Replace Authelia with Authentik

2025-02-10 22:51:18 +01:00 · 2025-02-10 22:51:18 +01:00 · 81b553c8b0
commit 81b553c8b0
parent b09ce94621
13 changed files with 117 additions and 313 deletions
--- a/modules/authelia.nix
+++ b/modules/authelia.nix
@ -1,227 +0,0 @@
-{
-  nixhelm,
-  system,
-  config,
-  lib,
-  ...
-}: {
-  options.authelia.enable = lib.mkEnableOption "authelia";
-
-  config = lib.mkIf config.authelia.enable {
-    kubernetes = {
-      helm.releases.authelia = {
-        chart = nixhelm.chartsDerivations.${system}.authelia.authelia;
-        includeCRDs = true;
-        namespace = "authelia";
-
-        values = {
-          pod = {
-            kind = "Deployment";
-            replicas = 1;
-
-            extraVolumes = [
-              {
-                name = "data";
-                persistentVolumeClaim.claimName = "data";
-              }
-            ];
-
-            extraVolumeMounts = [
-              {
-                name = "data";
-                mountPath = "/storage";
-              }
-            ];
-          };
-
-          secret.additionalSecrets.authelia.items = [
-            {
-              key = "storage";
-              path = "storage";
-            }
-            {
-              key = "session";
-              path = "session";
-            }
-            {
-              key = "users";
-              path = "users";
-            }
-            {
-              key = "smtpPassword";
-              path = "smtpPassword";
-            }
-            {
-              key = "oidc_hmac_secret";
-              path = "oidc_hmac_secret";
-            }
-            {
-              key = "oidc_jwk_rs256_private";
-              path = "oidc.jwk.RS256.pem";
-            }
-            {
-              key = "freshrss_client_secret";
-              path = "freshrss_client_secret";
-            }
-            {
-              key = "hedgedoc_client_secret";
-              path = "hedgedoc_client_secret";
-            }
-          ];
-
-          configMap = {
-            identity_providers.oidc = {
-              enabled = true;
-
-              hmac_secret = {
-                secret_name = "authelia";
-                path = "oidc_hmac_secret";
-              };
-
-              jwks = [
-                {
-                  algorithm = "RS256";
-                  key.path = "/secrets/authelia/oidc.jwk.RS256.pem";
-                }
-              ];
-
-              clients = [
-                {
-                  client_id = "HDp48U5TaX-3gWKNEfHx5ea2C7gfaQm-OsSWREq4WTzln56IBGy.rT61lq9rF-LTZFlWOd44";
-                  client_name = "FreshRSS";
-                  client_secret.path = "/secrets/authelia/freshrss_client_secret";
-                  public = false;
-                  authorization_policy = "two_factor";
-                  redirect_uris = ["https://freshrss.griffin-mermaid.ts.net/i/oidc/"];
-                  scopes = ["openid" "groups" "email" "profile"];
-                  userinfo_signed_response_alg = "none";
-                  token_endpoint_auth_method = "client_secret_basic";
-                  consent_mode = "implicit";
-                }
-                {
-                  client_id = "ZZI33JnLIuGk58HPkN_YEfETxNTz-1Mq--YPu9Sa6Y39BwykY0GDmxBVn1w9X70fIHT09xHq";
-                  client_name = "HedgeDoc";
-                  client_secret.path = "/secrets/authelia/hedgedoc_client_secret";
-                  public = false;
-                  authorization_policy = "two_factor";
-                  redirect_uris = ["https://md.kun.is/auth/oauth2/callback"];
-                  scopes = ["openid" "profile" "email" "groups"];
-                  userinfo_signed_response_alg = "none";
-                  token_endpoint_auth_method = "client_secret_post";
-                  consent_mode = "implicit";
-                }
-              ];
-            };
-
-            access_control = {
-              default_policy = "one_factor";
-
-              rules = [
-                {
-                  domain = "cyberchef.kun.is";
-                  policy = "two_factor";
-                }
-              ];
-            };
-
-            authentication_backend = {
-              password_reset.disable = true;
-              ldap.enabled = false;
-
-              file = {
-                enabled = true;
-                path = "/secrets/authelia/users";
-                search.email = true;
-                password.algorithm = "argon2";
-              };
-            };
-
-            storage = {
-              encryption_key = {
-                secret_name = "authelia";
-                path = "storage";
-              };
-
-              local = {
