sora/nixconfig
1
0
Fork 1
Code Issues 2 Pull Requests Actions Releases Activity

Add authentik blueprints

Browse Source
This commit is contained in:
soraefir
2026-05-10 18:29:53 +02:00
parent 9813e7d49a
commit c637fea0d0
9 changed files with 170 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
modules/server/containers/defs/authentik.nix → modules/server/containers/apps/authentik.nix
View File

@@ -2,6 +2,13 @@
let let
version = "2026.2.2"; version = "2026.2.2";
serverCfg = config.syscfg.server; serverCfg = config.syscfg.server;
authentikData = ${builder.mkData {
name = "authentik"; dir = "authentik"; vars = {
NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain or "nextcloud"}.${serverCfg.hostDomain}";
AUTHENTIK_DOMAIN = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
COOKIE_DOMAIN = "*.${serverCfg.hostDomain}";
};
}};
in { in {
paths = [{ paths = [{
path="${serverCfg.configPath}/authentik/media"; path="${serverCfg.configPath}/authentik/media";
@@ -41,6 +48,7 @@ in {
volumes = [ volumes = [
"${serverCfg.configPath}/authentik/media:/media" "${serverCfg.configPath}/authentik/media:/media"
"${serverCfg.configPath}/authentik/templates:/templates" "${serverCfg.configPath}/authentik/templates:/templates"
"${authentikData}:/blueprints/custom:ro"
]; ];
}; };
}; };
@@ -62,9 +70,24 @@ in {
volumes = [ volumes = [
"${serverCfg.configPath}/authentik/media:/media" "${serverCfg.configPath}/authentik/media:/media"
"${serverCfg.configPath}/authentik/templates:/templates" "${serverCfg.configPath}/authentik/templates:/templates"
"${authentikData}:/blueprints/custom:ro"
# "/var/run/podman/podman.sock:/var/run/docker.sock" #PODMAN GROUP FOR SOCKET ACCESS # "/var/run/podman/podman.sock:/var/run/docker.sock" #PODMAN GROUP FOR SOCKET ACCESS
]; ];
}; };
}; };
}; };
setup = {
trigger="worker";
script = pkgs.writeShellScript "setup" ''
# Define the command wrapper
AK="${pkgs.podman}/bin/podman --events-backend=none exec -u root authentik-worker ak"
$AK blueprint_apply /blueprints/custom/traefik.yaml
${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK blueprint_apply /blueprints/custom/nextcloud.yaml''}
echo "Completed Authentik Setup"
'';
};
} }

0
modules/server/containers/defs/collabora.nix → modules/server/containers/apps/collabora.nix
View File

0
modules/server/containers/defs/etherpad.nix → modules/server/containers/apps/etherpad.nix
View File

66
modules/server/containers/defs/nextcloud.nix → modules/server/containers/apps/nextcloud.nix
View File

