sora/nixconfig
1
0
Fork 1
Code Issues 2 Pull Requests Actions Releases Activity

Add user setup script

Browse Source
This commit is contained in:
soraefir
2026-05-10 21:39:12 +02:00
parent 1b2a724a26
commit 09539b5866
6 changed files with 80 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
modules/server/containers/apps/authentik.nix
View File

@@ -79,45 +79,12 @@ in {
setup = { setup = {
trigger="worker"; trigger = "worker";
script = pkgs.writeShellScript "setup" '' script = pkgs.writeShellScript "setup" ''
# Define the command wrapper # Define the command wrapper
AK="${pkgs.podman}/bin/podman --events-backend=none exec -u root authentik-worker ak" AK="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.hostDomain} -u root authentik-worker ak"
$AK shell <<EOF
from authentik.core.models import Group
groups = ["admin", "cloud"]
for name in groups:
Group.objects.get_or_create(name=name)
EOF
$AK shell <<EOF
from authentik.core.models import User, Group
from authentik.managed.models import ManagedObject
# 1. Create the custom admin user
user, created = User.objects.get_or_create(
username="your_admin_name",
defaults={
"name": "System Administrator",
"email": "admin@test.helcel.net",
"is_superuser": True,
"is_staff": True,
}
)
user.set_password("your_secure_password")
user.save()
admin_group = Group.objects.get(name="admin")
user.ak_groups.add(admin_group)
ManagedObject.objects.get_or_create(
identifier="initial-setup-complete",
defaults={"model": "authentik_core.user"}
)
EOF
$AK apply_blueprint /blueprints/custom/authentik.yaml
$AK apply_blueprint /blueprints/custom/traefik.yaml $AK apply_blueprint /blueprints/custom/traefik.yaml
${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''} ${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''}

13
modules/server/containers/apps/nextcloud.nix
View File

@@ -57,10 +57,10 @@ in {
}; };
setup = { setup = {
trigger="server"; trigger = "server";
script = pkgs.writeShellScript "setup" '' script = pkgs.writeShellScript "setup" ''
# Define the command wrapper # Define the command wrapper
OCC="${pkgs.podman}/bin/podman --events-backend=none exec -u www-data nextcloud-server php occ" OCC="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.hostDomain} -u www-data nextcloud-server php occ"
echo "Waiting for Nextcloud container to start..." echo "Waiting for Nextcloud container to start..."
until $OCC status > /dev/null 2>&1; do until $OCC status > /dev/null 2>&1; do
@@ -71,10 +71,11 @@ in {
if [ -z "$INSTALLED" ]; then if [ -z "$INSTALLED" ]; then
echo "Running first-time setup..." echo "Running first-time setup..."
# $OCC maintenance:install \ $OCC maintenance:install \
# --admin-user "admin" \ --admin-user "$DEFAULT_ADMIN_USERNAME" \
# --admin-pass "adminpassword" --admin-pass "$DEFAULT_ADMIN_PASSWORD"
fi
if [ -z "$INSTALLED" ]; then
echo "Applying Settings..." echo "Applying Settings..."
$OCC config:system:set default_phone_region --value="CH" $OCC config:system:set default_phone_region --value="CH"

62
modules/server/containers/data/authentik/authentik.yaml Normal file
View File

@@ -0,0 +1,62 @@
version: 1
metadata:
name: "Initial User Setup"
labels:
blueprint-type: core
entries:
# Locate the binding for the root user setup flow and disable it
- model: authentik_flows.flowstagebinding
identifiers:
target: "ak-root-user-fill"
attrs:
enabled: false
# Optionally, disable the default enrollment flow entirely
- model: authentik_flows.flow
identifiers:
slug: "default-enrollment-flow"
attrs:
designation: "enrollment"
enabled: false
# --- GROUPS ---
- model: authentik_core.group
identifiers:
name: "admin"
attrs:
is_superuser: true
- model: authentik_core.group
identifiers:
name: "cloud"
attrs:
is_superuser: false
- model: authentik_core.group
identifiers:
name: "dev"
attrs:
is_superuser: false
- model: authentik_core.group
identifiers:
name: "flix"
attrs:
is_superuser: false
- model: authentik_core.group
identifiers:
name: "family"
attrs:
is_superuser: false
# --- ADMIN USERS ---
- model: authentik_core.user
identifiers:
username: !env [DEFAULT_ADMIN_USERNAME]
attrs:
name: !env [DEFAULT_ADMIN_USERNAME]
email: "{{ env('DEFAULT_ADMIN_USERNAME') }}@{{ env('DOMAIN') }}"
password: !env [DEFAULT_ADMIN_PASSWORD]
path: "users"
groups:
- name: "admin"