-                enabled = true;
-                path = "/storage/database.sqlite";
-              };
-            };
-
-            session = {
-              encryption_key = {
-                secret_name = "authelia";
-                path = "session";
-              };
-
-              cookies = [
-                {
-                  domain = "kun.is";
-                  subdomain = "auth";
-                }
-              ];
-            };
-
-            notifier = {
-              filesystem.enabled = false;
-
-              smtp = {
-                enabled = true;
-                address = "submission://mail.smtp2go.com:2525";
-                identifier = "auth.kun.is";
-                sender = "Authelia <authelia@kun.is>";
-                username = "uxY88HYzbBTAoWYm4PUxpT76u";
-
-                password = {
-                  secret_name = "authelia";
-                  path = "smtpPassword";
-                };
-              };
-            };
-          };
-        };
-      };
-
-      resources = {
-        deployments.authelia.spec = {
-          strategy = {
-            type = "RollingUpdate";
-
-            rollingUpdate = {
-              maxSurge = lib.mkForce 0;
-              maxUnavailable = lib.mkForce 1;
-            };
-          };
-        };
-
-        secrets.authelia.stringData = {
-          storage = "ref+sops://secrets.yml#/authelia/encryption_keys/storage";
-          session = "ref+sops://secrets.yml#/authelia/encryption_keys/session";
-          smtpPassword = "ref+sops://secrets.yml#/authelia/smtpPassword";
-          users = "ref+sops://secrets.yml#/authelia/users";
-          oidc_hmac_secret = "ref+sops://secrets.yml#/authelia/oidc/hmac_secret";
-          oidc_jwk_rs256_private = "ref+sops://secrets.yml#/authelia/oidc/jwk_rs256/private";
-          oidc_jwk_rs256_public = "ref+sops://secrets.yml#/authelia/oidc/jwk_rs256/public";
-          freshrss_client_secret = "ref+sops://secrets.yml#/freshrss/oidc/client_secret/digest";
-          hedgedoc_client_secret = "ref+sops://secrets.yml#/hedgedoc/oidc/client_secret/digest";
-        };
-      };
-    };
-
-    lab = {
-      ingresses.authelia = {
-        host = "auth.kun.is";
-
-        service = {
-          name = "authelia";
-          portName = "http";
-        };
-      };
-
-      longhorn.persistentVolumeClaim.data = {
-        volumeName = "authelia";
-        storage = "100Mi";
-      };
-    };
-  };
-}
--- a/modules/authentik.nix
+++ b/modules/authentik.nix
@ -0,0 +1,78 @@
+{
+  nixhelm,
+  system,
+  config,
+  lib,
+  ...
+}: {
+  options.authentik.enable = lib.mkEnableOption "authentik";
+
+  config = lib.mkIf config.authentik.enable {
+    kubernetes = {
+      helm.releases.authentik = {
+        chart = nixhelm.chartsDerivations.${system}.authentik.authentik;
+        includeCRDs = true;
+        namespace = "authentik";
+
+        values = {
+          authentik = {
+            secret_key = "ref+sops://secrets.yml#/authentik/secret_key";
+            postgresql.password = "ref+sops://secrets.yml#/authentik/postgresql_password";
+          };
+
+          postgresql = {
+            enabled = true;
+            auth.password = "ref+sops://secrets.yml#/authentik/postgresql_password";
+            primary.persistence.existingClaim = "db";
+          };
+
+          redis = {
+            enabled = true;
+            master.persistence.existingClaim = "redis";
+          };
+
+          email = {
+            host = "mail.smtp2go.com";
+            port = 2525;
+            username = "ref+sops://secrets.yml#/smtp2go/username";
+            password = "ref+sops://secrets.yml#/smtp2go/password";
+            from = "Authentik <authentik@kun.is>";
+          };
+        };
+      };
+    };
+
+    lab = {
+      longhorn.persistentVolumeClaim = {
+        db = {
+          volumeName = "authentik-db";
+          storage = "10Gi";
+        };
+
+        redis = {
+          volumeName = "authentik-redis";
+          storage = "5Gi";
+        };
+      };
+
+      ingresses.authentik = {
+        host = "authentik.kun.is";
+
+        service = {
+          name = "authentik-server";
+          portName = "http";
+        };
+      };
+
+      tailscaleIngresses = {
+        tailscale-authentik = {
+          host = "authentik";
+          service = {
+            name = "authentik-server";
+            portName = "http";
+          };
+        };
+      };
+    };
+  };
+}
--- a/modules/bootstrap-default.nix
+++ b/modules/bootstrap-default.nix
@ -62,7 +62,7 @@
          minecraft = {};
          tailscale = {};
          ntfy = {};
-          authelia = {};
+          authentik = {};
        };