@@ -44,7 +44,7 @@ in {
"traefik.http.middlewares.sts_headers.headers.stsIncludeSubdomains" = "true"; "traefik.http.middlewares.sts_headers.headers.stsIncludeSubdomains" = "true";
}; };
extraOptions = [ extraOptions = [
"--tmpfs=/tmp:rw,noexec,nosuid,size=256m" "--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
]; ];
overrides = { overrides = {
ports = if containerCfg.pubPort!=null && containerCfg.port!=null then [ "${toString containerCfg.pubPort}:${toString containerCfg.port}" ] else []; ports = if containerCfg.pubPort!=null && containerCfg.port!=null then [ "${toString containerCfg.pubPort}:${toString containerCfg.port}" ] else [];
@@ -85,18 +85,19 @@ in {
$OCC config:system:set default_locale --value="en_CH" $OCC config:system:set default_locale --value="en_CH"
echo "Applying Apps..." echo "Applying Apps..."
$OCC app:disable activity $OCC app:disable activity || true
$OCC app:disable app_api $OCC app:disable app_api || true
$OCC app:disable comments $OCC app:disable comments || true
$OCC app:disable firstrunwizard $OCC app:disable firstrunwizard || true
$OCC config:system:set show_first_run_wizard --type=bool --value=false $OCC config:system:set show_first_run_wizard --type=bool --value=false
$OCC app:disable nextcloud_announcements $OCC app:disable nextcloud_announcements || true
$OCC app:disable oauth2 $OCC app:disable oauth2 || true
$OCC app:disable recommendations $OCC app:disable recommendations || true
$OCC app:disable sharebymail $OCC app:disable sharebymail || true
$OCC app:disable support $OCC app:disable support || true
$OCC app:disable updatenotification $OCC app:disable survey_client || true
$OCC app:disable user_status $OCC app:disable updatenotification || true
$OCC app:disable user_status || true
$OCC app:install calendar || true $OCC app:install calendar || true
$OCC app:install calendar || true $OCC app:install calendar || true
@@ -110,11 +111,15 @@ in {
$OCC app:install ownpad || true $OCC app:install ownpad || true
$OCC app:install previewgenerator || true $OCC app:install previewgenerator || true
$OCC app:install richdocuments || true $OCC app:install richdocuments || true
${lib.optionalString (serverCfg.containers ? collabora == false) ''$OCC app:install richdocumentscode || true''}
# $OCC app:install side_menu || true # $OCC app:install side_menu || true
$OCC app:install spreed || true $OCC app:install spreed || true
# $OCC app:install user_saml || true ${lib.optionalString (serverCfg.containers ? authentik) ''$OCC app:install user_saml || true''}
echo "Applying Apps Settings..." echo "Applying Apps Settings..."
$OCC config:system:set enabledPreviewProviders --value='["OC\\Preview\\Movie", "OC\\Preview\\PNG", "OC\\Preview\\JPEG", "OC\\Preview\\GIF", "OC\\Preview\\HEIC", "OC\\Preview\\RAW"]' --type=json
$OCC config:app:set cospend allow_federation --value="yes"
${lib.optionalString (serverCfg.containers ? ethercalc) '' ${lib.optionalString (serverCfg.containers ? ethercalc) ''
$OCC config:app:set ownpad ownpad_ethercalc_enable --value="yes" $OCC config:app:set ownpad ownpad_ethercalc_enable --value="yes"
$OCC config:app:set ownpad ownpad_ethercalc_host --value="https:\/\/${serverCfg.containers.ethercalc.subdomain}.${serverCfg.hostDomain}" $OCC config:app:set ownpad ownpad_ethercalc_host --value="https:\/\/${serverCfg.containers.ethercalc.subdomain}.${serverCfg.hostDomain}"
@@ -126,17 +131,44 @@ in {
${lib.optionalString (serverCfg.containers ? collabora) '' ${lib.optionalString (serverCfg.containers ? collabora) ''
$OCC config:app:set richdocuments wopi_url --value="https://${serverCfg.containers.collabora.subdomain}.${serverCfg.hostDomain}/" $OCC config:app:set richdocuments wopi_url --value="https://${serverCfg.containers.collabora.subdomain}.${serverCfg.hostDomain}/"
