bonusplay / authentik-nix Goto Github PK

This project forked from nix-community/authentik-nix

Nix flake with package, NixOS module and basic VM test for authentik. Trying to provide an alternative deployment mode to the officially supported docker-compose approach. Not affiliated with or officially supported by the authentik project [maintainer=@willibutz]

License: MIT License

authentik-nix

A Nix flake providing a package, NixOS module and basic VM test for authentik

Important Note

Please note that this project is not directly affiliated with the official authentik project. Most importantly this means that there is no official support for this packaging and deployment approach. Therefore, please refrain from opening issues for the official project when running into problems with this flake. Feel free to open issues here. If in doubt, please open an issue here first so we can make sure that it's not directly related to this packaging/deployment approach before escalating to the official project.

Overview

  • flake.nix This flake provides packages (server, worker, outposts, ...) as outputs, a NixOS module and a simple VM integration test for the module.
  • module.nix The NixOS module configures the authentik services, Redis and (by default) a local PostgreSQL instance. The upstream default authentik configuration can be partially overridden by setting the desired parameters under services.authentik.settings.
  • poetry2nix-python-overrides.nix Contains overrides and fixes for building the Python environment.
  • minimal-vmtest.nix A minimal NixOS VM test. It confirms that the services configured by the module start and walks through the initial setup flow. Screenshots are taken during test execution to confirm that the frontend is rendered correctly.
  • components An overridable scope containing the individual authentik components. An example of how to create a custom scope is provided in override-scope.nix.

Usage

Example configuration:

{
  services.authentik = {
    enable = true;
    # The environmentFile needs to be on the target host!
    # Best use something like sops-nix or agenix to manage it
    environmentFile = "/run/secrets/authentik/authentik-env";
    settings = {
      email = {
        host = "smtp.example.com";
        port = 587;
        username = "[email protected]";
        use_tls = true;
        use_ssl = false;
        from = "[email protected]";
      };
      disable_startup_analytics = true;
      avatars = "initials";
    };
  };
}

EnvironmentFile for secrets

The environmentFile option references a systemd EnvironmentFile. It must exist on the same host as authentik and should be readable only by root (for example owner root, mode 0400); systemd reads it before starting the service, so the service user itself does not need access to it. Secrets placed in this file stay out of the world-readable /nix/store. Do not generate the file with pkgs.writeText or similar tooling: anything produced that way is a store path, so the secrets would end up in the /nix/store after all.

After generating a secret key for authentik, for example with openssl rand -base64 32, the file's contents should look like this:

AUTHENTIK_SECRET_KEY=<generated secret key>
AUTHENTIK_EMAIL__PASSWORD=<smtp password>

Better alternatives to managing the environment file manually on the authentik host are https://github.com/Mic92/sops-nix or https://github.com/ryantm/agenix, depending on your use case. Both decrypt secrets at activation time to a root-owned path outside the /nix/store, so only the encrypted form is ever part of the configuration.
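As an added example (not code from authentik-nix or from the sops-nix project), the following NixOS module shows how the environmentFile can be supplied with sops-nix so that the decrypted file lands under /run/secrets with root-only permissions. It assumes the sops-nix NixOS module is already imported, that ./secrets/authentik.yaml is a sops-encrypted file containing an authentik-env key whose value is the dotenv content shown above, and that the host's age key lives at /var/lib/sops-nix/key.txt. The systemd unit names in restartUnits are an assumption as well; check them on the host before relying on them.

```nix
# Added example, not part of authentik-nix: wire a sops-nix secret into
# services.authentik.environmentFile.
{ config, ... }:
{
  sops = {
    # Assumption: this file was created with `sops secrets/authentik.yaml`
    # and contains a multi-line value under the key "authentik-env":
    #   authentik-env: |
    #     AUTHENTIK_SECRET_KEY=<generated secret key>
    #     AUTHENTIK_EMAIL__PASSWORD=<smtp password>
    defaultSopsFile = ./secrets/authentik.yaml;

    # Host-specific private age key. It lives on the host only, never in the
    # /nix/store, so the encrypted YAML is safe to commit.
    age.keyFile = "/var/lib/sops-nix/key.txt";

    secrets.authentik-env = {
      # Decrypted at activation time to /run/secrets/authentik-env.
      # systemd reads the EnvironmentFile before the service drops
      # privileges, so root-only permissions are sufficient.
      owner = "root";
      group = "root";
      mode = "0400";

      # Assumption: unit names as created by the module. Verify with
      # `systemctl list-units 'authentik*'` on the target host.
      restartUnits = [ "authentik.service" "authentik-worker.service" ];
    };
  };

  services.authentik = {
    enable = true;
    # Reference the runtime path of the decrypted secret rather than a
    # store path; this is the same option as in the example configuration above.
    environmentFile = config.sops.secrets.authentik-env.path;
    settings.disable_startup_analytics = true;
  };
}
```

The important property is that the only thing mentioned in the Nix configuration is the runtime path; the plaintext never passes through a derivation. agenix works the same way with age.secrets.<name>.file and config.age.secrets.<name>.path.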

With flakes

Add authentik-nix to your flake, import the module and configure it. Relevant sections of the flake:

# flake.nix
{
  inputs.authentik-nix = {
    url = "github:nix-community/authentik-nix";

    ## optional overrides. Note that using a different version of nixpkgs can cause issues, especially with python dependencies
    # inputs.nixpkgs.follows = "nixpkgs"
    # inputs.flake-parts.follows = "flake-parts"
  };

  outputs = inputs@{ ... }: {

    ## regular NixOS example
    #
    # nixosConfigurations = {
    #   authentik-host = inputs.nixpkgs.lib.nixosSystem {
    #     system = "x86_64-linux";
    #     modules = [
    #       inputs.authentik-nix.nixosModules.default
    #       {
    #         services.authentik = {
    #           # ... further configuration; see example configuration above
    #         };
    #       }
    #     ];
    #   };
    # };

    ## Colmena example
    #
    # colmena = {
    #   meta.specialArgs.inputs = { inherit (inputs) authentik-nix; };
    #
    #   authentik-host = { inputs, ... }: {
    #     imports = [ inputs.authentik-nix.nixosModules.default ];
    #
    #     services.authentik = {
    #       # ... further configuration; see example configuration above
    #     };
    #   };
    # };
  };
}

Without flakes

All packages, modules and tests are available via flake-compat and may be used without flakes. This requires some extra work, but this example NixOS configuration may help you to get started:

# configuration.nix
{ ... }:
let
  authentik-version = "2024.2.3";
  authentik-nix-src = builtins.fetchTarball {
    url = "https://github.com/nix-community/authentik-nix/archive/version/${authentik-version}.tar.gz";
    sha256 = "15b9a2csd2m3vwhj3xc24nrqnj1hal60jrd69splln0ynbnd9ki4";
  };
  authentik-nix = import authentik-nix-src;
in
{
  imports = [
    authentik-nix.nixosModules.default
  ];

  services.authentik = {
    # ...
  };

  system.stateVersion = "23.11";
}

Nginx + Let's Encrypt

Example configuration:

{
  services.authentik = {
    # other authentik options as in the example configuration at the top
    nginx = {
      enable = true;
      enableACME = true;
      host = "auth.example.com";
    };
  };
}

The configuration above lets authentik auto-discover the Let's Encrypt certificate and key. The initial auto-discovery may take a while because the authentik certificate discovery task runs once per hour.
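Added example, not part of the authentik-nix README or module: the nginx and ACME configuration above together with the NixOS-side prerequisites that are easy to miss. NixOS refuses to evaluate any ACME certificate until the CA's terms of service have been accepted and a contact address is set, and the HTTP-01 challenge used by the nginx integration requires port 80 to be reachable from the internet. The contact address and the assumption that nothing else in your configuration already sets these options are mine.

```nix
# Added example (not the module's own code): nginx + Let's Encrypt with the
# surrounding NixOS options that the services.authentik.nginx block does not set.
{
  services.authentik = {
    # other authentik options as in the example configuration at the top
    nginx = {
      enable = true;
      enableACME = true;
      host = "auth.example.com";
    };
  };

  security.acme = {
    # Without this NixOS fails an assertion for every ACME certificate.
    acceptTerms = true;
    # Assumption: your own contact address; Let's Encrypt uses it for
    # expiry and incident notifications.
    defaults.email = "[email protected]";
  };

  # Port 80 is needed for the HTTP-01 challenge, port 443 for the site itself.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
}
```

The DNS record for auth.example.com has to point at this host before the first activation; otherwise the challenge fails and the nginx virtual host comes up without a valid certificate until the ACME timer retries.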

Testing

To run the tests execute the following:

nix flake check --print-build-logs

License

This project is released under the terms of the MIT License. See LICENSE. Consult the upstream project for information about authentik licensing.

Contributors

willibutz, fpletz, marcelcoding, shokinn, ma27, xanderio