = "Prefix";
+ }
+ ];
+ }
+ {
+ host = "auth-bs.dubyatp.xyz";
+ http.paths = [
+ {
+ backend.service = {
+ name = "authentik-server";
+ port.number = 80;
+ };
+ path = "/";
+ pathType = "Prefix";
+ }
+ ];
+ }
+ ];
+ tls = [
+ {
+ hosts = [
+ "auth.dubyatp.xyz"
+ "auth-bs.dubyatp.xyz"
+ ];
+ secretName = "cert-dubyatp-xyz";
+ }
+ ];
+ };
+ }
+ ];
+ };
+ };
+ };
+}
\ No newline at end of file
diff --git a/kubernetes/charts/default.nix b/kubernetes/charts/default.nix
index 982f8bd..675f863 100644
--- a/kubernetes/charts/default.nix
+++ b/kubernetes/charts/default.nix
@@ -2,5 +2,6 @@
 imports = [
 ./cloudnativepg.nix
 ./cert-manager.nix
+ ./authentik.nix
 ];
 }
\ No newline at end of file
diff --git a/kubernetes/secrets/authentik/authentik-credentials.nix b/kubernetes/secrets/authentik/authentik-credentials.nix
new file mode 100644
index 0000000..5fb54fb
--- /dev/null
+++ b/kubernetes/secrets/authentik/authentik-credentials.nix
@@ -0,0 +1,40 @@
+{ config, ... }:
+{
+ sops.templates."authentik-credentials.yaml" = {
+ mode = "0444";
+ content = ''
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: authentik-credentials
+ namespace: authentik
+ type: Opaque
+ stringData:
+ admin-password: ${config.sops.placeholder.authentik_admin_password}
+ authentik-secret-key: ${config.sops.placeholder.authentik_secret_key}
+ replication-password: ${config.sops.placeholder.authentik_replication_password}
+ smtp-password: ${config.sops.placeholder.authentik_smtp_password}
+ user-password: ${config.sops.placeholder.authentik_user_password}
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: authentik-db-auth
+ namespace: authentik
+ type: Opaque
+ stringData:
+ password: ${config.sops.placeholder.authentik_db_password}
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: authentik-files
+ namespace: authentik
+ type: Opaque
+ stringData:
+ AWS_ACCESS_KEY_ID: ${config.sops.placeholder.authentik_files_keyid}
+ AWS_SECRET_ACCESS_KEY: ${config.sops.placeholder.authentik_files_keysecret}
+ '';
+ path = "/var/lib/rancher/k3s/server/manifests/secrets/authentik-credentials.yaml";
+ };
+}
\ No newline at end of file
diff --git a/kubernetes/secrets/default.nix b/kubernetes/secrets/default.nix
index 40dc532..bf61af5 100644
--- a/kubernetes/secrets/default.nix
+++ b/kubernetes/secrets/default.nix
@@ -3,5 +3,6 @@
 ./cloudnativepg/s3-backup-creds.nix
 ./cloudnativepg/weyma-pgsql-replication.nix
 ./cert-manager/cloudflare-api-token.nix
+ ./authentik/authentik-credentials.nix
 ];
 }
\ No newline at end of file
diff --git a/security/sops.nix b/security/sops.nix
index 2516c0a..c77c984 100644
--- a/security/sops.nix
+++ b/security/sops.nix
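Review bot: `mode = "0444";` makes the rendered template, which holds every authentik credential in plaintext at `/var/lib/rancher/k3s/server/manifests/secrets/authentik-credentials.yaml`, readable by any local user on the node, which undoes much of the benefit of keeping them in sops. The only consumer visible here is the k3s server's manifest auto-deploy, which runs as root in a standard k3s install, so sops-nix's default `mode = "0400";` (owner root) should be sufficient; if another owner must read it, set `owner`/`group` on the template rather than widening the mode. The `admin-password`, `replication-password` and `user-password` keys are not referenced by the chart values in this commit, so a one-line comment above each stating which component consumes it would help a maintainer rotate or prune the right one later.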
@@ -23,6 +23,15 @@ weyma_pgsql_replication_tls_key = {}; cloudflare_api_token = {};
+
+ authentik_admin_password = {};
+ authentik_secret_key = {};
+ authentik_replication_password = {};
+ authentik_smtp_password = {};
+ authentik_user_password = {};
+ authentik_db_password = {};
+ authentik_files_keyid = {};
+ authentik_files_keysecret = {};
 };
 };
 }
\ No newline at end of file
diff --git a/security/sops_nix.yaml b/security/sops_nix.yaml
index 08bade3..2a7ec35 100644
--- a/security/sops_nix.yaml
+++ b/security/sops_nix.yaml
@@ -3,6 +3,14 @@ pw_root: ENC[AES256_GCM,data:hbPcqxEFhdH4Y6KOFFCMfujL0B9uHzmNAwNNK4qLEVE=,iv:Xrw
 cnpg_s3_backup_key: ENC[AES256_GCM,data:zaMuxcu2XwgkmhkYnYKeZQQwRzSEJGPT2662B7k5JHzCH4e1TEEd+A==,iv:Na2iAuqgx8UNnDvXvP3N+csqVZFTsDwqR6OKeO/b/GY=,tag:jHeFVdRdTwk83XG6T1TwGA==,type:str]
 weyma_pgsql_replication_tls_key: ENC[AES256_GCM,data:WHCH9DJMa5/L9BCNAyfYUmgptCLu+NVtEIDjjPeb7adDUfz/fDwAUB7TOXBf19AyXaCD4NTw4IVm6UVp9/8azpAVyQ5uR5R0X3eVYAEdIHUQdOPVQsCmIQTAMwih2G41QedM3Q+gA/JRIqxX+DwtH44Celb069VmiGmlzwLbvPt9d9ZREs3KKr7p/GvVoa2atMk74/qLAKSmkAP9yZJ3q5azmmQ5/skECWmvRJ4prr/uUpIzzMIIQ6kyaafE3sKf8s/+rlsb+zT+6T527OX54xmp0QCDPQuqhEiuFvLXnqxiDwcgZ+QWbFQwj5ubCU++F3GtasCec5/wTSKa26MgNd7DvSwpQH0vdxszOoxStxNAXSouIevwFdKsvAZP60x3jWs+BcFry+cFlVrAMp5NmQ==,iv:JN+9SeyIx4kJfTiuFucLp8cKCEGeWvd3DbNeMsfeVms=,tag:GSkGD1kRmzruG0bWmxa+xA==,type:str]
 cloudflare_api_token: ENC[AES256_GCM,data:luEm0zRdyUgOe4VxJ6IrTlKSf5tk4ayQn7MwbImvn2Eswzq4tXdCsQ==,iv:BoI/p2n5+RIfL6KsiOViv5RlhpCkP5ylEOf7eRBjxcw=,tag:dxN1qRoaYnCoBepWSmBRBQ==,type:str]
+authentik_admin_password: ENC[AES256_GCM,data:TiuxIguDfhI3e+6GdqTLfqNUZ7ZigV8E4gj6Goqozgg=,iv:uVzCa6VQucQY5as3S+75r+0IGBqoFmPxUPqkjRr2KpA=,tag:pEYGLzIu8Dg4/XB3JXfn7w==,type:str]
+authentik_secret_key: ENC[AES256_GCM,data:A3GKlCYuTW3nVezQ5TuI/eBbaBQLy43tqbgibTkrZiU=,iv:z4sBa9EESqYIv1IWx63dHvKSpQ7RVejsFhXFW45dTU8=,tag:PikzndBzaEmUBTcy0O+lnQ==,type:str]
+authentik_replication_password: ENC[AES256_GCM,data:CXPdevPPexbK2BCCpa50EHrL3g8bQCBW/8AAMd3XppA=,iv:9L7J3NJ5b9ZDczYHTZ3LFHfURhogxCAKyIPneTuKjuw=,tag:m0BY8rYVrVF3NGsjzsOW+A==,type:str]
+authentik_smtp_password: ENC[AES256_GCM,data:l0vfN1QxHWlu321XQvccpw==,iv:1nT8d+xDTZE3UOnXdAC2O72SOImeE8WRQlzM58do+9g=,tag:B9u/96C7fNbYNjIpTYLSAA==,type:str]
+authentik_user_password: ENC[AES256_GCM,data:BJdiJouByTIoXYL3xn7zn6czVuXHheDdRKXKrM22PlE=,iv:0qvfgfHxUzFJGpDViMOzIDLjBwONvgUePNTE1lOKoQ8=,tag:K+8dgVwTZ+JA7yY07xoNdg==,type:str]
+authentik_db_password: ENC[AES256_GCM,data:mAYOax2eC3E4lPsseD/bjPlOnL7pFavXbfArETKy,iv:hb/VBLKNc8yU6viSWm1ds4v24kpbndbKjwf4xN5/Ha8=,tag:T22wPtEvJXWfohP/lyU9YQ==,type:str]
+authentik_files_keyid: ENC[AES256_GCM,data:342mVrO6ezaKAxDBWpnoFV2K5ZI=,iv:hCdivaMnEKl1zTC8BO+3EjdEPUDF0SHlev4N1tjprRo=,tag:zhiP0fZCW061HCyn6y8blw==,type:str]
+authentik_files_keysecret: ENC[AES256_GCM,data:KlYmsEsvINbyzoHRuru7asAysw5c9XJPdTb+YF/hb256AifG7zfp0Q==,iv:AXV6xolmQZtHzE1FmGAuLwgg3i/mMqiTWNwnXKCUNE0=,tag:frd3kvOu91hjRljUeXViNQ==,type:str]
 sops:
 age:
 - recipient: age1usxppyy4nfqtlvlvj5fgcwze6yy3yyvuqadrcmwwtt5dtctfkfrqzuk5w3
@@ -14,7 +22,7 @@ sops:
 Q1VUZnpnOUh2SVQ2RC9XOG5qUTVzeWMKd4nZfXETJi1tbRrUDb938mk+OOnIru9t
 F66KTiCc7akLC165G1ywBMShMPi5K+X9vRzGfmzUmwOHh2f4tZLBHA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-03-19T22:11:05Z"
- mac: ENC[AES256_GCM,data:E5PsFbu3XLpqAX3x3EFEkFd9XgUeaZraSmYhjItCoAmIZE7qy1/10j2B72tGtDC0GQ5o/0cC0mkjkHqUJZjdmGUTQ2+dKC1rSBDpOsrLEMPqKgxsfxXYRRWK1zqK0tlIhDcGECWAvcq9oIArZ5yMQB88dYIZ+u/AX5PHOLvDH6Y=,iv:KP8BAqyrNzk7VwZrtJBXtpQ79ySBwQzMs3hd8S42yLc=,tag:i0USZC6KkZuoHoNjHY2rGg==,type:str]
+ lastmodified: "2026-04-08T14:52:06Z"
+ mac: ENC[AES256_GCM,data:vV04hhnzD7pFbTV3CRxFzg26cOlzWh8AxyjYRBxL8nwmk+v47ApNqciuVzYPaw8jjvPN9qWAZuEqbY2ZApQnzhDiSFAm7mxviZSpOFPL1AxEz40iweuFt/Q9C6pqtOR2cRDu5lti6HSsafbsKSi2rDlh6ycDn8A/dclvpJ1oMV0=,iv:oFA2uWg1opYYRoMvGuHrY8+Kz1x2AmOdYCKJl+V9bSY=,tag:dntYsHiwUHxEig+sNLxICA==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.12.2