home/kubernetes-deployments
2
0
Fork 0
Code Issues 4 Pull requests Projects Releases Packages Wiki Activity Actions

Configure Authentik auth to Immich

Browse source 
Fix secret substituion for Authentik
This commit is contained in:
Pim Kunis 2025-02-11 22:49:43 +01:00
parent 63d30455a9
commit ce635e415c
2 changed files with 27 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

32
modules/authentik.nix
View file

@ -16,28 +16,42 @@
values = {
authentik = {
secret_key = "ref+sops://secrets.yml#/authentik/secret_key";
postgresql.password = "ref+sops://secrets.yml#/authentik/postgresql_password";
email = {
host = "mail.smtp2go.com";
port = 2525;
from = "Authentik authentik@kun.is";
};
};
postgresql = {
enabled = true;
auth.password = "ref+sops://secrets.yml#/authentik/postgresql_password";
primary.persistence.existingClaim = "db";
primary.extraEnvVarsSecret = "postgresql-env";
};
redis = {
enabled = true;
master.persistence.existingClaim = "redis";
};
};
};
email = {
host = "mail.smtp2go.com";
port = 2525;
username = "ref+sops://secrets.yml#/smtp2go/username";
password = "ref+sops://secrets.yml#/smtp2go/password";
from = "Authentik <authentik@kun.is>";
};
resources = let
env = {
AUTHENTIK_POSTGRESQL__PASSWORD.value = "ref+sops://secrets.yml#/authentik/postgresql_password";
AUTHENTIK_SECRET_KEY.value = "ref+sops://secrets.yml#/authentik/secret_key";
AUTHENTIK_EMAIL__USERNAME.value = "ref+sops://secrets.yml#/smtp2go/username";
AUTHENTIK_EMAIL__PASSWORD.value = "ref+sops://secrets.yml#/smtp2go/password";
};
in {
secrets.postgresql-env.stringData = {
POSTGRES_PASSWORD = "ref+sops://secrets.yml#/authentik/postgresql_password";
};
deployments = {
authentik-server.spec.template.spec.containers.server.env = env;
authentik-worker.spec.template.spec.containers.worker.env = env;
};
};
};

6
secrets.yml
View file

@ -46,6 +46,8 @@ authentik:
client_secret: ENC[AES256_GCM,data:GgF+gQt8olzKUzGMDL6mh6UWDv49OPDH5tB/gboWkFd7Njc1SrSkqf71gQryOcPQ0vpXrh0nK1z6ZjMpmDEA5ohTwWymeLCgwNtJSAMHZ1VlZ2aQZr70r3KtAxKjmTiT5flUYnxS79fCF43BveSMGeAshRCvQmYCdi43sP2E4To=,iv:DzsIRPiMzxaqVrjaHMVKWgOR0asZQzWf8EE1nxRSJmk=,tag:79bo7EzVq9tvL6ap6jfV+Q==,type:str]
forgejo:
client_secret: ENC[AES256_GCM,data:I0LBIrsPuARFEcvu0sKhIbkEYxLhZrwpRfPls3KDARu5rnfwgbJ6AVtfMmcAIM9ISFzXykoyMXossHo1i23N90PsHdl2t580EffhJ+q/UUfCIk7/rX/6CXlcb8WHdab4ymN5r9jEsgD3mAWX55IehU96ZKGRKRhxSIowCIYRhyQ=,iv:1wQDGCDhSu0s+IqXULiHmRiKGTLRvOjwsYaNMCWfkjg=,tag:p1mwks0KP9lhbciTIv3/Dw==,type:str]
immich:
client_secret: ENC[AES256_GCM,data:KrsaLLsjfQsyNQzvQF/pCLj1dhi8tr/OdToY7WczvPUUQKMtSk//oxsiPike/HoVEuCUp+j7UlTfIRPF2xUcPPvw7pkcLhQhcot79aieI1ciIeLZ1Q5svsPrqDBmDY7g65jkzA9vjM9VLTsx4Dx/1vGHDqo7I12qadEQlKAuhhQ=,iv:3icAM7sVe2HlmosbP7VPbcF4SRz/mlbzdQ1gENR9TRs=,tag:O8TCN7NltNpDGoG3T8Ds1w==,type:str]
smtp2go:
username: ENC[AES256_GCM,data:BEr7Rq7rlGvfYEpY/ZXnhM2eClnHdqU81A==,iv:dwYD5h+C5bzS9ikUgxQ51+jRQ32TtDy2PhDbd1tpS8Q=,tag:CjjLDz5n4H28qi8jWf9S4w==,type:str]
password: ENC[AES256_GCM,data:Yys6qy6DRYo16+X+Uj9oa9otjaKBnHOtIQ==,iv:G7H9mxsODShFoVlNMwuV8O18NBG/7LTFDFdqnH83YkE=,tag:hSlYp27QMoPZwiKBqyOpKA==,type:str]
@ -73,8 +75,8 @@ sops:
azR0UkJyL0RwUVk4ZzdkSWptcDlWVjAK5FU9B5TBSnV3azO4eCv13T6i3dGGuI68
UgBrVEb1/Fv+4XTjeSEhpiOaH8sNWYoNa3Aa7uTZYlHDRWga2GC7zw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-02-11T13:15:47Z"
mac: ENC[AES256_GCM,data:IzXlag5LcmeuH43IdsTJ6pflQYr8B4GqQYXtC385E5oqnnYHUVa27zo8XZEmaL6O9ooDOmcq1rtlZaPIMgawbvfbT2r31C9Z4zuAz50ogypOKuAh+/KeKO5an9YqySM/mrFWujpVk+kExurS+BwKvgLGvKxcRrznWgqjVOEPiiE=,iv:7frEopY+a36KGfCW2/obTOym4RV5sutqKXoiszZ+OJY=,tag:w/8c0Xic/zF22qSXyC+j6A==,type:str]
lastmodified: "2025-02-11T17:44:56Z"
mac: ENC[AES256_GCM,data:YR0UTMbTjiByzocy9CTSn/veADgundo37Y8Z7MOL1HpvnaCnSiYlYRh70ODRaM73F3SaKgzPW0INKUy6T8kMq/HxlGrrIv331yG88LltR6xkalRBhP3h3mhkW75Px9iXNj8KFE4Q/eUp+Ds2/7gFo/oRryDngXoPPBqgBFupr/U=,iv:TmpXbrFY2XmBA2XwCIy6Vgbj0W0Rcn4GrJ0Ra7tSXiY=,tag:coymhw3aTjbTIAmEDdiHkw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4