Add user setup script

2026-05-10 21:39:12 +02:00
parent 1b2a724a26
commit 09539b5866
6 changed files with 80 additions and 46 deletions
--- a/modules/server/containers/apps/authentik.nix
+++ b/modules/server/containers/apps/authentik.nix
@@ -79,45 +79,12 @@ in {


  setup = {
-    trigger="worker";
+    trigger = "worker";
    script = pkgs.writeShellScript "setup" ''
      # Define the command wrapper
-      AK="${pkgs.podman}/bin/podman --events-backend=none exec -u root authentik-worker ak"
-
-      $AK shell <<EOF
-from authentik.core.models import Group
-
-groups = ["admin", "cloud"]
-for name in groups:
-  Group.objects.get_or_create(name=name)
-EOF
-      
-      $AK shell <<EOF
-from authentik.core.models import User, Group
-from authentik.managed.models import ManagedObject
-
-# 1. Create the custom admin user
-user, created = User.objects.get_or_create(
-  username="your_admin_name",
-  defaults={
-    "name": "System Administrator",
-    "email": "admin@test.helcel.net",
-    "is_superuser": True,
-    "is_staff": True,
-  }
-)
-user.set_password("your_secure_password")
-user.save()
-
-admin_group = Group.objects.get(name="admin")
-user.ak_groups.add(admin_group)
-
-ManagedObject.objects.get_or_create(
-  identifier="initial-setup-complete",
-  defaults={"model": "authentik_core.user"}
-)
-EOF
+      AK="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.hostDomain} -u root authentik-worker ak"

+      $AK apply_blueprint /blueprints/custom/authentik.yaml
      $AK apply_blueprint /blueprints/custom/traefik.yaml
      ${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''}

--- a/modules/server/containers/apps/nextcloud.nix
+++ b/modules/server/containers/apps/nextcloud.nix
@@ -57,10 +57,10 @@ in {
  };

  setup = {
-    trigger="server";
+    trigger = "server";
    script = pkgs.writeShellScript "setup" ''
      # Define the command wrapper
-      OCC="${pkgs.podman}/bin/podman --events-backend=none exec -u www-data nextcloud-server php occ"
+      OCC="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.hostDomain} -u www-data nextcloud-server php occ"

      echo "Waiting for Nextcloud container to start..."
      until $OCC status > /dev/null 2>&1; do
@@ -71,10 +71,11 @@ in {
      if [ -z "$INSTALLED" ]; then
        echo "Running first-time setup..."
        
-        # $OCC maintenance:install \
-        #   --admin-user "admin" \
-        #   --admin-pass "adminpassword"
-
+        $OCC maintenance:install \
+          --admin-user "$DEFAULT_ADMIN_USERNAME" \
+          --admin-pass "$DEFAULT_ADMIN_PASSWORD"
+      fi
+      if [ -z "$INSTALLED" ]; then
        echo "Applying Settings..."
        
        $OCC config:system:set default_phone_region --value="CH"
--- a/modules/server/containers/data/authentik/authentik.yaml
+++ b/modules/server/containers/data/authentik/authentik.yaml
@@ -0,0 +1,62 @@
+version: 1
+metadata:
+  name: "Initial User Setup"
+  labels:
+    blueprint-type: core
+entries:
+  # Locate the binding for the root user setup flow and disable it
+  - model: authentik_flows.flowstagebinding
+    identifiers:
+      target: "ak-root-user-fill"
+    attrs:
+      enabled: false
+
+  # Optionally, disable the default enrollment flow entirely
+  - model: authentik_flows.flow
+    identifiers:
+      slug: "default-enrollment-flow"
+    attrs:
+      designation: "enrollment"
+      enabled: false
+  # --- GROUPS ---
+  - model: authentik_core.group
+    identifiers:
+      name: "admin"
+    attrs:
+      is_superuser: true
+
+  - model: authentik_core.group
+    identifiers:
+      name: "cloud"
+    attrs:
+      is_superuser: false
+
+  - model: authentik_core.group
+    identifiers:
+      name: "dev"
+    attrs:
+      is_superuser: false
+
+  - model: authentik_core.group
+    identifiers:
+      name: "flix"
+    attrs:
+      is_superuser: false
+
+  - model: authentik_core.group
+    identifiers:
+      name: "family"
+    attrs:
+      is_superuser: false
+
+  # --- ADMIN USERS ---
+  - model: authentik_core.user
+    identifiers:
+      username: !env [DEFAULT_ADMIN_USERNAME]
+    attrs:
+      name: !env [DEFAULT_ADMIN_USERNAME]
+      email: "{{ env('DEFAULT_ADMIN_USERNAME') }}@{{ env('DOMAIN') }}"
+      password: !env [DEFAULT_ADMIN_PASSWORD]
+      path: "users"
+      groups:
+        - name: "admin"
--- a/modules/server/containers/default.nix
+++ b/modules/server/containers/default.nix
@@ -57,6 +57,7 @@ in
          serviceConfig = {
            Type = "oneshot";
            TimeoutStartSec = "360s";
+            EnvironmentFile = lib.mkIf (containerSet.setup.envFile != null) containerSet.setup.envFile;
            ExecStart = "${containerSet.setup.script}";
            RemainAfterExit = true;
            User = "root";