authorMax Audron <audron@cocaine.farm>2025-07-31 15:33:56 +0200
committerMax Audron <audron@cocaine.farm>2025-07-31 15:33:56 +0200
commitc487d1c96d791c0ce8e5e5ab98de826fafb892c1 (patch)
tree043a530b0ff44a64f89b0cbed0ec259df4650d1b /modules
parentadd more monitoring exporters and scrapers (diff)
update to nixos 25.05
Diffstat (limited to '')
-rw-r--r--modules/authentik/default.nix110
-rw-r--r--modules/common/networking.nix1
-rw-r--r--modules/default.nix1
-rw-r--r--modules/wireguard/default.nix2
-rw-r--r--modules/zfs/default.nix6
5 files changed, 32 insertions, 88 deletions
diff --git a/modules/authentik/default.nix b/modules/authentik/default.nix
index bc9d4e0..dc87336 100644
--- a/modules/authentik/default.nix
+++ b/modules/authentik/default.nix
@@ -5,91 +5,37 @@ with self.lib.nginx;
let version = "2025.6.4";
in
{
- virtualisation.oci-containers.backend = "podman";
- virtualisation.oci-containers.containers = {
- authentik-redis = {
- image = "docker.io/library/redis:alpine";
- cmd = [ "--save" "60" "1" "--loglevel" "warning" ];
- autoStart = true;
- volumes = [
- "/var/lib/authentik/redis:/data"
- ];
- ports = [
- "10.10.0.1:6379:6379"
- ];
- };
- authentik-server = {
- image = "ghcr.io/goauthentik/server:${version}";
- environmentFiles = [ "/etc/secrets/authentik/container.env" ];
- cmd = [ "server" ];
- autoStart = true;
- ports = [
- # "10.10.0.1:9000:9000"
- "10.10.0.1:9443:9443"
- ];
- };
- authentik-worker = {
- image = "ghcr.io/goauthentik/server:${version}";
- environmentFiles = [ "/etc/secrets/authentik/container.env" ];
- cmd = [ "worker" ];
- autoStart = true;
- volumes = [
- "/var/lib/authentik/media:/media"
- "/var/lib/authentik/certs:/certs"
- "/var/lib/authentik/templates:/templates"
- ];
- };
- authentik-ldap = {
- image = "ghcr.io/goauthentik/ldap:${version}";
- environmentFiles = [ "/etc/secrets/authentik/ldap.env" ];
- autoStart = true;
- extraOptions = [ "-m=1000m" ];
- ports = [
- "389:3389"
- "636:6636"
- ];
- };
- authentik-proxy = {
- image = "ghcr.io/goauthentik/proxy:${version}";
- environmentFiles = [ "/etc/secrets/authentik/proxy.env" ];
- autoStart = true;
- ports = [
- "10.10.0.1:9444:9443"
- ];
+ services.authentik = {
+ enable = true;
+ createDatabase = false;
+
+ # The environmentFile needs to be on the target host!
+ # Best use something like sops-nix or agenix to manage it
+ environmentFile = "/etc/secrets/authentik/container.env";
+ settings = {
+ # email = {
+ # host = "smtp.example.com";
+ # port = 587;
+ # username = "authentik@example.com";
+ # use_tls = true;
+ # use_ssl = false;
+ # from = "authentik@example.com";
+ # };
+ disable_startup_analytics = true;
+ avatars = "initials";
};
};
- # services.authentik = {
- # enable = true;
- # createDatabase = false;
- #
- # # The environmentFile needs to be on the target host!
- # # Best use something like sops-nix or agenix to manage it
- # environmentFile = "/etc/secrets/authentik/container.env";
- # settings = {
- # # email = {
- # # host = "smtp.example.com";
- # # port = 587;
- # # username = "authentik@example.com";
- # # use_tls = true;
- # # use_ssl = false;
- # # from = "authentik@example.com";
- # # };
- # disable_startup_analytics = true;
- # avatars = "initials";
- # };
- # };
- #
- #
- # services.authentik-ldap = {
- # enable = true;
- # environmentFile = "/etc/secrets/authentik/ldap.env";
- # };
- #
- # services.authentik-proxy = {
- # enable = true;
- # environmentFile = "/etc/secrets/authentik/proxy.env";
- # };
+
+ services.authentik-ldap = {
+ enable = true;
+ environmentFile = "/etc/secrets/authentik/ldap.env";
+ };
+
+ services.authentik-proxy = {
+ enable = true;
+ environmentFile = "/etc/secrets/authentik/proxy.env";
+ };
# networking.firewall.allowedTCPPorts = [ 389 636 ];
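Review bot: The new `services.authentik`, `services.authentik-ldap` and `services.authentik-proxy` blocks drop the explicit `10.10.0.1:` bind addresses that the removed podman port mappings enforced for the server (9443), the proxy (9444) and redis (6379), and nothing in `settings` pins a listen address, so each service now listens wherever authentik's own defaults or the env files put it, which absent an override is presumably every interface. If these are meant to be reachable only over the wireguard address, pin them in the module, e.g. `settings.listen = { http = "10.10.0.1:9000"; https = "10.10.0.1:9443"; };` (authentik reads these as `AUTHENTIK_LISTEN__HTTP`/`__HTTPS`), and do the equivalent for the outposts' ldap/ldaps listeners in their env files; the exact keys are worth confirming against the module version you pulled in. Podman's port publishing also bypassed the NixOS firewall whereas native services are governed by it, so the still-commented `# networking.firewall.allowedTCPPorts = [ 389 636 ];` on the last context line now decides whether LDAP is reachable at all; if it is enabled, prefer `networking.firewall.interfaces.wg0.allowedTCPPorts = [ 389 636 ];` over opening 389/636 on every interface. Note too that the old mappings translated host 389/636 to the outpost's 3389/6636, so the native outpost may now answer on the latter and clients should be checked.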
diff --git a/modules/common/networking.nix b/modules/common/networking.nix
index 009610a..9829672 100644
--- a/modules/common/networking.nix
+++ b/modules/common/networking.nix
@@ -7,6 +7,7 @@
tempAddresses = "disabled";
interfaces.eth0.useDHCP = true;
nameservers = [ "1.1.1.1" "8.8.8.8" ];
+ search = [ "wg.vapor.systems" ];
dhcpcd.extraConfig = ''
nohook resolv.conf
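Review bot: The added `search = [ "wg.vapor.systems" ];` sits next to `nameservers = [ "1.1.1.1" "8.8.8.8" ];`, so every unqualified name a process looks up (an `ssh db`, a typo, a library probe) is retried as `<name>.wg.vapor.systems` against public resolvers; unless that zone is actually published in public DNS, internal host names leak to Cloudflare/Google and never resolve. If the zone is served by something reachable over wg0, that resolver should be listed here (or scoped per link via resolved's routing domains) rather than relying on the public resolvers. If the zone is public, a comment saying so, e.g. `# wg.vapor.systems is a public zone; peers are reached by their wg IPs`, would keep the next reader from assuming internal-only resolution. The enclosing `networking` attrset starts above this hunk.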
diff --git a/modules/default.nix b/modules/default.nix
index 3855e4b..59faed7 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -33,4 +33,5 @@
pastor = import ./pastor;
monitoring = import ./monitoring;
+ monitoring-node = import ./monitoring/node-exporter.nix;
}
diff --git a/modules/wireguard/default.nix b/modules/wireguard/default.nix
index 6738b29..733bd80 100644
--- a/modules/wireguard/default.nix
+++ b/modules/wireguard/default.nix
@@ -41,6 +41,8 @@ with lib; {
};
};
+ networking.firewall.allowedUDPPorts = mkIf config.wireguard.enable [ 51820 ];
+
networking.wireguard.interfaces = mkIf config.wireguard.enable {
wg0 = with { ifname = "wg0"; }; {
ips = [
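Review bot: The literal `51820` on the added `allowedUDPPorts` line duplicates whatever `listenPort` `wg0` is given further down (outside this hunk), and the two will silently diverge if either is changed. If `wg0` sets `listenPort`, derive the firewall entry from it, `networking.firewall.allowedUDPPorts = mkIf config.wireguard.enable [ config.networking.wireguard.interfaces.wg0.listenPort ];`, otherwise bind the number once in a `let` both definitions share. Opening the port on every interface is acceptable for WireGuard since it does not answer unauthenticated datagrams; a one-line comment such as `# WireGuard listen port; exposing it globally is fine, wg is silent to unauthenticated peers` would make that exposure read as deliberate. The `networking.wireguard.interfaces` attrset continues past the end of the hunk.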
diff --git a/modules/zfs/default.nix b/modules/zfs/default.nix
index fb2f063..75018ea 100644
--- a/modules/zfs/default.nix
+++ b/modules/zfs/default.nix
@@ -64,12 +64,6 @@
options = [ "zfsutil" ];
};
- "/var/lib/docker" = {
- device = "rpool/root/var/lib/docker";
- fsType = "zfs";
- options = [ "zfsutil" ];
- };
-
"/var/lib/containers" = {
device = "rpool/root/var/lib/containers";
fsType = "zfs";