diff --git a/modules/server/containers/builder.nix b/modules/server/containers/builder.nix
new file mode 100644
index 0000000..b7de7a2
--- /dev/null
+++ b/modules/server/containers/builder.nix
@@ -0,0 +1,28 @@
+{ config, lib, serverCfg }:
+{ image, secret ? ""
+, subdomain ? "", ip ? "", port ? 0
+, extraEnv ? { }, extraLabels ? { }
+, overrides ? { }
+}:
+let base = {
+ inherit image;
+
+ environmentFiles = if secret !="" then [ config.sops.secrets."${lib.toUpper secret}".path ] else [];
+ environment = {} // extraEnv;
+
+ labels = if subdomain!="" then ({
+ "traefik.enable" = "true";
+ "traefik.http.routers.${subdomain}.entrypoints" = "web-secure";
+ "traefik.http.routers.${subdomain}.rule" = "Host(`${subdomain}.${serverCfg.hostDomain}`)";
+ "traefik.http.routers.${subdomain}.tls" = "true";
+ } // lib.optionalAttrs (port != 0) {
+ "traefik.http.services.${subdomain}.loadbalancer.server.port" = toString port;
+ }) else {
+ "traefik.enable" = "false";
+ } // extraLabels;
+
+ extraOptions = [
+ "--add-host=host.containers.internal:host-gateway"
+ ] ++ lib.optional (ip != "") "--ip=${ip}";
+};
+in lib.recursiveUpdate base overrides // { host = "host.containers.internal"; }
\ No newline at end of file
diff --git a/modules/server/containers/default.nix b/modules/server/containers/default.nix
index b503ccb..1660165 100644
--- a/modules/server/containers/default.nix
+++ b/modules/server/containers/default.nix
@@ -1,9 +1,10 @@
 { config, pkgs, lib, ... }:
 let
+ mkContainer = import ./mkContainer.nix { inherit config lib serverCfg; };
 cfg = config.syscfg.server.containers;
 enabledConfigs = lib.filterAttrs (name: c: c.enable) cfg;
 containerSetsList = lib.mapAttrsToList (name: containerCfg:
- let defs = import (./defs + "/${name}.nix") {inherit config pkgs lib containerCfg;};
+ let defs = import (./defs + "/${name}.nix") {inherit config pkgs lib containerCfg mkContainer;};
 in{
 containers = lib.mapAttrs' (cName: cValue: lib.nameValuePair "${name}-${cName}" cValue
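Review bot: `labels` silently drops `extraLabels` whenever `subdomain` is non-empty, because a Nix `else` branch extends to the end of the expression, so `// extraLabels` is parsed as part of the else branch only; wrap the conditional so the merge applies to both arms: `labels = (if subdomain != "" then ({ … }) else { "traefik.enable" = "false"; }) // extraLabels;`. The trailing `// { host = "host.containers.internal"; }` puts a `host` attribute into the container definition itself, where — if these sets end up under `virtualisation.oci-containers.containers` — it is not a declared option and evaluation fails, while authentik.nix reads `mkContainer.host` on the imported function, which is a select on a lambda and fails as well; exposing `host` as a sibling of the builder via `__functor` (sketch below) serves both call sites. default.nix in this same line imports `./mkContainer.nix`, but the file added here is `builder.nix`, so one of the two names must change unless a mkContainer.nix already exists in the tree. default.nix's hunk is cut off at the end of this line, so whether `serverCfg` is bound there for the `inherit config lib serverCfg` is not visible.
```nix
{ config, lib, serverCfg }:
let
  host = "host.containers.internal";
  build = { image, secret ? ""
  # … unchanged: remaining parameters …
  }:
  let base = {
    # … unchanged: inherit image, environmentFiles, environment …
    labels = (if subdomain != "" then ({
      # … unchanged: traefik router labels and optional service port …
    }) else {
      "traefik.enable" = "false";
    }) // extraLabels;
    # … unchanged: extraOptions …
  };
  in lib.recursiveUpdate base overrides;
in {
  inherit host;
  __functor = _self: build;
}
```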
diff --git a/modules/server/containers/defs/authentik.nix b/modules/server/containers/defs/authentik.nix
index ee115cb..90bfa7d 100644
--- a/modules/server/containers/defs/authentik.nix
+++ b/modules/server/containers/defs/authentik.nix
@@ -1,4 +1,4 @@
-{ config, containerCfg, pkgs, lib, ... }:
+{ config, containerCfg, pkgs, lib, mkContainer, ... }:
 let serverCfg = config.syscfg.server;
 in {
@@ -14,21 +14,18 @@ in {
 containers = {
- server = {
+ server = mkContainer {
+ subdomain = "sso";
 image = "ghcr.io/goauthentik/server:latest";
- volumes = [
- "${serverCfg.dataPath}/authentik/media:/media"
- "${serverCfg.dataPath}/authentik/templates:/templates"
- ];
- environmentFiles = [
- config.sops.secrets."AUTHENTIK".path
- ];
- environment = {
- "AUTHENTIK_REDIS__HOST" = "host.containers.internal";
- "AUTHENTIK_POSTGRESQL__HOST" = "host.containers.internal";
+ port = containerCfg.port;
+ ip = containerCfg.ip;
+ secret = "authentik";
+ extraEnv = {
+ "AUTHENTIK_REDIS__HOST" = mkContainer.host;
+ "AUTHENTIK_POSTGRESQL__HOST" = mkContainer.host;
 "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
 "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
- "AUTHENTIK_EMAIL__HOST" = "${serverCfg.mailDomain}";
+ "AUTHENTIK_EMAIL__HOST" = serverCfg.mailDomain;
 "AUTHENTIK_EMAIL__PORT" = "587";
 "AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
 "AUTHENTIK_EMAIL__USE_TLS" = "true";
@@ -36,43 +33,39 @@ in {
 "AUTHENTIK_EMAIL__TIMEOUT" = "10";
 "AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
 };
- labels = {
- "traefik.enable" = "true";
- "traefik.http.routers.sso.entrypoints" = "web-secure";
- "traefik.http.routers.sso.rule" = "Host(`sso.${serverCfg.hostDomain}`)";
- "traefik.http.routers.sso.tls" = "true";
- "traefik.http.services.sso.loadbalancer.server.port" = "${toString containerCfg.port}";
+
+ overrides = {
+ cmd = [ "server" ];
+ ports = [ "9999:${toString containerCfg.port}" ];
+ volumes = [
+ "${serverCfg.dataPath}/authentik/media:/media"
+ "${serverCfg.dataPath}/authentik/templates:/templates"
+ ];
 };
- cmd = [ "server" ];
- extraOptions = [
- "--add-host=host.containers.internal:host-gateway"
- "--ip=${containerCfg.ip}"
- ];
- ports = [
- "9999:${toString containerCfg.port}"
- ];
 };
- worker = {
+ worker = mkContainer {
+ subdomain = "sso";
 image = "ghcr.io/goauthentik/server:latest";
- volumes = [
- "${serverCfg.dataPath}/authentik/media:/media"
- "${serverCfg.dataPath}/authentik/templates:/templates"
- "/var/run/docker.sock:/var/run/docker.sock"
- ];
- environmentFiles = [
- config.sops.secrets."AUTHENTIK".path
- ];
- environment = {
- "AUTHENTIK_REDIS__HOST" = "host.containers.internal";
- "AUTHENTIK_POSTGRESQL__HOST" = "host.containers.internal";
+ port = containerCfg.port;
+ ip = containerCfg.ip;
+ secret = "authentik";
+ extraEnv = {
+ "AUTHENTIK_REDIS__HOST" = mkContainer.host;
+ "AUTHENTIK_POSTGRESQL__HOST" = mkContainer.host;
 "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
 "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
 };
- extraOptions = [
- "--add-host=host.containers.internal:host-gateway"
- ];
- cmd = [ "worker" ];
+
+ overrides = {
+ cmd = [ "worker" ];
+ ports = [ "9999:${toString containerCfg.port}" ];
+ volumes = [
+ "${serverCfg.dataPath}/authentik/media:/media"
+ "${serverCfg.dataPath}/authentik/templates:/templates"
+ "/var/run/docker.sock:/var/run/docker.sock"
+ ];
+ };
 };
 };
 }
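Review bot: The rewritten `worker` block passes `subdomain = "sso"`, `port = containerCfg.port`, `ip = containerCfg.ip` and `ports = [ "9999:${toString containerCfg.port}" ]`, none of which the removed worker definition had: it now gets the same Traefik router and service labels as `server` (so Traefik load-balances `sso` across a container that does not serve HTTP), the same `--ip`, and the same host port 9999, which the second container to start cannot bind. Drop `subdomain`, `port`, `ip` and the `ports` override from the worker block; the builder then emits `"traefik.enable" = "false"` for it, matching the old behaviour. `mkContainer.host`, used here and in the `server` block of the previous hunk, selects an attribute from the function that `import ./mkContainer.nix { … }` returns, which fails at evaluation; either keep the literal `"host.containers.internal"` or expose `host` from the builder beside the function rather than inside the produced container set. The `/var/run/docker.sock:/var/run/docker.sock` bind mount is carried over unchanged and deserves a comment naming why the worker needs it, since access to that socket amounts to control of the host's container runtime.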