infrastructure/black-start
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add authentik

Browse Source
This commit is contained in:
William Peebles
2026-04-08 11:20:06 -04:00
parent 8c5641e8eb
commit 58bb6ffac4
6 changed files with 231 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

170
kubernetes/charts/authentik.nix Normal file
View File

@@ -0,0 +1,170 @@
{
services.k3s.autoDeployCharts = {
authentik = {
name = "authentik";
version = "2026.2.2";
repo = "https://charts.goauthentik.io";
createNamespace = true;
targetNamespace = "authentik";
hash = "sha256-zgoaiXnO2M410oRVnJpg4KCN81psLSjVqUpV6CYowOU=";
values = {
server = {
replicas = 1;
volumeMounts = [
{
name = "cert-dubyatp-xyz";
readOnly = true;
mountPath = "/certs/dubyatp-xyz";
}
];
volumes = [
{
name = "cert-dubyatp-xyz";
secret = {
defaultMode = 420; # octal 0644
secretName = "cert-dubyatp-xyz";
};
}
];
};
worker = {
replicas = 0;
};
global = {
env = [
{
name = "AUTHENTIK_SECRET_KEY";
valueFrom.secretKeyRef = {
name = "authentik-credentials";
key = "authentik-secret-key";
};
}
{
name = "AUTHENTIK_POSTGRESQL__DISABLE_SERVER_SIDE_CURSORS";
value = "true";
}
{
name = "AUTHENTIK_POSTGRESQL__HOST";
value = "weyma-bs-pgsql-rw.cloudnativepg.svc.cluster.local";
}
{
name = "AUTHENTIK_POSTGRESQL__NAME";
value = "authentik";
}
{
name = "AUTHENTIK_POSTGRESQL__USER";
value = "authentik";
}
{
name = "AUTHENTIK_POSTGRESQL__PASSWORD";
valueFrom.secretKeyRef = {
name = "authentik-db-auth";
key = "password";
};
}
{
name = "AUTHENTIK_EMAIL__FROM";
value = "authentik_dubyatp@em924671.dubyatp.xyz";
}
{
name = "AUTHENTIK_EMAIL__HOST";
value = "mail.smtp2go.com";
}
{
name = "AUTHENTIK_EMAIL__USE_TLS";
value = "true";
}
{
name = "AUTHENTIK_EMAIL__USERNAME";
value = "authentik_dubyatp";
}
{
name = "AUTHENTIK_EMAIL__PASSWORD";
valueFrom.secretKeyRef = {
name = "authentik-credentials";
key = "smtp-password";
};
}
{
name = "AUTHENTIK_EMAIL__TIMEOUT";
value = "30";
}
{
name = "AUTHENTIK_STORAGE__BACKEND";
value = "s3";
}
{
name = "AUTHENTIK_STORAGE__S3__ENDPOINT";
value = "https://weyma-s3.infra.dubyatp.xyz";
}
{
name = "AUTHENTIK_STORAGE__S3__BUCKET_NAME";
value = "authentik-files";
}
{
name = "AUTHENTIK_STORAGE__S3__ACCESS_KEY";
valueFrom.secretKeyRef = {
name = "authentik-files";
key = "AWS_ACCESS_KEY_ID";
};
}
{
name = "AUTHENTIK_STORAGE__S3__SECRET_KEY";
valueFrom.secretKeyRef = {
name = "authentik-files";
key = "AWS_SECRET_ACCESS_KEY";
};
}
];
};
additionalObjects = [
{
apiVersion = "networking.k8s.io/v1";
kind = "Ingress";
metadata.name = "authentik-ingress";
spec = {
ingressClassName = "traefik";
rules = [
{
host = "auth.dubyatp.xyz";
http.paths = [
{
backend.service = {
name = "authentik-server";
port.number = 80;
};
path = "/";
pathType = "Prefix";
}
];
}
{
host = "auth-bs.dubyatp.xyz";
http.paths = [
{
backend.service = {
name = "authentik-server";
port.number = 80;
};
path = "/";
pathType = "Prefix";
}
];
}
];
tls = [
{
hosts = [
"auth.dubyatp.xyz"
"auth-bs.dubyatp.xyz"
];
secretName = "cert-dubyatp-xyz";
}
];
};
}
];
};
};
};
}

