From ce635e415c1d8c77aa6e0416211847e1dd0edad7 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Tue, 11 Feb 2025 22:49:43 +0100 Subject: [PATCH] Configure Authentik auth to Immich Fix secret substituion for Authentik --- modules/authentik.nix | 32 +++++++++++++++++++++++--------- secrets.yml | 6 ++++-- 2 files changed, 27 insertions(+), 11 deletions(-)
diff --git a/modules/authentik.nix b/modules/authentik.nix
index d29c715..ad09497 100644
--- a/modules/authentik.nix
+++ b/modules/authentik.nix
@@ -16,28 +16,42 @@ values = {
 authentik = {
- secret_key = "ref+sops://secrets.yml#/authentik/secret_key";
- postgresql.password = "ref+sops://secrets.yml#/authentik/postgresql_password";
+ email = {
+ host = "mail.smtp2go.com";
+ port = 2525;
+ from = "Authentik authentik@kun.is";
+ };
 };
 postgresql = {
 enabled = true;
 auth.password = "ref+sops://secrets.yml#/authentik/postgresql_password";
 primary.persistence.existingClaim = "db";
+ primary.extraEnvVarsSecret = "postgresql-env";
 };
 redis = {
 enabled = true;
 master.persistence.existingClaim = "redis";
 };
+ };
+ };
- email = {
- host = "mail.smtp2go.com";
- port = 2525;
- username = "ref+sops://secrets.yml#/smtp2go/username";
- password = "ref+sops://secrets.yml#/smtp2go/password";
- from = "Authentik ";
- };
+ resources = let
+ env = {
+ AUTHENTIK_POSTGRESQL__PASSWORD.value = "ref+sops://secrets.yml#/authentik/postgresql_password";
+ AUTHENTIK_SECRET_KEY.value = "ref+sops://secrets.yml#/authentik/secret_key";
+ AUTHENTIK_EMAIL__USERNAME.value = "ref+sops://secrets.yml#/smtp2go/username";
+ AUTHENTIK_EMAIL__PASSWORD.value = "ref+sops://secrets.yml#/smtp2go/password";
+ };
+ in {
+ secrets.postgresql-env.stringData = {
+ POSTGRES_PASSWORD = "ref+sops://secrets.yml#/authentik/postgresql_password";
+ }; deployments = {
+ authentik-server.spec.template.spec.containers.server.env = env;
+ authentik-worker.spec.template.spec.containers.worker.env = env;
 };
 };
 };
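Review bot: The four `AUTHENTIK_*` entries in `env` are plain `.value` strings, so once the `ref+sops://` references are resolved the signing secret key, the database password and the smtp2go login are written in clear text into both Deployment specs, where anyone with get/list on deployments or pods (and every place the rendered manifests are stored or logged) can read them. The hunk already creates a `postgresql-env` Secret for the database side; the Authentik side should get the same treatment, with the env entries pointing at it through `valueFrom.secretKeyRef` — whether this module's `env` schema accepts `valueFrom` next to `value` cannot be confirmed from the hunk. The same database password now lives in three places (`postgresql.auth.password`, `POSTGRES_PASSWORD` in `postgresql-env`, and `AUTHENTIK_POSTGRESQL__PASSWORD`), which deserves a comment such as `# must match postgresql.auth.password above — the chart and the extra env secret both feed the Bitnami PostgreSQL pod`. Separately, `email` sets only host, port 2525 and from; Authentik's `AUTHENTIK_EMAIL__USE_TLS` defaults to false, so unless it is set elsewhere the smtp2go credentials are sent without STARTTLS — add `use_tls = true;` under `email`. The enclosing attribute set (`values = {` and its parents) starts before the hunk.
```nix
resources = let
  secretName = "authentik-env";
  # Reference a key of the authentik-env Secret instead of embedding the value in the pod spec.
  fromSecret = key: { valueFrom.secretKeyRef = { name = secretName; inherit key; }; };
  env = {
    AUTHENTIK_POSTGRESQL__PASSWORD = fromSecret "AUTHENTIK_POSTGRESQL__PASSWORD";
    AUTHENTIK_SECRET_KEY = fromSecret "AUTHENTIK_SECRET_KEY";
    AUTHENTIK_EMAIL__USERNAME = fromSecret "AUTHENTIK_EMAIL__USERNAME";
    AUTHENTIK_EMAIL__PASSWORD = fromSecret "AUTHENTIK_EMAIL__PASSWORD";
  };
in {
  secrets.${secretName}.stringData = {
    AUTHENTIK_POSTGRESQL__PASSWORD = "ref+sops://secrets.yml#/authentik/postgresql_password";
    AUTHENTIK_SECRET_KEY = "ref+sops://secrets.yml#/authentik/secret_key";
    AUTHENTIK_EMAIL__USERNAME = "ref+sops://secrets.yml#/smtp2go/username";
    AUTHENTIK_EMAIL__PASSWORD = "ref+sops://secrets.yml#/smtp2go/password";
  };
  # … unchanged: secrets.postgresql-env and the two deployments assigning env …
```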
diff --git a/secrets.yml b/secrets.yml
index 55b771f..01ef5e8 100644
--- a/secrets.yml
+++ b/secrets.yml
@@ -46,6 +46,8 @@ authentik:
 client_secret: ENC[AES256_GCM,data:GgF+gQt8olzKUzGMDL6mh6UWDv49OPDH5tB/gboWkFd7Njc1SrSkqf71gQryOcPQ0vpXrh0nK1z6ZjMpmDEA5ohTwWymeLCgwNtJSAMHZ1VlZ2aQZr70r3KtAxKjmTiT5flUYnxS79fCF43BveSMGeAshRCvQmYCdi43sP2E4To=,iv:DzsIRPiMzxaqVrjaHMVKWgOR0asZQzWf8EE1nxRSJmk=,tag:79bo7EzVq9tvL6ap6jfV+Q==,type:str]
 forgejo:
 client_secret: ENC[AES256_GCM,data:I0LBIrsPuARFEcvu0sKhIbkEYxLhZrwpRfPls3KDARu5rnfwgbJ6AVtfMmcAIM9ISFzXykoyMXossHo1i23N90PsHdl2t580EffhJ+q/UUfCIk7/rX/6CXlcb8WHdab4ymN5r9jEsgD3mAWX55IehU96ZKGRKRhxSIowCIYRhyQ=,iv:1wQDGCDhSu0s+IqXULiHmRiKGTLRvOjwsYaNMCWfkjg=,tag:p1mwks0KP9lhbciTIv3/Dw==,type:str]
+ immich:
+ client_secret: ENC[AES256_GCM,data:KrsaLLsjfQsyNQzvQF/pCLj1dhi8tr/OdToY7WczvPUUQKMtSk//oxsiPike/HoVEuCUp+j7UlTfIRPF2xUcPPvw7pkcLhQhcot79aieI1ciIeLZ1Q5svsPrqDBmDY7g65jkzA9vjM9VLTsx4Dx/1vGHDqo7I12qadEQlKAuhhQ=,iv:3icAM7sVe2HlmosbP7VPbcF4SRz/mlbzdQ1gENR9TRs=,tag:O8TCN7NltNpDGoG3T8Ds1w==,type:str]
 smtp2go:
 username: ENC[AES256_GCM,data:BEr7Rq7rlGvfYEpY/ZXnhM2eClnHdqU81A==,iv:dwYD5h+C5bzS9ikUgxQ51+jRQ32TtDy2PhDbd1tpS8Q=,tag:CjjLDz5n4H28qi8jWf9S4w==,type:str]
 password: ENC[AES256_GCM,data:Yys6qy6DRYo16+X+Uj9oa9otjaKBnHOtIQ==,iv:G7H9mxsODShFoVlNMwuV8O18NBG/7LTFDFdqnH83YkE=,tag:hSlYp27QMoPZwiKBqyOpKA==,type:str]
@@ -73,8 +75,8 @@ sops:
 azR0UkJyL0RwUVk4ZzdkSWptcDlWVjAK5FU9B5TBSnV3azO4eCv13T6i3dGGuI68
 UgBrVEb1/Fv+4XTjeSEhpiOaH8sNWYoNa3Aa7uTZYlHDRWga2GC7zw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-02-11T13:15:47Z"
- mac: ENC[AES256_GCM,data:IzXlag5LcmeuH43IdsTJ6pflQYr8B4GqQYXtC385E5oqnnYHUVa27zo8XZEmaL6O9ooDOmcq1rtlZaPIMgawbvfbT2r31C9Z4zuAz50ogypOKuAh+/KeKO5an9YqySM/mrFWujpVk+kExurS+BwKvgLGvKxcRrznWgqjVOEPiiE=,iv:7frEopY+a36KGfCW2/obTOym4RV5sutqKXoiszZ+OJY=,tag:w/8c0Xic/zF22qSXyC+j6A==,type:str]
+ lastmodified: "2025-02-11T17:44:56Z"
+ mac: ENC[AES256_GCM,data:YR0UTMbTjiByzocy9CTSn/veADgundo37Y8Z7MOL1HpvnaCnSiYlYRh70ODRaM73F3SaKgzPW0INKUy6T8kMq/HxlGrrIv331yG88LltR6xkalRBhP3h3mhkW75Px9iXNj8KFE4Q/eUp+Ds2/7gFo/oRryDngXoPPBqgBFupr/U=,iv:TmpXbrFY2XmBA2XwCIy6Vgbj0W0Rcn4GrJ0Ra7tSXiY=,tag:coymhw3aTjbTIAmEDdiHkw==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.4