From 9da3485bfd0542e73381adb3386a15cacc92daae Mon Sep 17 00:00:00 2001
From: Eli Ribble
Date: Fri, 18 Jul 2025 15:44:34 +0000
Subject: [PATCH] Add the authentik secrets to the authentik module

---
 .sops.yaml | 2 ++
 README.md | 24 ++++++++++++++++++++++++
 host/test-corp/configuration.nix | 1 +
 modules/system/authentik.nix | 22 ++++++++++++++++++++++
 modules/system/default.nix | 1 +
 5 files changed, 50 insertions(+)
 create mode 100644 modules/system/authentik.nix

diff --git a/.sops.yaml b/.sops.yaml
index d6a3241..7452033 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,10 +1,12 @@
 keys:
 - &pazuzu_local age15y4k929zaj9fdg3vd40pa40tgvrgv9mn22xfummn5zxfmkcw5d0st6prjx
+ - &server_test_corp age1lzzlx60f9ra4evdkn4l9px735mz7uxml5467ptzc4hg3t86gn9mq3ddsxy
 creation_rules:
 - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
 key_groups:
 - age:
 - *pazuzu_local
+ - *server_test_corp
 - path_regex: host/pazuzu/secrets/[^/]+\.(yaml|json|env|ini)$
 key_groups:
 - age:
diff --git a/README.md b/README.md
index 7b520ab..b6fd9eb 100644
--- a/README.md
+++ b/README.md
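Review bot: Appending `*server_test_corp` to the generic `secrets/` rule lets the test-corp host decrypt every file matching `secrets/[^/]+\.(yaml|json|env|ini)$`, not only the authentik secret this commit introduces. The file already scopes pazuzu's own material with a `host/pazuzu/secrets/` rule; a parallel `host/test-corp/secrets/` rule listing `*server_test_corp` (plus `*pazuzu_local` so a dev machine can still edit) would keep the new host to the secrets it actually needs. If the shared rule is intended, note that editing `.sops.yaml` does not re-encrypt existing files — each one must be re-keyed with `sops updatekeys` before the host can read it, and the host's age recipient, derived from its SSH host key, has to be rotated here if that key is ever regenerated.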
@@ -44,6 +44,30 @@ $ digitalocean/create-droplet.sh
 ### Convert to NixOS with nixos-anywhere
+```
+$ nix run github:nix-community/nixos-anywhere -- --flake nixos-anywhere#digitalocean --target-host root@1.2.3.4
+```
+
+This will take a while, maybe 20 minutes, but after you'll have a fully-functioning NixOS system with the correct SSH keys.
+
+### Adding a new host to the secrets
+
+The host should create its own new ssh host key that lives at `/etc/ssh/ssh_host_ed25519_key.pub`. We're going to convert that into a sops key and add it to our key material.
+
+On the server you just added run:
+
+```
+$ nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
+age1lzzlx60f9ra4evdkn4l9px735mz7uxml5467ptzc4hg3t86gn9mq3ddsxy
+```
+
+This will produce an age key. Copy that into `.sops.yaml`. You'll want to add it to the list of keys at the top, then add it to any sections that the host should be able to read. Once that's done you'll need to add the key into each secret file's encryption with the following on a dev machine:
+
+```
+$ nix-shell -p sops --run "sops updatekeys secrets/example.yaml"
+```
+
+See [the official sops-nix docs](https://github.com/Mic92/sops-nix/blob/master/README.md) for details.
 ## Successful avenues of exploration
diff --git a/host/test-corp/configuration.nix b/host/test-corp/configuration.nix
index 080ffab..da3461e 100644
--- a/host/test-corp/configuration.nix
+++ b/host/test-corp/configuration.nix
@@ -5,6 +5,7 @@
 ];
 myModules = {
+ authentik.enable = true;
 cloud-init.enable = true;
 do-agent.enable = true;
 podman.enable = true;
diff --git a/modules/system/authentik.nix b/modules/system/authentik.nix
new file mode 100644
index 0000000..670d808
--- /dev/null
+++ b/modules/system/authentik.nix
@@ -0,0 +1,22 @@
+{ pkgs, lib, config, ... }:
+with lib;
+{
+ options.myModules.authentik.enable = mkEnableOption "custom authentik configuration";
+
+ config = mkIf config.myModules.authentik.enable {
+ sops.secrets.authentik-env = {
+ format = "ini";
+ group = "authentik";
+ mode = "0440";
+ owner = "authentik";
+ restartUnits = ["authentik"];
+ sopsFile = ../../secrets/authentik.ini;
+ };
+ users.groups.authentik = {};
+ users.users.authentik = {
+ group = "authentik";
+ isNormalUser = false;
+ isSystemUser = true;
+ };
+ };
+}
diff --git a/modules/system/default.nix b/modules/system/default.nix
index 1a47a66..1484759 100644
--- a/modules/system/default.nix
+++ b/modules/system/default.nix
@@ -1,5 +1,6 @@
 {
 imports = [
+ ./authentik.nix
 ./base.nix
 ./cloud-init.nix
 ./do-agent.nix
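Review bot: `restartUnits = ["authentik"];` names the unit without its `.service` suffix, while sops-nix's documented form is the full unit name, `restartUnits = [ "authentik.service" ];`; confirm the bare name is matched by the activation restart list, or the service will keep running against a stale decrypted file after a secret rotation. `sopsFile = ../../secrets/authentik.ini` points at a file that is not part of this patch (the diffstat lists five files, none of them under `secrets/`), so evaluation on a checkout without it fails — presumably it is committed separately, but that is worth stating in the commit message. Nothing in this hunk defines an `authentik` unit, so the `owner`/`group` on the secret only achieve least privilege if whatever runs authentik (given `podman.enable` on this host, possibly a container) actually runs as this account; a one-line comment such as `# owner/group must match the account the authentik unit runs as` would make that dependency explicit. `isNormalUser = false;` is the option's default and can be dropped.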