diff --git a/flake.nix b/flake.nix
index cde6b3a..ce319d2 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,16 @@
 {
 description = "A simple system flake using some Aux defaults";
+ nixConfig = {
+ extra-substituters = [
+ "https://nix-community.cachix.org"
+ ];
+ extra-trusted-public-keys = [
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+ };
+
+
 inputs = {
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
 home-manager = {
@@ -230,6 +240,15 @@
 "${inputs.self}/systems"
 "${inputs.self}/services"
 {
+ microvm = {
+ volumes = [
+ {
+ mountPoint = "/media";
+ image = "/var/lib/microvms/authentik/media.img";
+ size = 2048;
+ }
+ ];
+ };
 services.vm = {
 enable = true;
 hostname = "authentik";
diff --git a/services/grafana/default.nix b/services/grafana/default.nix
index e975055..fe3b57b 100644
--- a/services/grafana/default.nix
+++ b/services/grafana/default.nix
@@ -23,6 +23,25 @@ in
 root_url = "https://logs.le43.eu";
 serve_from_sub_path = false;
 };
+ auth = {
+ signout_redirect_url = https://authentik.le43.eu/application/o/grafana/end-session/;
+ oauth_auto_login = true;
+ };
+ "oauth.generic_oauth" = {
+ name = "authentik";
+ enabled = true;
+ client_id = "9HV82G8F92Jcbw4nP8eppMcPpLcAw5uYpejfReLy";
+ client_secret = "\$__file{/run/secrets/grafana/client_secret}";
+ scopes = [
+ "openid"
+ "email"
+ "profile"
+ ];
+ auth_url = "https://authentik.le43.eu/application/o/authorize/";
+ token_url = "https://authentik.le43.eu/application/o/token/";
+ api_url = "https://authentik.le43.eu/application/o/userinfo/";
+ role_attribute_path = "contains(groups, 'admin') && 'Admin' || 'Viewer'";
+ };
 };
 };
 services.prometheus = {
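Review bot: The new `nixConfig` extends store trust to a third-party cache with no record of where the key came from; any store path signed by that key is accepted in place of a local build, so the provenance belongs next to it, e.g. `# nix-community binary cache; key copied from https://app.cachix.org/cache/nix-community — re-verify against that page before trusting`. Nix applies flake-level `nixConfig` only after an interactive accept (or with `accept-flake-config`), and `extra-trusted-public-keys` is a restricted setting that only a trusted user of the daemon can apply, so a second comment saying so would stop a CI run that silently ignores it from being read as a cache miss. The two added blank lines after the closing `};` leave a double gap before `inputs`; one is enough.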
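Review bot: `size = 2048` carries no unit and the volume entry sets no `fsType` or `autoCreate`, so a reader cannot tell whether this is 2 GiB or whether the image is created on first boot; I would add `# authentik media uploads; size is in MiB if microvm.nix's volumes.*.size is (confirm against the option docs), image auto-created on first start (confirm)` above `mountPoint`. The image path is host-side and outlives VM rebuilds, so it persists whatever authentik users upload; its directory permissions should match the rest of `/var/lib/microvms`. The attribute set that contains this `microvm` block starts and ends outside the hunk.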
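Review bot: `signout_redirect_url` is written as a bare URL literal while every other URL in the block is quoted; Nix URL literals are deprecated and rejected when the `no-url-literals` feature is on, so quote it: `signout_redirect_url = "https://authentik.le43.eu/application/o/grafana/end-session/";`. The `|| 'Viewer'` fallback in `role_attribute_path` together with Grafana's `allow_sign_up` default of true means every account authentik lets reach this application gets a Grafana Viewer account, so access control is entirely delegated to the authentik application's policy bindings — worth a comment saying so, and that the `groups` claim is assumed to arrive via the `profile` scope (confirm in authentik's scope mappings). Grafana's docs recommend `use_pkce = true;` for generic OAuth; it is absent here. With `oauth_auto_login = true` the local login form is hidden, so a note on the break-glass path (`/login?disableAutoLogin=true`) would help an operator locked out when authentik is down. The enclosing `services.grafana.settings` set starts and ends outside the hunk.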