From b11c50d0d1ab6563202b35fc8ebd5c5cc8b4151b Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown <git@lukegb.com>
Date: Tue, 4 Mar 2025 23:45:23 +0000
Subject: [PATCH] totoro: geoipupdate for authentik

---
 ops/nixos/lib/geoipupdate.nix  | 25 +++++++++++++++++++++++++
 ops/nixos/totoro/authentik.nix | 24 +++---------------------
 ops/vault/cfg/config.nix       |  2 +-
 3 files changed, 29 insertions(+), 22 deletions(-)
 create mode 100644 ops/nixos/lib/geoipupdate.nix

diff --git a/ops/nixos/lib/geoipupdate.nix b/ops/nixos/lib/geoipupdate.nix
new file mode 100644
index 0000000000..40e408674e
--- /dev/null
+++ b/ops/nixos/lib/geoipupdate.nix
@@ -0,0 +1,25 @@
+{ depot, pkgs, config, ... }:
+
+{
+  services.geoipupdate = {
+    enable = true;
+    settings = {
+      AccountID = 1135779;
+      LicenseKey = { _secret = config.my.vault.secrets.maxmind-license-key.path; };
+      EditionIDs = [
+        "GeoLite2-ASN"
+        "GeoLite2-City"
+        "GeoLite2-Country"
+      ];
+    };
+  };
+  my.vault.secrets.maxmind-license-key = {
+    restartUnits = ["geoipupdate.service"];
+    group = "root";
+    template = ''
+      {{ with secret "kv/apps/maxmind" -}}
+      {{ .Data.data.licensekey }}
+      {{- end }}
+    '';
+  };
+}
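Review bot: The edition list key changes from `EditionID` (the removed block in authentik.nix) to `EditionIDs` here, which is a functional fix bundled into what the subject presents as a move; the GeoIP.conf key is `EditionIDs`, so the old spelling was most likely never honoured, and that deserves a sentence in the commit message. The module also carries an undocumented coupling: any host can import it, but the `kv/apps/maxmind` secret is only granted to totoro in ops/vault/cfg/config.nix (last hunk), and the database directory that authentik.nix reads from (`/var/lib/GeoIP`) is only geoipupdate's default, never pinned in `settings` here. A header comment such as `# Downloads the GeoLite2 databases into /var/lib/GeoIP; hosts importing this need the "maxmind" app granted in ops/vault/cfg/config.nix` would capture both. `depot` and `pkgs` in the argument set are unused; `{ config, ... }:` is enough.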
diff --git a/ops/nixos/totoro/authentik.nix b/ops/nixos/totoro/authentik.nix
index c02251a252..e9b3c974e2 100644
--- a/ops/nixos/totoro/authentik.nix
+++ b/ops/nixos/totoro/authentik.nix
@@ -8,22 +8,13 @@ let
     AUTHENTIK_POSTGRESQL__HOST = "";
     AUTHENTIK_STORAGE__MEDIA__FILE__PATH = "/var/lib/authentik/media";
     AUTHENTIK_BLUEPRINTS__DIR = "${depot.nix.pkgs.authentik.server}/share/authentik/blueprints";
+    AUTHENTIK_EVENTS__CONTEXT_PROCESSORS__GEOIP = "/var/lib/GeoIP/GeoLite2-City.mmdb";
+    AUTHENTIK_EVENTS__CONTEXT_PROCESSORS__ASN = "/var/lib/GeoIP/GeoLite2-ASN.mmdb";
     PROMETHEUS_MULTIPROC_DIR = "/tmp";
   };
 in
 {
-  services.geoipupdate = {
-    enable = true;
-    settings = {
-      AccountID = 1135779;
-      LicenseKey = { _secret = config.my.vault.secrets.maxmind-license-key.path; };
-      EditionID = [
-        "GeoLite2-ASN"
-        "GeoLite2-City"
-        "GeoLite2-Country"
-      ];
-    };
-  };
+  imports = [ ../lib/geoipupdate.nix ];
 
   services.nginx.virtualHosts."auth.lukegb.com" = {
     forceSSL = true;
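Review bot: The two new environment entries hard-code `/var/lib/GeoIP`, which is only geoipupdate's default `DatabaseDirectory` and is not set in the imported ../lib/geoipupdate.nix, so the two files can drift apart without any evaluation error. Deriving the paths from the module, e.g. `"${config.services.geoipupdate.settings.DatabaseDirectory}/GeoLite2-City.mmdb"`, would tie them together, assuming `config` is in scope for this `let` (its head is above the hunk). There is also no visible ordering between the authentik units and `geoipupdate.service`: on a fresh host the `.mmdb` files do not exist until the first update run, so if authentik only opens the databases at startup it may need an `after`/`wants` on `geoipupdate.service` — confirm against authentik's reload behaviour before adding it. The enclosing `let` begins before this hunk and the attribute set it introduces ends after it.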
@@ -80,13 +71,4 @@ in
       {{ end }}
     '';
   };
-  my.vault.secrets.maxmind-license-key = {
-    restartUnits = ["geoipupdate.service"];
-    group = "root";
-    template = ''
-      {{ with secret "kv/apps/maxmind" -}}
-      {{ .Data.data.licensekey }}
-      {{- end }}
-    '';
-  };
 }
diff --git a/ops/vault/cfg/config.nix b/ops/vault/cfg/config.nix
index 600c0cabbc..8d55b3e756 100644
--- a/ops/vault/cfg/config.nix
+++ b/ops/vault/cfg/config.nix
@@ -84,7 +84,7 @@
   my.servers.howl.apps = [ "nixbuild" ];
   my.servers.porcorosso.apps = [ "quotesdb" "nixbuild" ];
   my.servers.nausicaa.apps = [ "quotesdb" "nixbuild" "hacky-vouchproxy" "hackyplayer" "emfminiserv" ];
-  my.servers.totoro.apps = [ "sslrenew-raritan" "deluge" "quotesdb" "authentik" "ads-b" "nixbuild" "tumblrandom" ];
+  my.servers.totoro.apps = [ "sslrenew-raritan" "deluge" "quotesdb" "authentik" "ads-b" "nixbuild" "tumblrandom" "maxmind" ];
   my.servers.clouvider-fra01.apps = [ "deluge" ];
   my.servers.clouvider-lon01.apps = [ "quotesdb" "nixbuild" ];
   my.servers.cofractal-ams01.apps = [ "deluge" "nixbuild" ];