1
modules/server/containers/default.nix
View File

@@ -57,6 +57,7 @@ in
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
TimeoutStartSec = "360s"; TimeoutStartSec = "360s";
EnvironmentFile = lib.mkIf (containerSet.setup.envFile != null) containerSet.setup.envFile;
ExecStart = "${containerSet.setup.script}"; ExecStart = "${containerSet.setup.script}";
RemainAfterExit = true; RemainAfterExit = true;
User = "root"; User = "root";

5
modules/server/sops/default.nix
View File

@@ -6,7 +6,10 @@ let
allApps = lib.unique (listNames ++ containerNames); allApps = lib.unique (listNames ++ containerNames);
in{ in{
sops.secrets = { sops.secrets = {
CUSTOM = { sopsFile = ./server.yaml; }; CUSTOM = {
mode = "0644";
sopsFile = ./server.yaml;
};
} // (lib.genAttrs (map (name: lib.toUpper name) allApps) (name: { } // (lib.genAttrs (map (name: lib.toUpper name) allApps) (name: {
owner = "postgres"; owner = "postgres";
mode = "0644"; mode = "0644";

6
modules/server/sops/server.yaml
View File

@@ -1,4 +1,4 @@
CUSTOM: ENC[AES256_GCM,data:HYYOJP3ZzRWS,iv:BVwIJzfHzOxbKTrcA0yajCfIJkEjRXcztk3naqiqf6g=,tag:feuz1VIj0QWX7PpQRFO6iw==,type:str] CUSTOM: ENC[AES256_GCM,data:PqkznntPxY6bbCZWfTubhmrg1VUoKAxk8g+VnjrTOEVDm05nnVVyd7yIoxwtk8AyZGi6xTpmTJGsxrVSdg==,iv:Qn7ml9LHoQk9W0/lVuFtkWdjqBUFDTsZcqbIKfZuvIM=,tag:kTiTQAFnmPkMB9ZQ3omCcA==,type:str]
TRAEFIK: ENC[AES256_GCM,data:Ei+/OL7xwNaOEg3rSaz95N78nvp51lC63XCplNzeD+bBMGcK9G7HoyQxfpaJ7S0MkuMW0ZXT2nJ4GES40GoJCZIrnEiSBm2tpjDfNjlS/rFwxx0wVfM1nsEuBf3pL5dqiCNa9+Lad2Cd,iv:d1MH0ive+E8xuUK0CIOXZeEigHJKVGlFaq0iH4KSbZA=,tag:VTARuNeotr2I0+fdOk+iqA==,type:str] TRAEFIK: ENC[AES256_GCM,data:Ei+/OL7xwNaOEg3rSaz95N78nvp51lC63XCplNzeD+bBMGcK9G7HoyQxfpaJ7S0MkuMW0ZXT2nJ4GES40GoJCZIrnEiSBm2tpjDfNjlS/rFwxx0wVfM1nsEuBf3pL5dqiCNa9+Lad2Cd,iv:d1MH0ive+E8xuUK0CIOXZeEigHJKVGlFaq0iH4KSbZA=,tag:VTARuNeotr2I0+fdOk+iqA==,type:str]
AUTHENTIK: ENC[AES256_GCM,data:dZ+Kf85ZjaZ82coYNeNOXe5zfD2M9rEeOB6jDNoaKmo3jMABhnha+iBvYJTI2NltkGzymPJQI+JV8F6GdT1l6cqcR8p0nNjQjS1BMk0rR7n8RCp6MazUTJuIjbEq6zEUrA4SXquw5gZDEp4FLo010PhoLaLinHg8OoqzjDsTxdcKevbQWmZeefDBrwXWpz6BlkRIQA3KazVb0w7l1jDTIkozUIWbvtvtk5ccGjzx3b+wCC36QYFcHHtPvFZwMDHzFPVBd90hWc/BwFfvCExONmH0S7GLFTp7I5NsBnWpT0AHUHHc5PlSR2dUy9H2DZ3IkORdNVzOaqESbYKymuWTQBDQuyI9IJdt4Cac0CV9i6p8rFXL6fQyQKZ9djHX8orpyCUeJXqFs8I6et+IzpTeZcmdv/76Q9tomBBi4k4PRMXpeff8Bn02bOSb7RSaj5NVeWxIhZkh3sEXUeva5/yrAYT30mrLpbwzWoCaKrPCPLIcFxvNrYxPUo6kVVz1jSlBurvcKefbreJGqA==,iv:Hj7aBfDLSqRBzueN8b9F9TutpjMESFloqrnirSmnH9U=,tag:1ikt1JvuhIZCx68nh/VzMA==,type:str] AUTHENTIK: