totoro: geoipupdate for authentik

2025-03-04 23:45:23 +00:00 · 2025-03-04 23:45:23 +00:00 · b11c50d0d1
commit b11c50d0d1
parent 1d47b3177d
3 changed files with 29 additions and 22 deletions
--- a/ops/nixos/lib/geoipupdate.nix
+++ b/ops/nixos/lib/geoipupdate.nix
@ -0,0 +1,25 @@
+{ depot, pkgs, config, ... }:
+
+{
+  services.geoipupdate = {
+    enable = true;
+    settings = {
+      AccountID = 1135779;
+      LicenseKey = { _secret = config.my.vault.secrets.maxmind-license-key.path; };
+      EditionIDs = [
+        "GeoLite2-ASN"
+        "GeoLite2-City"
+        "GeoLite2-Country"
+      ];
+    };
+  };
+  my.vault.secrets.maxmind-license-key = {
+    restartUnits = ["geoipupdate.service"];
+    group = "root";
+    template = ''
+      {{ with secret "kv/apps/maxmind" -}}
+      {{ .Data.data.licensekey }}
+      {{- end }}
+    '';
+  };
+}
--- a/ops/nixos/totoro/authentik.nix
+++ b/ops/nixos/totoro/authentik.nix
@ -8,22 +8,13 @@ let
    AUTHENTIK_POSTGRESQL__HOST = "";
    AUTHENTIK_STORAGE__MEDIA__FILE__PATH = "/var/lib/authentik/media";
    AUTHENTIK_BLUEPRINTS__DIR = "${depot.nix.pkgs.authentik.server}/share/authentik/blueprints";
+    AUTHENTIK_EVENTS__CONTEXT_PROCESSORS__GEOIP = "/var/lib/GeoIP/GeoLite2-City.mmdb";
+    AUTHENTIK_EVENTS__CONTEXT_PROCESSORS__ASN = "/var/lib/GeoIP/GeoLite2-ASN.mmdb";
    PROMETHEUS_MULTIPROC_DIR = "/tmp";
  };
 in
 {
-  services.geoipupdate = {
-    enable = true;
-    settings = {
-      AccountID = 1135779;
-      LicenseKey = { _secret = config.my.vault.secrets.maxmind-license-key.path; };
-      EditionID = [
-        "GeoLite2-ASN"
-        "GeoLite2-City"
-        "GeoLite2-Country"
-      ];
-    };
-  };
+  imports = [ ../lib/geoipupdate.nix ];

  services.nginx.virtualHosts."auth.lukegb.com" = {
    forceSSL = true;
@ -80,13 +71,4 @@ in
      {{ end }}
    '';
  };
-  my.vault.secrets.maxmind-license-key = {
-    restartUnits = ["geoipupdate.service"];
-    group = "root";
-    template = ''
-      {{ with secret "kv/apps/maxmind" -}}
-      {{ .Data.data.licensekey }}
-      {{- end }}
-    '';
-  };
 }
--- a/ops/vault/cfg/config.nix
+++ b/ops/vault/cfg/config.nix
@ -84,7 +84,7 @@
  my.servers.howl.apps = [ "nixbuild" ];
  my.servers.porcorosso.apps = [ "quotesdb" "nixbuild" ];
  my.servers.nausicaa.apps = [ "quotesdb" "nixbuild" "hacky-vouchproxy" "hackyplayer" "emfminiserv" ];
-  my.servers.totoro.apps = [ "sslrenew-raritan" "deluge" "quotesdb" "authentik" "ads-b" "nixbuild" "tumblrandom" ];
+  my.servers.totoro.apps = [ "sslrenew-raritan" "deluge" "quotesdb" "authentik" "ads-b" "nixbuild" "tumblrandom" "maxmind" ];
  my.servers.clouvider-fra01.apps = [ "deluge" ];
  my.servers.clouvider-lon01.apps = [ "quotesdb" "nixbuild" ];
  my.servers.cofractal-ams01.apps = [ "deluge" "nixbuild" ];