$OCC config:app:set richdocuments public_wopi_url --value="https://${serverCfg.containers.collabora.subdomain}.${serverCfg.hostDomain}" $OCC config:app:set richdocuments public_wopi_url --value="https://${serverCfg.containers.collabora.subdomain}.${serverCfg.hostDomain}"
$OCC config:app:set richdocuments wopi_allowlist --value="10.0.0.0/8"
''}
${lib.optionalString (serverCfg.containers ? authentik) ''
$OCC saml:config:set --general-idp0_display_name="authentik"
$OCC saml:config:set --general-uid_mapping="http://schemas.goauthentik.io/2021/02/saml/username"
$OCC saml:config:set --idp-entityId="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.hostDomain}"
$OCC saml:config:set --idp-singleSignOnService.url="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.hostDomain}/application/saml/${containerCfg.subdomain}/sso/binding/redirect/"
$OCC saml:config:set --idp-singleLogoutService.url="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.hostDomain}/application/saml/${containerCfg.subdomain}/slo/binding/redirect/"
$OCC saml:config:set --idp-x509cert="MII..."
$OCC saml:config:set --saml-attribute-mapping-displayName_mapping="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
$OCC saml:config:set --saml-attribute-mapping-email_mapping="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$OCC saml:config:set --saml-attribute-mapping-group_mapping="http://schemas.xmlsoap.org/claims/Group"
$OCC saml:config:set --general-group_provisioning="0"
$OCC config:app:set user_saml general-require_provisioning_groups --value="0"
# $OCC saml:config:set --general-allowed_groups="cloud,admin"
''} ''}
# configure side_menu ... # configure side_menu ...
# configure user_saml (HOW ?) FOLDERS=$($OCC teamfolders:list --format=json)
${builtins.concatStringsSep "\n" (map (name: ''
$OCC config:system:set enabledPreviewProviders --value='["OC\\Preview\\Movie", "OC\\Preview\\PNG", "OC\\Preview\\JPEG", "OC\\Preview\\GIF", "OC\\Preview\\HEIC", "OC\\Preview\\RAW"]' --type=json if ! echo "$FOLDERS" | grep -q '"name":"${name}"'; then
$OCC teamfolders:create "${name}"
fi
'') containerCfg.extra.teamFolders or [])}
SERVERS=$($OCC federation:list-servers --format=json)
${builtins.concatStringsSep "\n" (map (domain: ''
if ! echo "$SERVERS" | grep -q "${domain}"; then
$OCC federation:add-server "https://${domain}"
fi
'') containerCfg.extra.federatedServers or [])}
$OCC config:app:set systemtags allow_user_creating --value="no"
echo "Applying Theme..." echo "Applying Theme..."
$OCC config:app:set theming url --value="https://${containerCfg.subdomain}.${serverCfg.hostDomain}" $OCC config:app:set theming url --value="https://${containerCfg.subdomain}.${serverCfg.hostDomain}"
${lib.optionalString (containerCfg.extra ? name) ''$OCC config:app:set theming name --value="${containerCfg.extra.name}"''} ${lib.optionalString (containerCfg.extra ? name) ''$OCC config:app:set theming name --value="${containerCfg.extra.name}"''}
${lib.optionalString (containerCfg.extra ? slogan) ''$OCC config:app:set theming slogan --value="${containerCfg.extra.slogan}"''} ${lib.optionalString (containerCfg.extra ? slogan) ''$OCC config:app:set theming slogan --value="${containerCfg.extra.slogan}"''}
$OCC config:app:set theming color --value="${serverCfg.colorScheme.palette.base0C}" $OCC config:app:set theming background_color --value="${serverCfg.colorScheme.palette.base0C}"
$OCC config:app:set theming primary_color --value="${serverCfg.colorScheme.palette.base0C}"
#$OCC theming:config logo {serverCfg.colorScheme.logo} #$OCC theming:config logo {serverCfg.colorScheme.logo}
#$OCC theming:config logoheader {serverCfg.colorScheme.logo} #$OCC theming:config logoheader {serverCfg.colorScheme.logo}

