Add authentik

flux/cluster/apps/authentik/helm.yaml

@@ -0,0 +1,46 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: authentik
+  namespace: authentik
+spec:
+  interval: 1m0s
+  chart: 
+    spec:
+      # renovate: registryUrl=https://charts.goauthentik.io
+      chart: authentik
+      version: 2022.4.3
+      sourceRef:
+        kind: HelmRepository
+        name: authentik-charts
+        namespace: flux-system
+      interval: 5m
+  valuesFrom:
+    - kind: Secret
+      name: authentik
+      valuesKey: secret_key
+      targetPath: authentik.secret_key
+      optional: false
+  values:
+    image:
+      repository: ghcr.io/goauthentik/server
+      tag: 2022.5.1
+    authentik:
+      error_reporting:
+        enabled: true
+      postgresql:
+        host: "postgres.lxd"
+        name: "authentik"
+        user: "authentik"
+    redis:
+      enabled: true
+      architecture: standalone
+      auth:
+        enabled: false
+    ingress:
+      enabled: true
+      hosts:
+        - host: auth.asraphiel.dev
+          paths:
+            - path: "/"
+              pathType: Prefix

flux/cluster/apps/authentik/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - helm.yaml

flux/cluster/apps/authentik/secret.yaml

@@ -0,0 +1,17 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: authentik
+  namespace: authentik
+spec:
+  refreshInterval: "5m"
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: authentik
+  data:
+  - secretKey: secret_key
+    remoteRef:
+      key: k8s/authentik
+      property: secret_key

flux/cluster/apps/kustomization.yaml

@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - test
+  - authentik

flux/cluster/base/flux-system/charts/authentik-charts.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: authentik-charts
+  namespace: flux-system
+spec:
+  interval: 15m
+  url: https://charts.goauthentik.io

flux/cluster/base/flux-system/charts/kustomization.yaml

@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - external-secrets-charts.yaml
+  - authentik-charts.yaml

flux/cluster/core/namespaces/authentik.yaml

@@ -0,0 +1,6 @@
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: authentik
+  labels:
+    name: authentik

flux/cluster/core/namespaces/kustomization.yaml

@@ -3,3 +3,4 @@ kind: Kustomization
 resources:
   - test-name.yaml
   - external-secrets.yaml
+  - authentik.yaml

nixos/machines/nginx/default.nix

@@ -50,6 +50,7 @@ in {
     virtualHosts."registry.asraphiel.dev" = proxy "http://registry.lxd:5000/";
     virtualHosts."vaultwarden.asraphiel.dev" = proxy "http://vaultwarden.lxd:8000/";
     virtualHosts."whoami.asraphiel.dev" = k8sProxy;
+    virtualHosts."auth.asraphiel.dev" = k8sProxy;
   };
   security.acme.email = "acme@voidcorp.nl";
   security.acme.acceptTerms = true;

nixos/machines/postgres/default.nix

@@ -17,7 +17,7 @@
       host all all 10.0.0.0/8 trust
       host all all fd42:8db7:2e6b:8e9b:216:3eff::/96 trust
     '';
-    ensureDatabases = [ "gitea" "vault" "vaultwarden" ];
+    ensureDatabases = [ "gitea" "vault" "vaultwarden" "authentik" ];
     ensureUsers = [
       {
         name = "gitea";
@@ -32,6 +32,10 @@
         name = "vaultwarden";
         ensurePermissions = { "DATABASE \"vaultwarden\"" = "ALL PRIVILEGES"; };
       }
+      {
+        name = "authentik";
+        ensurePermissions = { "DATABASE \"authentik\"" = "ALL PRIVILEGES"; };
+      }
     ];
 
     enableTCPIP = true;