Add the authentik secrets to the authentik module

2025-07-18 15:44:34 +00:00 · 2025-07-18 15:44:34 +00:00 · 9da3485bfd
commit 9da3485bfd
parent 859ae228d6
5 changed files with 50 additions and 0 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -1,10 +1,12 @@
 keys:
  - &pazuzu_local age15y4k929zaj9fdg3vd40pa40tgvrgv9mn22xfummn5zxfmkcw5d0st6prjx
+  - &server_test_corp age1lzzlx60f9ra4evdkn4l9px735mz7uxml5467ptzc4hg3t86gn9mq3ddsxy
 creation_rules:
  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
    key_groups:
    - age:
      - *pazuzu_local
+      - *server_test_corp
  - path_regex: host/pazuzu/secrets/[^/]+\.(yaml|json|env|ini)$
    key_groups:
    - age:
--- a/README.md
+++ b/README.md
@ -44,6 +44,30 @@ $ digitalocean/create-droplet.sh

 ### Convert to NixOS with nixos-anywhere

+```
+$ nix run github:nix-community/nixos-anywhere -- --flake nixos-anywhere#digitalocean --target-host root@1.2.3.4
+```
+
+This will take a while, maybe 20 minutes, but after you'll have a fully-functioning NixOS system with the correct SSH keys.
+
+### Adding a new host to the secrets
+
+The host should create its own new ssh host key that lives at `/etc/ssh/ssh_host_ed25519_key.pub`. We're going to convert that into a sops key and add it to our key material.
+
+On the server you just added run:
+
+```
+$ nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
+age1lzzlx60f9ra4evdkn4l9px735mz7uxml5467ptzc4hg3t86gn9mq3ddsxy
+```
+
+This will produce an age key. Copy that into `.sops.yaml`. You'll want to add it to the list of keys at the top, then add it to any sections that the host should be able to read. Once that's done you'll need to add the key into each secret file's encryption with the following on a dev machine:
+
+```
+$ nix-shell -p sops --run "sops updatekeys secrets/example.yaml"
+```
+
+See [the official sops-nix docs](https://github.com/Mic92/sops-nix/blob/master/README.md) for details.

 ## Successful avenues of exploration

--- a/host/test-corp/configuration.nix
+++ b/host/test-corp/configuration.nix
@ -5,6 +5,7 @@
 	];

 	myModules = {
+		authentik.enable = true;
 		cloud-init.enable = true;
 		do-agent.enable = true;
 		podman.enable = true;
--- a/modules/system/authentik.nix
+++ b/modules/system/authentik.nix
@ -0,0 +1,22 @@
+{ pkgs, lib, config, ... }:
+with lib;
+{
+	options.myModules.authentik.enable = mkEnableOption "custom authentik configuration";
+
+	config = mkIf config.myModules.authentik.enable {
+		sops.secrets.authentik-env = {
+			format = "ini";
+			group = "authentik";
+			mode = "0440";
+			owner = "authentik";
+			restartUnits = ["authentik"];
+			sopsFile = ../../secrets/authentik.ini;
+		};
+		users.groups.authentik = {};
+		users.users.authentik = {
+			group = "authentik";
+			isNormalUser = false;
+			isSystemUser = true;
+		};
+	};
+}
--- a/modules/system/default.nix
+++ b/modules/system/default.nix
@ -1,5 +1,6 @@
 {
 	imports = [
+		./authentik.nix
 		./base.nix
 		./cloud-init.nix
 		./do-agent.nix