0
modules/server/containers/defs/traefik.nix → modules/server/containers/apps/traefik.nix
View File

6
modules/server/containers/builder.nix
View File

@@ -33,5 +33,11 @@ let
in lib.recursiveUpdate base overrides; in lib.recursiveUpdate base overrides;
in { in {
mkContainer = builder; mkContainer = builder;
mkData = { name, dir, var?{} }: pkgs.runCommand name vars ''
export PATH="${pkgs.buildPackages.substituteAll}/bin:$PATH"
mkdir -p $out
cp -r ./data/${dir}/. $out/
find $out -type f -exec substituteAllInPlace {} +
'';
host = "host.containers.internal"; host = "host.containers.internal";
} }

49
modules/server/containers/data/authentik/nextcloud.yaml Normal file
View File

@@ -0,0 +1,49 @@
version: 1
metadata:
name: nextcloud-saml-setup
entries:
# 1. Create the SAML Provider
- model: authentik_providers_saml.samlprovider
identifiers:
name: Nextcloud SAML
attrs:
authorization_flow:
!Find [
authentik_flows.flow,
[slug, default-provider-authorization-explicit-consent],
]
# Adjust these URLs to match your Nextcloud domain
acs_url: https://@NEXTCLOUD_DOMAIN@/apps/user_saml/saml/acs
audience: https://@NEXTCLOUD_DOMAIN@/apps/user_saml/saml/metadata
issuer: https://@AUTHENTIK_DOMAIN@
sp_binding: post
# Map the attributes for Name, Email, and Groups
property_mappings:
- !Find [
authentik_core.propertymapping,
[managed, goauthentik.io/providers/saml/ms-name],
]
- !Find [
authentik_core.propertymapping,
[managed, goauthentik.io/providers/saml/ms-email],
]
- !Find [
authentik_core.propertymapping,
[managed, goauthentik.io/providers/saml/ms-groups],
]
# Select your signing certificate (default is usually self-signed)
signing_kp:
!Find [
authentik_crypto.certificatekeypair,
[name, "authentik Self-signed Certificate"],
]
# 2. Create the Application
- model: authentik_core.application
identifiers:
slug: nextcloud
attrs:
name: Nextcloud
provider:
!Find [authentik_providers_saml.samlprovider, [name, Nextcloud SAML]]
group: "Cloud Services"

35
modules/server/containers/data/authentik/traefik.yaml Normal file
View File

@@ -0,0 +1,35 @@
version: 1
metadata:
name: domain-wide-proxy-setup
entries:
# 1. The Provider
- model: authentik_providers_proxy.proxyprovider
identifiers:
name: Domain Wide Proxy
attrs:
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-explicit-consent]]
# For domain-wide, external_host must be the root domain or the auth domain
external_host: https://@AUTHENTIK_DOMAIN@
# This allows the cookie to work across *.@COOKIE_DOMAIN@
cookie_domain: @COOKIE_DOMAIN@
mode: forward_auth
intercept_header_auth: true
# 2. The Application (Required to link the provider)
- model: authentik_core.application
identifiers:
slug: authentik-proxy-root
attrs:
name: "Domain Auth Provider"
provider: !Find [authentik_providers_proxy.proxyprovider, [name, Domain Wide Proxy]]
# 3. Add to Outpost
- model: authentik_outposts.outpost
identifiers:
name: authentik Embedded Outpost
attrs:
providers:
- !Find [authentik_providers_proxy.proxyprovider, [name, Domain Wide Proxy]]

10
modules/server/containers/default.nix
View File

@@ -4,15 +4,15 @@ let
builder = import ./builder.nix { inherit config lib serverCfg; }; builder = import ./builder.nix { inherit config lib serverCfg; };
enabledConfigs = lib.filterAttrs (name: c: c.enable) serverCfg.containers; enabledConfigs = lib.filterAttrs (name: c: c.enable) serverCfg.containers;
containerSetsList = lib.mapAttrsToList (name: containerCfg: containerSetsList = lib.mapAttrsToList (name: containerCfg:
let defs = import (./defs + "/${name}.nix") {inherit config pkgs lib containerCfg builder name;}; let apps = import (./apps + "/${name}.nix") {inherit config pkgs lib containerCfg builder name;};
in{ in{
name = name; name = name;
containers = lib.mapAttrs' (cName: cValue: containers = lib.mapAttrs' (cName: cValue:
lib.nameValuePair "${name}-${cName}" cValue lib.nameValuePair "${name}-${cName}" cValue
) defs.containers; ) apps.containers;
paths = defs.paths or []; paths = apps.paths or [];
setup = defs.setup or null; setup = apps.setup or null;
cron = defs.cron or []; cron = apps.cron or [];
} }
) enabledConfigs; ) enabledConfigs;
mergedContainers = lib.attrsets.mergeAttrsList (lib.map(e: e.containers) containerSetsList); mergedContainers = lib.attrsets.mergeAttrsList (lib.map(e: e.containers) containerSetsList);