ENC[AES256_GCM,data:dZ+Kf85ZjaZ82coYNeNOXe5zfD2M9rEeOB6jDNoaKmo3jMABhnha+iBvYJTI2NltkGzymPJQI+JV8F6GdT1l6cqcR8p0nNjQjS1BMk0rR7n8RCp6MazUTJuIjbEq6zEUrA4SXquw5gZDEp4FLo010PhoLaLinHg8OoqzjDsTxdcKevbQWmZeefDBrwXWpz6BlkRIQA3KazVb0w7l1jDTIkozUIWbvtvtk5ccGjzx3b+wCC36QYFcHHtPvFZwMDHzFPVBd90hWc/BwFfvCExONmH0S7GLFTp7I5NsBnWpT0AHUHHc5PlSR2dUy9H2DZ3IkORdNVzOaqESbYKymuWTQBDQuyI9IJdt4Cac0CV9i6p8rFXL6fQyQKZ9djHX8orpyCUeJXqFs8I6et+IzpTeZcmdv/76Q9tomBBi4k4PRMXpeff8Bn02bOSb7RSaj5NVeWxIhZkh3sEXUeva5/yrAYT30mrLpbwzWoCaKrPCPLIcFxvNrYxPUo6kVVz1jSlBurvcKefbreJGqA==,iv:Hj7aBfDLSqRBzueN8b9F9TutpjMESFloqrnirSmnH9U=,tag:1ikt1JvuhIZCx68nh/VzMA==,type:str]
NEXTCLOUD: ENC[AES256_GCM,data:IWitzubILQ5SrGdO3UQZboisqAECt5lXOqHVg4yAKxedG7ZLOgVp6jPV+4VVDC13KEkxIsiYjjNvjqnOXCdYWQIC13YZ+o2IBDI9PgavBB3nmjfi0Q7BVki6C8qCtbM5H9uFlQ3h7rkPyEbE3pHa3dY5uwgdtmvw3qKf2UAZGIJCU7dKamjuTCucGitOEG434jFQik9duHZs7EV3AZrkLXqOfdvftvdpciDb/4/K7h/4uEYSXJ94Lf0b16/NRUcR,iv:1UvcbqC3hJEHU9t6Z+N226DTJEcgM315ynYkxPKpYSM=,tag:FGkXlUw+7LRu1/cpMys7OA==,type:str] NEXTCLOUD: ENC[AES256_GCM,data:IWitzubILQ5SrGdO3UQZboisqAECt5lXOqHVg4yAKxedG7ZLOgVp6jPV+4VVDC13KEkxIsiYjjNvjqnOXCdYWQIC13YZ+o2IBDI9PgavBB3nmjfi0Q7BVki6C8qCtbM5H9uFlQ3h7rkPyEbE3pHa3dY5uwgdtmvw3qKf2UAZGIJCU7dKamjuTCucGitOEG434jFQik9duHZs7EV3AZrkLXqOfdvftvdpciDb/4/K7h/4uEYSXJ94Lf0b16/NRUcR,iv:1UvcbqC3hJEHU9t6Z+N226DTJEcgM315ynYkxPKpYSM=,tag:FGkXlUw+7LRu1/cpMys7OA==,type:str]
@@ -24,8 +24,8 @@ sops:
S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk
d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA== d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-05-09T10:54:06Z" lastmodified: "2026-05-10T19:12:54Z"
mac: ENC[AES256_GCM,data:7isR8oE5Zmx2lwSWaabGVTpWhkNkiHueSn0iVzPiGu8gReeJVlb21n2OO2JduSHMMH1pc+LNrugpRvwlGKK1OlaGPe6nYtEki2jkgn2hwnD7Q/6kTz8GoqGzWyWUbG/Y+1KsMoQb9KgfcKcOh4JLJAyNw+mgeKeD+nhWVTJY8ww=,iv:9k/HQFhM5VKi7PUkLSqk8o5TUg9e/OCs9MdeqZYpKm0=,tag:ZQJBJ60+IYufctZYMa3Oug==,type:str] mac: ENC[AES256_GCM,data:8fTlz4gYNi2grMD7PcvmNDWvXUaVU0XXNKHaCZiYc4K8vIU8CwetMb0Xq4HkfS68uyxv+3GGMexHeNiCjhEMYyja4lLHbsrJ7ypqoyZcHHfvd1aY/tqYwI5LnOaEVNZI34XFrnKdShMyeMQECz/TM9fU7rYzAWUn0E67Z192i/M=,iv:0UvfOUj/tGHIx5OjL15Y5YlrFdYseqt3FRaf6PHxF00=,tag:yVaaFFD3AHwj2QnQwSrINw==,type:str]
pgp: pgp:
- created_at: "2026-05-05T23:46:27Z" - created_at: "2026-05-05T23:46:27Z"
enc: |- enc: |-