add authentik
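--- a/kubernetes/charts/authentik.nix
+++ b/kubernetes/charts/authentik.nix
@@ -0,0 +1,170 @@
+{
+services.k3s.autoDeployCharts = {
+authentik = {
+name = "authentik";
+version = "2026.2.2";
+repo = "https://charts.goauthentik.io";
+createNamespace = true;
+targetNamespace = "authentik";
+hash = "sha256-zgoaiXnO2M410oRVnJpg4KCN81psLSjVqUpV6CYowOU=";
+values = {
+server = {
+replicas = 1;
+volumeMounts = [
+{
+name = "cert-dubyatp-xyz";
+readOnly = true;
+mountPath = "/certs/dubyatp-xyz";
+}
+];
+volumes = [
+{
+name = "cert-dubyatp-xyz";
+secret = {
+defaultMode = 420; # octal 0644
+secretName = "cert-dubyatp-xyz";
+};
+}
+];
+};
+worker = {
+replicas = 0;
+};
+global = {
+env = [
+{
+name = "AUTHENTIK_SECRET_KEY";
+valueFrom.secretKeyRef = {
+name = "authentik-credentials";
+key = "authentik-secret-key";
+};
+}
+{
+name = "AUTHENTIK_POSTGRESQL__DISABLE_SERVER_SIDE_CURSORS";
+value = "true";
+}
+{
+name = "AUTHENTIK_POSTGRESQL__HOST";
+value = "weyma-bs-pgsql-rw.cloudnativepg.svc.cluster.local";
+}
+{
+name = "AUTHENTIK_POSTGRESQL__NAME";
+value = "authentik";
+}
+{
+name = "AUTHENTIK_POSTGRESQL__USER";
+value = "authentik";
+}
+{
+name = "AUTHENTIK_POSTGRESQL__PASSWORD";
+valueFrom.secretKeyRef = {
+name = "authentik-db-auth";
+key = "password";
+};
+}
+{
+name = "AUTHENTIK_EMAIL__FROM";
+value = "authentik_dubyatp@em924671.dubyatp.xyz";
+}
+{
+name = "AUTHENTIK_EMAIL__HOST";
+value = "mail.smtp2go.com";
+}
+{
+name = "AUTHENTIK_EMAIL__USE_TLS";
+value = "true";
+}
+{
+name = "AUTHENTIK_EMAIL__USERNAME";
+value = "authentik_dubyatp";
+}
+{
+name = "AUTHENTIK_EMAIL__PASSWORD";
+valueFrom.secretKeyRef = {
+name = "authentik-credentials";
+key = "smtp-password";
+};
+}
+{
+name = "AUTHENTIK_EMAIL__TIMEOUT";
+value = "30";
+}
+{
+name = "AUTHENTIK_STORAGE__BACKEND";
+value = "s3";
+}
+{
+name = "AUTHENTIK_STORAGE__S3__ENDPOINT";
+value = "https://weyma-s3.infra.dubyatp.xyz";
+}
+{
+name = "AUTHENTIK_STORAGE__S3__BUCKET_NAME";
+value = "authentik-files";
+}
+{
+name = "AUTHENTIK_STORAGE__S3__ACCESS_KEY";
+valueFrom.secretKeyRef = {
+name = "authentik-files";
+key = "AWS_ACCESS_KEY_ID";
+};
+}
+{
+name = "AUTHENTIK_STORAGE__S3__SECRET_KEY";
+valueFrom.secretKeyRef = {
+name = "authentik-files";
+key = "AWS_SECRET_ACCESS_KEY";
+};
+}
+];
+};
+additionalObjects = [
+{
+apiVersion = "networking.k8s.io/v1";
+kind = "Ingress";
+metadata.name = "authentik-ingress";
+spec = {
+ingressClassName = "traefik";
+rules = [
+{
+host = "auth.dubyatp.xyz";
+http.paths = [
+{
+backend.service = {
+name = "authentik-server";
+port.number = 80;
+};
+path = "/";
+pathType = "Prefix";
+}
+];
+}
+{
+host = "auth-bs.dubyatp.xyz";
+http.paths = [
+{
+backend.service = {
+name = "authentik-server";
+port.number = 80;
+};
+path = "/";
+pathType = "Prefix";
+}
+];
+}
+];
+tls = [
+{
+hosts = [
+"auth.dubyatp.xyz"
+"auth-bs.dubyatp.xyz"
+];
+secretName = "cert-dubyatp-xyz";
+}
+];
+};
+}
+];
+};
+};
+};
+}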
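Review bot: `replicas = 0;` in the `worker` block leaves authentik with no worker while the same values block configures outbound email and S3 storage; as far as I know authentik hands email delivery and other background jobs to the worker, so those settings would be accepted at startup but the queued tasks would never run. If a server-only deployment is intended, a comment next to the worker block saying so (and that email-dependent flows are expected not to work) would save the next reader from debugging the SMTP settings. Separately, the `cert-dubyatp-xyz` Secret is mounted with `defaultMode = 420; # octal 0644`, which makes the TLS private key readable by every uid inside the container even though `readOnly = true` is set; `defaultMode = 288; # octal 0440` (or 0400 if the server process runs as the file owner) grants only what the process needs.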
@@ -2,5 +2,6 @@
imports = [
./cloudnativepg.nix
./cert-manager.nix
./authentik.nix
];
}
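--- a/kubernetes/secrets/authentik/authentik-credentials.nix
+++ b/kubernetes/secrets/authentik/authentik-credentials.nix
@@ -0,0 +1,40 @@
+{ config, ... }:
+{
+sops.templates."authentik-credentials.yaml" = {
+mode = "0444";
+content = ''
+apiVersion: v1
+kind: Secret
+metadata:
+name: authentik-credentials
+namespace: authentik
+type: Opaque
+stringData:
+admin-password: ${config.sops.placeholder.authentik_admin_password}
+authentik-secret-key: ${config.sops.placeholder.authentik_secret_key}
+replication-password: ${config.sops.placeholder.authentik_replication_password}
+smtp-password: ${config.sops.placeholder.authentik_smtp_password}
+user-password: ${config.sops.placeholder.authentik_user_password}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+name: authentik-db-auth
+namespace: authentik
+type: Opaque
+stringData:
+password: ${config.sops.placeholder.authentik_db_password}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+name: authentik-files
+namespace: authentik
+type: Opaque
+stringData:
+AWS_ACCESS_KEY_ID: ${config.sops.placeholder.authentik_files_keyid}
+AWS_SECRET_ACCESS_KEY: ${config.sops.placeholder.authentik_files_keysecret}
+'';
+path = "/var/lib/rancher/k3s/server/manifests/secrets/authentik-credentials.yaml";
+};
+}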
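Review bot: `mode = "0444";` renders a file holding every authentik credential in plaintext (secret key, DB, SMTP and S3 keys) world-readable on the node filesystem; k3s reads its `manifests/` directory as root, so `mode = "0400";` is sufficient unless another local user must read it, and whether the parent directory already restricts access is not visible from this commit. Also, `admin-password`, `user-password` and `replication-password` are placed in the `authentik-credentials` Secret but nothing in this commit's chart values consumes them; a comment naming their consumer, or moving them into that component's own Secret, would keep this Secret scoped to what the server pod actually mounts.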
@@ -3,5 +3,6 @@
./cloudnativepg/s3-backup-creds.nix
./cloudnativepg/weyma-pgsql-replication.nix
./cert-manager/cloudflare-api-token.nix
./authentik/authentik-credentials.nix
];
}