        nodes =
@ -126,8 +126,9 @@
        minecraft.storage = "1Gi";
        ntfy.storage = "300Mi";
        deluge.storage = "500Mi";
-        authelia.storage = "100Mi";
        keepassxc.storage = "100Mi";
+        authentik-db.storage = "10Gi";
+        authentik-redis.storage = "5Gi";
      };

      tailscaleIngresses.tailscale-longhorn = {
--- a/modules/cyberchef.nix
+++ b/modules/cyberchef.nix
@ -31,8 +31,6 @@
          targetPort = "web";
        };
      };
-
-      ingresses.cyberchef.metadata.annotations."traefik.ingress.kubernetes.io/router.middlewares" = "kube-system-forwardauth-authelia@kubernetescrd";
    };

    lab.ingresses.cyberchef = {
--- a/modules/default.nix
+++ b/modules/default.nix
@ -29,6 +29,6 @@
    ./tailscale.nix
    ./ntfy.nix
    ./minecraft.nix
-    ./authelia.nix
+    ./authentik.nix
  ];
 }
--- a/modules/freshrss.nix
+++ b/modules/freshrss.nix
@ -37,13 +37,12 @@
                ADMIN_EMAIL.value = "pim@kunis.nl";
                PUBLISHED_PORT.value = "443";
                OIDC_ENABLED.value = "1";
-                OIDC_PROVIDER_METADATA_URL.value = "https://auth.kun.is/.well-known/openid-configuration";
-                OIDC_CLIENT_ID.value = "HDp48U5TaX-3gWKNEfHx5ea2C7gfaQm-OsSWREq4WTzln56IBGy.rT61lq9rF-LTZFlWOd44";
-                OIDC_CLIENT_SECRET.value = "ref+sops://secrets.yml#/freshrss/oidc/client_secret/password";
-                OIDC_CLIENT_CRYPTO_KEY.value = "ref+sops://secrets.yml#/freshrss/oidc/crypto_key";
-                OIDC_REMOTE_USER_CLAIM.value = "preferred_username";
-                OIDC_SCOPES.value = "openid groups email profile";
-                OIDC_X_FORWARDED_HEADERS.value = "X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto";
+                OIDC_PROVIDER_METADATA_URL.value = "https://authentik.kun.is/application/o/freshrss/.well-known/openid-configuration";
+                OIDC_CLIENT_ID.value = "5J2L7Ufq4KMayQ8qrqxHCslxHWL2SXNMKJmsbbiQ";
+                OIDC_CLIENT_SECRET.value = "ref+sops://secrets.yml#/authentik/oauth2/freshrss/client_secret";
+                OIDC_CLIENT_CRYPTO_KEY.value = "ref+sops://secrets.yml#/freshrss/oidc_crypto_key";
+                OIDC_SCOPES.value = "openid email profile";
+                OIDC_X_FORWARDED_HEADERS.value = "X-Forwarded-Port X-Forwarded-Proto X-Forwarded-Host";

                ADMIN_PASSWORD.valueFrom.secretKeyRef = {
                  name = "server";
--- a/modules/hedgedoc.nix
+++ b/modules/hedgedoc.nix
@ -54,18 +54,16 @@
                  CMD_PROTOCOL_USESSL.value = "true";
                  CMD_CSP_ENABLE.value = "false";

-                  CMD_OAUTH2_PROVIDERNAME.value = "Authelia";
-                  CMD_OAUTH2_AUTHORIZATION_URL.value = "https://auth.kun.is/api/oidc/authorization";
-                  CMD_OAUTH2_TOKEN_URL.value = "https://auth.kun.is/api/oidc/token";
-                  CMD_OAUTH2_USER_PROFILE_URL.value = "https://auth.kun.is/api/oidc/userinfo";
-                  CMD_OAUTH2_CLIENT_ID.value = "ZZI33JnLIuGk58HPkN_YEfETxNTz-1Mq--YPu9Sa6Y39BwykY0GDmxBVn1w9X70fIHT09xHq";
-                  CMD_OAUTH2_CLIENT_SECRET.value = "ref+sops://secrets.yml#/hedgedoc/oidc/client_secret/password";
-                  CMD_OAUTH2_SCOPE.value = "openid email profile groups";
+                  CMD_OAUTH2_PROVIDERNAME.value = "Authentik";
+                  CMD_OAUTH2_CLIENT_ID.value = "ZF56062l4BPnq2INv2zaO9cEiE6sAj7CrxbWhExj";
+                  CMD_OAUTH2_CLIENT_SECRET.value = "ref+sops://secrets.yml#/authentik/oauth2/hedgedoc/client_secret";
+                  CMD_OAUTH2_SCOPE.value = "openid email profile";
+                  CMD_OAUTH2_USER_PROFILE_URL.value = "https://authentik.kun.is/application/o/userinfo/";
+                  CMD_OAUTH2_TOKEN_URL.value = "https://authentik.kun.is/application/o/token/";
+                  CMD_OAUTH2_AUTHORIZATION_URL.value = "https://authentik.kun.is/application/o/authorize/";
                  CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR.value = "preferred_username";
                  CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR.value = "name";
                  CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR.value = "email";
-                  CMD_OAUTH2_ROLES_CLAIM.value = "groups";
-                  CMD_OAUTH2_ACCESS_ROLE.value = "hedgedoc";

                  CMD_DB_URL.valueFrom.secretKeyRef = {
                    name = "hedgedoc";
--- a/modules/traefik.nix
+++ b/modules/traefik.nix
@ -61,24 +61,6 @@
          };
        };
      };
-
-      middlewares.forwardauth-authelia = {
-        metadata.labels = {
-          "app.kubernetes.io/instance" = "authelia";
-          "app.kubernetes.io/name" = "authelia";
-        };
-
-        spec.forwardAuth = {
-          address = "http://authelia.authelia.svc.cluster.local/api/authz/forward-auth";
-
-          authResponseHeaders = [
-            "Remote-User"
-            "Remote-Groups"
-            "Remote-Email"
-            "Remote-Name"
-          ];
-        };
-      };
    };

    lab = {