nix-community / authentik-nix

Nix flake with package, NixOS module and basic VM test for authentik. Trying to provide an alternative deployment mode to the officially supported docker-compose approach. Not affiliated with or officially supported by the authentik project [maintainer=@willibutz]
MIT License

How to set the SECRET_KEY #3

Closed bee1850 closed 1 year ago

bee1850 commented 1 year ago

Whenever I try to rebuild my NixOS flake, the authentik-migrate.service keeps failing. I get the following error messages:

I tried to set the AUTHENTIK_SECRET_KEY variable in the configuration.nix by adding the following (keytemp contains the output of pwgen -s 50 1):

  services.authentik = {
    enable = true;
    settings = {
      authentik_secret_key = "${lib.strings.fileContents ./keytemp}";
    };
  };

resulting in:

cat /etc/authentik/config.yml
authentik_secret_key: 6yrwkZywIBIsqoQ********************SnYdPDGkjQTC***
blueprints_dir: /nix/store/63hrzp6clrdsa7cx3vjlmky1x4fq37pv-authentik-static-workdir-deps/blueprints
postgresql:
  host: ''
  name: authentik
  user: authentik
template_dir: /nix/store/63hrzp6clrdsa7cx3vjlmky1x4fq37pv-authentik-static-workdir-deps/templates

I'm puzzled on how to proceed and would really appreciate some help.

bee1850 commented 1 year ago

The issue was that authentik does not pass its AUTHENTIK_SECRET_KEY to Django's SECRET_KEY, therefore Django couldn't start, resulting in the error. The solution is fairly simple: I just added the following to the configuration.nix

  services.authentik = {
    enable = true;
    settings = rec {
      authentik_secret_key = "${lib.strings.fileContents ./keytemp}";
      secret_key = authentik_secret_key;
    };
  };

WilliButz commented 1 year ago

Hey, glad to see that you're trying to use the authentik-nix flake!

Unless the context of the above is just a local test and not intended to be used by anyone, the following should be considered:

The secret key (and other secrets in general) shouldn't be configured directly in the NixOS module, only referenced indirectly (by file path or environment variable name). The reason is that the secrets will inevitably land in the world-readable /nix/store and therefore be accessible to most processes running on both the target machine and on the build host.

There are various ways to work around this behavior in a rather fancy way, just to name two of them: https://github.com/Mic92/sops-nix and https://github.com/ryantm/agenix.

However, the minimal approach should be as follows: I just updated the module to include an environmentFile option, which allows for easy referencing of a systemd EnvironmentFile. That environment file should be placed on the host that is running authentik and it only needs to be accessible to root. The secret key (generated with openssl rand -base64 32 for example) can then be specified in the EnvironmentFile simply like this:

AUTHENTIK_SECRET_KEY=abcd....................890=

Placing the EnvironmentFile with the generated secret key on the host, for example under /var/secrets/authentik/authentik-env and setting the option in the module accordingly, enables authentik to read the secret key from its environment:

services.authentik.environmentFile = "/var/secrets/authentik/authentik-env";
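The provisioning steps from the reply above, as an added example that is not part of the authentik-nix project or of either comment: generate the secret with openssl as suggested, write it to the EnvironmentFile so that it is root-only from the moment it exists, and then check two things a practitioner would want to verify before pointing `services.authentik.environmentFile` at it: that the file really is private, and that the secret string does not appear anywhere under the world-readable Nix store (which is exactly where a value placed in `settings` ends up). The script name, the `--install` flag and the fallback to /dev/urandom are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not code from the authentik-nix project: provision the systemd
# EnvironmentFile the maintainer describes, keep it root-only, and check that the
# secret never landed in the world-readable Nix store.
set -eo pipefail

# Generate the secret the way suggested in the thread (openssl rand -base64 32),
# falling back to /dev/urandom where openssl is missing (assumed fallback).
# Output is 44 base64 characters for 32 random bytes.
gen_secret() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -base64 32
  else
    head -c 32 /dev/urandom | base64 | tr -d '\n'
  fi
}

# Write AUTHENTIK_SECRET_KEY=<secret> to $1. The umask makes the file 0600 from
# the moment it is created, so there is no window in which it is world-readable.
write_env_file() {
  local path="$1" secret="$2"
  ( umask 077; mkdir -p "$(dirname "$path")"; printf 'AUTHENTIK_SECRET_KEY=%s\n' "$secret" > "$path" )
  chmod 0600 "$path"
}

# Succeeds only if the file grants nothing to group or other (mode 600 or 400).
env_file_is_private() {
  local mode
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")   # GNU stat, then BSD stat
  case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Succeeds only if the secret string appears in no file under the store directory
# (default /nix/store). A hit means a module option baked it into a derivation,
# e.g. a generated config.yml, and every user and process on the host can read it.
secret_not_in_store() {
  local secret="$1" store="${2:-/nix/store}"
  [ -d "$store" ] || return 0
  ! grep -rqF -- "$secret" "$store" 2>/dev/null
}

# Usage (assumed script name): sudo ./mk-authentik-env.sh --install [/var/secrets/authentik/authentik-env]
if [ "${1:-}" = "--install" ]; then
  target="${2:-/var/secrets/authentik/authentik-env}"
  key=$(gen_secret)
  write_env_file "$target" "$key"
  env_file_is_private "$target" || { echo "refusing: $target is not private" >&2; exit 1; }
  secret_not_in_store "$key" || { echo "secret found in /nix/store, do not use it" >&2; exit 1; }
  echo "wrote $target (0600); now set services.authentik.environmentFile = \"$target\";"
fi
```

Running it with `--install` as root writes /var/secrets/authentik/authentik-env and then scans the whole store for the fresh secret, which can take a while on a large system but is the check that catches a value that leaked through `settings`; after it succeeds, the only thing left in NixOS configuration is the `environmentFile` path from the reply above, never the key itself.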