1
kubernetes/charts/default.nix
View File

@@ -2,5 +2,6 @@
imports = [ imports = [
./cloudnativepg.nix ./cloudnativepg.nix
./cert-manager.nix ./cert-manager.nix
./authentik.nix
]; ];
} }

40
kubernetes/secrets/authentik/authentik-credentials.nix Normal file
View File

@@ -0,0 +1,40 @@
{ config, ... }:
{
sops.templates."authentik-credentials.yaml" = {
mode = "0444";
content = ''
apiVersion: v1
kind: Secret
metadata:
name: authentik-credentials
namespace: authentik
type: Opaque
stringData:
admin-password: ${config.sops.placeholder.authentik_admin_password}
authentik-secret-key: ${config.sops.placeholder.authentik_secret_key}
replication-password: ${config.sops.placeholder.authentik_replication_password}
smtp-password: ${config.sops.placeholder.authentik_smtp_password}
user-password: ${config.sops.placeholder.authentik_user_password}
---
apiVersion: v1
kind: Secret
metadata:
name: authentik-db-auth
namespace: authentik
type: Opaque
stringData:
password: ${config.sops.placeholder.authentik_db_password}
---
apiVersion: v1
kind: Secret
metadata:
name: authentik-files
namespace: authentik
type: Opaque
stringData:
AWS_ACCESS_KEY_ID: ${config.sops.placeholder.authentik_files_keyid}
AWS_SECRET_ACCESS_KEY: ${config.sops.placeholder.authentik_files_keysecret}
'';
path = "/var/lib/rancher/k3s/server/manifests/secrets/authentik-credentials.yaml";
};
}

1
kubernetes/secrets/default.nix
View File

@@ -3,5 +3,6 @@
./cloudnativepg/s3-backup-creds.nix ./cloudnativepg/s3-backup-creds.nix
./cloudnativepg/weyma-pgsql-replication.nix ./cloudnativepg/weyma-pgsql-replication.nix
./cert-manager/cloudflare-api-token.nix ./cert-manager/cloudflare-api-token.nix
./authentik/authentik-credentials.nix
]; ];
} }

9
security/sops.nix
View File

@@ -23,6 +23,15 @@
weyma_pgsql_replication_tls_key = {}; weyma_pgsql_replication_tls_key = {};
cloudflare_api_token = {}; cloudflare_api_token = {};
authentik_admin_password = {};
authentik_secret_key = {};
authentik_replication_password = {};
authentik_smtp_password = {};
authentik_user_password = {};
authentik_db_password = {};
authentik_files_keyid = {};
authentik_files_keysecret = {};
}; };
}; };
} }

