tamipes/authentik-nix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

module: provide option to specify EnvironmentFile for secrets

Browse source 
The systemd service module references the module's environmentFile in a
list to allow for merging with EnvironmentFiles injected elsewhere.
This commit is contained in:
WilliButz 2023-10-04 14:47:29 +02:00
parent cd00a35204
commit 251d78a7f2
No known key found for this signature in database
GPG key ID: FB0513677AB15BEA
2 changed files with 50 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

42
module.nix
View file

@ -13,6 +13,7 @@ let
mkMerge; mkMerge;
inherit (lib.options) inherit (lib.options)
mdDoc
mkEnableOption mkEnableOption
mkOption; mkOption;
@ -45,11 +46,48 @@ in
type = types.bool; type = types.bool;
default = true; default = true;
}; };
environmentFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/run/secrets/authentik/authentik-env";
description = mdDoc ''
Environment file as defined in {manpage}`systemd.exec(5)`.
Secrets may be passed to the service without adding them to the world-readable
/nix/store, by specifying the desied secrets as environment variables according
to the authentic documentation.
```
# example content
AUTHENTIK_SECRET_KEY=<secret key>
AUTHENTIK_EMAIL__PASSWORD=<smtp password>
```
'';
};
}; };
# LDAP oupost # LDAP oupost
authentik-ldap = { authentik-ldap = {
enable = mkEnableOption "authentik LDAP outpost"; enable = mkEnableOption "authentik LDAP outpost";
environmentFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/run/secrets/authentik-ldap/authentik-ldap-env";
description = mdDoc ''
Environment file as defined in {manpage}`systemd.exec(5)`.
Secrets may be passed to the service without adding them to the world-readable
/nix/store, by specifying the desied secrets as environment variables according
to the authentic documentation.
```
# example content
AUTHENTIK_TOKEN=<token from authentik for this outpost>
```
'';
};
}; };
}; };
@ -101,6 +139,7 @@ in
DynamicUser = true; DynamicUser = true;
User = "authentik"; User = "authentik";
ExecStart = "${cfg.authentikComponents.migrate}/bin/migrate.py"; ExecStart = "${cfg.authentikComponents.migrate}/bin/migrate.py";
EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
}; };
}; };
authentik-worker = { authentik-worker = {
@ -114,6 +153,7 @@ in
User = "authentik"; User = "authentik";
# TODO maybe make this configurable # TODO maybe make this configurable
ExecStart = "${cfg.authentikComponents.celery}/bin/celery -A authentik.root.celery worker -Ofair --max-tasks-per-child=1 --autoscale 3,1 -E -B -s /tmp/celerybeat-schedule -Q authentik,authentik_scheduled,authentik_events"; ExecStart = "${cfg.authentikComponents.celery}/bin/celery -A authentik.root.celery worker -Ofair --max-tasks-per-child=1 --autoscale 3,1 -E -B -s /tmp/celerybeat-schedule -Q authentik,authentik_scheduled,authentik_events";
EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
}; };
}; };
authentik = { authentik = {
@ -140,6 +180,7 @@ in
WorkingDirectory = "%S/authentik"; WorkingDirectory = "%S/authentik";
DynamicUser = true; DynamicUser = true;
ExecStart = "${cfg.authentikComponents.gopkgs}/bin/server"; ExecStart = "${cfg.authentikComponents.gopkgs}/bin/server";
EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
}; };
}; };
}; };
@ -163,6 +204,7 @@ in
WorkingDirectory = "%t/authentik-ldap"; WorkingDirectory = "%t/authentik-ldap";
DynamicUser = true; DynamicUser = true;
ExecStart = "${config.services.authentik.authentikComponents.gopkgs}/bin/ldap"; ExecStart = "${config.services.authentik.authentikComponents.gopkgs}/bin/ldap";
EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
}; };
}; };
})) }))

21
test.nix
View file

@ -2,8 +2,10 @@
, nixosModules , nixosModules
}: }:
let let
# use a root-owned EnvironmentFile in production instead (systemd.services.<name>.serviceConfig.EnvironmentFile) # use a root-owned EnvironmentFile in production instead (services.authentik.environmentFile)
authentiksecret = "thissecretwillbeinthenixstore"; authentik-env = pkgs.writeText "authentik-test-secret-env" ''
AUTHENTIK_SECRET_KEY=thissecretwillbeinthenixstore
'';
in in
pkgs.nixosTest { pkgs.nixosTest {
name = "authentik"; name = "authentik";
@ -19,17 +21,10 @@ pkgs.nixosTest {
"${pkgs.path}/nixos/tests/common/x11.nix" "${pkgs.path}/nixos/tests/common/x11.nix"
]; ];
services.authentik.enable = true; services.authentik = {
enable = true;
systemd.services.authentik-migrate.serviceConfig.Environment = [ environmentFile = authentik-env;
"AUTHENTIK_SECRET_KEY=${authentiksecret}" };
];
systemd.services.authentik-worker.serviceConfig.Environment = [
"AUTHENTIK_SECRET_KEY=${authentiksecret}"
];
systemd.services.authentik.serviceConfig.Environment = [
"AUTHENTIK_SECRET_KEY=${authentiksecret}"
];
services.xserver.enable = true; services.xserver.enable = true;
test-support.displayManager.auto.user = "alice"; test-support.displayManager.auto.user = "alice";