diff --git a/modules/server/containers/apps/authentik.nix b/modules/server/containers/apps/authentik.nix index 377da12..b5fafc0 100644 --- a/modules/server/containers/apps/authentik.nix +++ b/modules/server/containers/apps/authentik.nix @@ -79,45 +79,12 @@ in { setup = { - trigger="worker"; + trigger = "worker"; script = pkgs.writeShellScript "setup" '' # Define the command wrapper - AK="${pkgs.podman}/bin/podman --events-backend=none exec -u root authentik-worker ak" - - $AK shell < /dev/null 2>&1; do @@ -71,10 +71,11 @@ in { if [ -z "$INSTALLED" ]; then echo "Running first-time setup..." - # $OCC maintenance:install \ - # --admin-user "admin" \ - # --admin-pass "adminpassword" - + $OCC maintenance:install \ + --admin-user "$DEFAULT_ADMIN_USERNAME" \ + --admin-pass "$DEFAULT_ADMIN_PASSWORD" + fi + if [ -z "$INSTALLED" ]; then echo "Applying Settings..." $OCC config:system:set default_phone_region --value="CH" diff --git a/modules/server/containers/data/authentik/authentik.yaml b/modules/server/containers/data/authentik/authentik.yaml new file mode 100644 index 0000000..f6de384 --- /dev/null +++ b/modules/server/containers/data/authentik/authentik.yaml 
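Review bot: In the `$OCC maintenance:install` call the admin password now travels as a command-line argument, so for the lifetime of that process it is readable from the process table (`ps`, `/proc/*/cmdline`) by every local user, and nothing guards against the variables being unset, in which case the install would be attempted with an empty user and password. I'd fail fast before the call with `: "${DEFAULT_ADMIN_USERNAME:?not set}" "${DEFAULT_ADMIN_PASSWORD:?not set}"`, and check whether the occ command (or the `$OCC` wrapper, which I can't see here) can take the password from the environment or stdin instead of argv. The file header of this hunk is lost in the paste, so I'm inferring from `$OCC` that it is the Nextcloud setup script, and the loop/function it sits in starts and ends outside the hunk.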
@@ -0,0 +1,62 @@
+version: 1
+metadata:
+ name: "Initial User Setup"
+ labels:
+ blueprint-type: core
+entries:
+ # Locate the binding for the root user setup flow and disable it
+ - model: authentik_flows.flowstagebinding
+ identifiers:
+ target: "ak-root-user-fill"
+ attrs:
+ enabled: false
+
+ # Optionally, disable the default enrollment flow entirely
+ - model: authentik_flows.flow
+ identifiers:
+ slug: "default-enrollment-flow"
+ attrs:
+ designation: "enrollment"
+ enabled: false
+ # --- GROUPS ---
+ - model: authentik_core.group
+ identifiers:
+ name: "admin"
+ attrs:
+ is_superuser: true
+
+ - model: authentik_core.group
+ identifiers:
+ name: "cloud"
+ attrs:
+ is_superuser: false
+
+ - model: authentik_core.group
+ identifiers:
+ name: "dev"
+ attrs:
+ is_superuser: false
+
+ - model: authentik_core.group
+ identifiers:
+ name: "flix"
+ attrs:
+ is_superuser: false
+
+ - model: authentik_core.group
+ identifiers:
+ name: "family"
+ attrs:
+ is_superuser: false
+
+ # --- ADMIN USERS ---
+ - model: authentik_core.user
+ identifiers:
+ username: !env [DEFAULT_ADMIN_USERNAME]
+ attrs:
+ name: !env [DEFAULT_ADMIN_USERNAME]
+ email: "{{ env('DEFAULT_ADMIN_USERNAME') }}@{{ env('DOMAIN') }}"
+ password: !env [DEFAULT_ADMIN_PASSWORD]
+ path: "users"
+ groups:
+ - name: "admin"
diff --git a/modules/server/containers/default.nix b/modules/server/containers/default.nix
index eab0fc0..0e0703a 100644
--- a/modules/server/containers/default.nix
+++ b/modules/server/containers/default.nix
@@ -57,6 +57,7 @@ in
 serviceConfig = {
 Type = "oneshot";
 TimeoutStartSec = "360s";
+ EnvironmentFile = lib.mkIf (containerSet.setup.envFile != null) containerSet.setup.envFile;
 ExecStart = "${containerSet.setup.script}";
 RemainAfterExit = true;
 User = "root";
diff --git a/modules/server/sops/default.nix b/modules/server/sops/default.nix
index 361d5fe..5cec0d8 100644
--- a/modules/server/sops/default.nix
+++ b/modules/server/sops/default.nix
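Review bot: The `authentik_core.user` entry sets `password: !env [DEFAULT_ADMIN_PASSWORD]` with the implicit default `state: present`, so unless I'm mistaken about authentik's blueprint semantics the password is re-applied every time the blueprint is (re)applied, silently reverting any later password change or rotation for that admin account; adding `state: created` to that entry makes it a one-time bootstrap that is then left alone. Also note that `!env` and the `env()` template call resolve in the authentik worker container's own environment, not in the host oneshot unit that receives the `EnvironmentFile` elsewhere in this commit, and I can't see how `DEFAULT_ADMIN_USERNAME`, `DEFAULT_ADMIN_PASSWORD` and `DOMAIN` reach the container — if they are unset there, the entry would most likely be applied with an empty username identifier. Worth a comment at the top of the entry stating where those variables are expected to come from.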
@@ -6,7 +6,10 @@ let
 allApps = lib.unique (listNames ++ containerNames);
 in{
 sops.secrets = {
- CUSTOM = { sopsFile = ./server.yaml; };
+ CUSTOM = {
+ mode = "0644";
+ sopsFile = ./server.yaml;
+ };
 } // (lib.genAttrs (map (name: lib.toUpper name) allApps) (name: {
 owner = "postgres";
 mode = "0644";
diff --git a/modules/server/sops/server.yaml b/modules/server/sops/server.yaml
index c85668e..4f76add 100644
--- a/modules/server/sops/server.yaml
+++ b/modules/server/sops/server.yaml
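Review bot: `mode = "0644"` makes the decrypted `CUSTOM` secret world-readable on the host, so any local user or compromised unprivileged service can read it — and judging by the rest of this commit it holds the admin credentials the setup unit loads via `EnvironmentFile`. The only consumer visible here is that oneshot unit, which runs with `User = "root"`, so the default root ownership with `mode = "0400";` is enough; if a non-root process also needs it, give that one an `owner`/`group` rather than opening the file to everyone. The existing `genAttrs` entries below use the same `0644` with `owner = "postgres"`, which deserves the same scrutiny, but that is outside this change.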
@@ -1,4 +1,4 @@ -CUSTOM: ENC[AES256_GCM,data:HYYOJP3ZzRWS,iv:BVwIJzfHzOxbKTrcA0yajCfIJkEjRXcztk3naqiqf6g=,tag:feuz1VIj0QWX7PpQRFO6iw==,type:str] +CUSTOM: ENC[AES256_GCM,data:PqkznntPxY6bbCZWfTubhmrg1VUoKAxk8g+VnjrTOEVDm05nnVVyd7yIoxwtk8AyZGi6xTpmTJGsxrVSdg==,iv:Qn7ml9LHoQk9W0/lVuFtkWdjqBUFDTsZcqbIKfZuvIM=,tag:kTiTQAFnmPkMB9ZQ3omCcA==,type:str] TRAEFIK: ENC[AES256_GCM,data:Ei+/OL7xwNaOEg3rSaz95N78nvp51lC63XCplNzeD+bBMGcK9G7HoyQxfpaJ7S0MkuMW0ZXT2nJ4GES40GoJCZIrnEiSBm2tpjDfNjlS/rFwxx0wVfM1nsEuBf3pL5dqiCNa9+Lad2Cd,iv:d1MH0ive+E8xuUK0CIOXZeEigHJKVGlFaq0iH4KSbZA=,tag:VTARuNeotr2I0+fdOk+iqA==,type:str] AUTHENTIK: ENC[AES256_GCM,data:dZ+Kf85ZjaZ82coYNeNOXe5zfD2M9rEeOB6jDNoaKmo3jMABhnha+iBvYJTI2NltkGzymPJQI+JV8F6GdT1l6cqcR8p0nNjQjS1BMk0rR7n8RCp6MazUTJuIjbEq6zEUrA4SXquw5gZDEp4FLo010PhoLaLinHg8OoqzjDsTxdcKevbQWmZeefDBrwXWpz6BlkRIQA3KazVb0w7l1jDTIkozUIWbvtvtk5ccGjzx3b+wCC36QYFcHHtPvFZwMDHzFPVBd90hWc/BwFfvCExONmH0S7GLFTp7I5NsBnWpT0AHUHHc5PlSR2dUy9H2DZ3IkORdNVzOaqESbYKymuWTQBDQuyI9IJdt4Cac0CV9i6p8rFXL6fQyQKZ9djHX8orpyCUeJXqFs8I6et+IzpTeZcmdv/76Q9tomBBi4k4PRMXpeff8Bn02bOSb7RSaj5NVeWxIhZkh3sEXUeva5/yrAYT30mrLpbwzWoCaKrPCPLIcFxvNrYxPUo6kVVz1jSlBurvcKefbreJGqA==,iv:Hj7aBfDLSqRBzueN8b9F9TutpjMESFloqrnirSmnH9U=,tag:1ikt1JvuhIZCx68nh/VzMA==,type:str] NEXTCLOUD: ENC[AES256_GCM,data:IWitzubILQ5SrGdO3UQZboisqAECt5lXOqHVg4yAKxedG7ZLOgVp6jPV+4VVDC13KEkxIsiYjjNvjqnOXCdYWQIC13YZ+o2IBDI9PgavBB3nmjfi0Q7BVki6C8qCtbM5H9uFlQ3h7rkPyEbE3pHa3dY5uwgdtmvw3qKf2UAZGIJCU7dKamjuTCucGitOEG434jFQik9duHZs7EV3AZrkLXqOfdvftvdpciDb/4/K7h/4uEYSXJ94Lf0b16/NRUcR,iv:1UvcbqC3hJEHU9t6Z+N226DTJEcgM315ynYkxPKpYSM=,tag:FGkXlUw+7LRu1/cpMys7OA==,type:str] 
@@ -24,8 +24,8 @@ sops: S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-05-09T10:54:06Z" - mac: ENC[AES256_GCM,data:7isR8oE5Zmx2lwSWaabGVTpWhkNkiHueSn0iVzPiGu8gReeJVlb21n2OO2JduSHMMH1pc+LNrugpRvwlGKK1OlaGPe6nYtEki2jkgn2hwnD7Q/6kTz8GoqGzWyWUbG/Y+1KsMoQb9KgfcKcOh4JLJAyNw+mgeKeD+nhWVTJY8ww=,iv:9k/HQFhM5VKi7PUkLSqk8o5TUg9e/OCs9MdeqZYpKm0=,tag:ZQJBJ60+IYufctZYMa3Oug==,type:str] + lastmodified: "2026-05-10T19:12:54Z" + mac: ENC[AES256_GCM,data:8fTlz4gYNi2grMD7PcvmNDWvXUaVU0XXNKHaCZiYc4K8vIU8CwetMb0Xq4HkfS68uyxv+3GGMexHeNiCjhEMYyja4lLHbsrJ7ypqoyZcHHfvd1aY/tqYwI5LnOaEVNZI34XFrnKdShMyeMQECz/TM9fU7rYzAWUn0E67Z192i/M=,iv:0UvfOUj/tGHIx5OjL15Y5YlrFdYseqt3FRaf6PHxF00=,tag:yVaaFFD3AHwj2QnQwSrINw==,type:str] pgp: - created_at: "2026-05-05T23:46:27Z" enc: |-