12
security/sops_nix.yaml
View File

@@ -3,6 +3,14 @@ pw_root: ENC[AES256_GCM,data:hbPcqxEFhdH4Y6KOFFCMfujL0B9uHzmNAwNNK4qLEVE=,iv:Xrw
cnpg_s3_backup_key: ENC[AES256_GCM,data:zaMuxcu2XwgkmhkYnYKeZQQwRzSEJGPT2662B7k5JHzCH4e1TEEd+A==,iv:Na2iAuqgx8UNnDvXvP3N+csqVZFTsDwqR6OKeO/b/GY=,tag:jHeFVdRdTwk83XG6T1TwGA==,type:str] cnpg_s3_backup_key: ENC[AES256_GCM,data:zaMuxcu2XwgkmhkYnYKeZQQwRzSEJGPT2662B7k5JHzCH4e1TEEd+A==,iv:Na2iAuqgx8UNnDvXvP3N+csqVZFTsDwqR6OKeO/b/GY=,tag:jHeFVdRdTwk83XG6T1TwGA==,type:str]
weyma_pgsql_replication_tls_key: ENC[AES256_GCM,data:WHCH9DJMa5/L9BCNAyfYUmgptCLu+NVtEIDjjPeb7adDUfz/fDwAUB7TOXBf19AyXaCD4NTw4IVm6UVp9/8azpAVyQ5uR5R0X3eVYAEdIHUQdOPVQsCmIQTAMwih2G41QedM3Q+gA/JRIqxX+DwtH44Celb069VmiGmlzwLbvPt9d9ZREs3KKr7p/GvVoa2atMk74/qLAKSmkAP9yZJ3q5azmmQ5/skECWmvRJ4prr/uUpIzzMIIQ6kyaafE3sKf8s/+rlsb+zT+6T527OX54xmp0QCDPQuqhEiuFvLXnqxiDwcgZ+QWbFQwj5ubCU++F3GtasCec5/wTSKa26MgNd7DvSwpQH0vdxszOoxStxNAXSouIevwFdKsvAZP60x3jWs+BcFry+cFlVrAMp5NmQ==,iv:JN+9SeyIx4kJfTiuFucLp8cKCEGeWvd3DbNeMsfeVms=,tag:GSkGD1kRmzruG0bWmxa+xA==,type:str] weyma_pgsql_replication_tls_key: ENC[AES256_GCM,data:WHCH9DJMa5/L9BCNAyfYUmgptCLu+NVtEIDjjPeb7adDUfz/fDwAUB7TOXBf19AyXaCD4NTw4IVm6UVp9/8azpAVyQ5uR5R0X3eVYAEdIHUQdOPVQsCmIQTAMwih2G41QedM3Q+gA/JRIqxX+DwtH44Celb069VmiGmlzwLbvPt9d9ZREs3KKr7p/GvVoa2atMk74/qLAKSmkAP9yZJ3q5azmmQ5/skECWmvRJ4prr/uUpIzzMIIQ6kyaafE3sKf8s/+rlsb+zT+6T527OX54xmp0QCDPQuqhEiuFvLXnqxiDwcgZ+QWbFQwj5ubCU++F3GtasCec5/wTSKa26MgNd7DvSwpQH0vdxszOoxStxNAXSouIevwFdKsvAZP60x3jWs+BcFry+cFlVrAMp5NmQ==,iv:JN+9SeyIx4kJfTiuFucLp8cKCEGeWvd3DbNeMsfeVms=,tag:GSkGD1kRmzruG0bWmxa+xA==,type:str]
cloudflare_api_token: ENC[AES256_GCM,data:luEm0zRdyUgOe4VxJ6IrTlKSf5tk4ayQn7MwbImvn2Eswzq4tXdCsQ==,iv:BoI/p2n5+RIfL6KsiOViv5RlhpCkP5ylEOf7eRBjxcw=,tag:dxN1qRoaYnCoBepWSmBRBQ==,type:str] cloudflare_api_token: ENC[AES256_GCM,data:luEm0zRdyUgOe4VxJ6IrTlKSf5tk4ayQn7MwbImvn2Eswzq4tXdCsQ==,iv:BoI/p2n5+RIfL6KsiOViv5RlhpCkP5ylEOf7eRBjxcw=,tag:dxN1qRoaYnCoBepWSmBRBQ==,type:str]
authentik_admin_password: ENC[AES256_GCM,data:TiuxIguDfhI3e+6GdqTLfqNUZ7ZigV8E4gj6Goqozgg=,iv:uVzCa6VQucQY5as3S+75r+0IGBqoFmPxUPqkjRr2KpA=,tag:pEYGLzIu8Dg4/XB3JXfn7w==,type:str]
authentik_secret_key: ENC[AES256_GCM,data:A3GKlCYuTW3nVezQ5TuI/eBbaBQLy43tqbgibTkrZiU=,iv:z4sBa9EESqYIv1IWx63dHvKSpQ7RVejsFhXFW45dTU8=,tag:PikzndBzaEmUBTcy0O+lnQ==,type:str]
authentik_replication_password: ENC[AES256_GCM,data:CXPdevPPexbK2BCCpa50EHrL3g8bQCBW/8AAMd3XppA=,iv:9L7J3NJ5b9ZDczYHTZ3LFHfURhogxCAKyIPneTuKjuw=,tag:m0BY8rYVrVF3NGsjzsOW+A==,type:str]
authentik_smtp_password: ENC[AES256_GCM,data:l0vfN1QxHWlu321XQvccpw==,iv:1nT8d+xDTZE3UOnXdAC2O72SOImeE8WRQlzM58do+9g=,tag:B9u/96C7fNbYNjIpTYLSAA==,type:str]
authentik_user_password: ENC[AES256_GCM,data:BJdiJouByTIoXYL3xn7zn6czVuXHheDdRKXKrM22PlE=,iv:0qvfgfHxUzFJGpDViMOzIDLjBwONvgUePNTE1lOKoQ8=,tag:K+8dgVwTZ+JA7yY07xoNdg==,type:str]
authentik_db_password: ENC[AES256_GCM,data:mAYOax2eC3E4lPsseD/bjPlOnL7pFavXbfArETKy,iv:hb/VBLKNc8yU6viSWm1ds4v24kpbndbKjwf4xN5/Ha8=,tag:T22wPtEvJXWfohP/lyU9YQ==,type:str]
authentik_files_keyid: ENC[AES256_GCM,data:342mVrO6ezaKAxDBWpnoFV2K5ZI=,iv:hCdivaMnEKl1zTC8BO+3EjdEPUDF0SHlev4N1tjprRo=,tag:zhiP0fZCW061HCyn6y8blw==,type:str]
authentik_files_keysecret: ENC[AES256_GCM,data:KlYmsEsvINbyzoHRuru7asAysw5c9XJPdTb+YF/hb256AifG7zfp0Q==,iv:AXV6xolmQZtHzE1FmGAuLwgg3i/mMqiTWNwnXKCUNE0=,tag:frd3kvOu91hjRljUeXViNQ==,type:str]
sops: sops:
age: age:
- recipient: age1usxppyy4nfqtlvlvj5fgcwze6yy3yyvuqadrcmwwtt5dtctfkfrqzuk5w3 - recipient: age1usxppyy4nfqtlvlvj5fgcwze6yy3yyvuqadrcmwwtt5dtctfkfrqzuk5w3
@@ -14,7 +22,7 @@ sops:
Q1VUZnpnOUh2SVQ2RC9XOG5qUTVzeWMKd4nZfXETJi1tbRrUDb938mk+OOnIru9t Q1VUZnpnOUh2SVQ2RC9XOG5qUTVzeWMKd4nZfXETJi1tbRrUDb938mk+OOnIru9t
F66KTiCc7akLC165G1ywBMShMPi5K+X9vRzGfmzUmwOHh2f4tZLBHA== F66KTiCc7akLC165G1ywBMShMPi5K+X9vRzGfmzUmwOHh2f4tZLBHA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-19T22:11:05Z" lastmodified: "2026-04-08T14:52:06Z"
mac: ENC[AES256_GCM,data:E5PsFbu3XLpqAX3x3EFEkFd9XgUeaZraSmYhjItCoAmIZE7qy1/10j2B72tGtDC0GQ5o/0cC0mkjkHqUJZjdmGUTQ2+dKC1rSBDpOsrLEMPqKgxsfxXYRRWK1zqK0tlIhDcGECWAvcq9oIArZ5yMQB88dYIZ+u/AX5PHOLvDH6Y=,iv:KP8BAqyrNzk7VwZrtJBXtpQ79ySBwQzMs3hd8S42yLc=,tag:i0USZC6KkZuoHoNjHY2rGg==,type:str] mac: ENC[AES256_GCM,data:vV04hhnzD7pFbTV3CRxFzg26cOlzWh8AxyjYRBxL8nwmk+v47ApNqciuVzYPaw8jjvPN9qWAZuEqbY2ZApQnzhDiSFAm7mxviZSpOFPL1AxEz40iweuFt/Q9C6pqtOR2cRDu5lti6HSsafbsKSi2rDlh6ycDn8A/dclvpJ1oMV0=,iv:oFA2uWg1opYYRoMvGuHrY8+Kz1x2AmOdYCKJl+V9bSY=,tag:dntYsHiwUHxEig+sNLxICA==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.12.2 version: 3.12.2