From 7e62883e66275e57533b39a7375079c2582c820d Mon Sep 17 00:00:00 2001
From: sora-ext
Date: Wed, 13 May 2026 17:30:10 +0200
Subject: [PATCH] Update modules/server/containers/apps/authentik.nix

---
 modules/server/containers/apps/authentik.nix | 56 +++++++++++++-------
 1 file changed, 36 insertions(+), 20 deletions(-)

diff --git a/modules/server/containers/apps/authentik.nix b/modules/server/containers/apps/authentik.nix
index 9179a9c..910db27 100644
--- a/modules/server/containers/apps/authentik.nix
+++ b/modules/server/containers/apps/authentik.nix
@@ -7,6 +7,7 @@ let
 NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain or "nextcloud"}.${serverCfg.hostDomain}";
 AUTHENTIK_DOMAIN = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
 COOKIE_DOMAIN = "${serverCfg.hostDomain}";
+ AUTHENTIK_LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.hostDomain));
 };
 };
 in {
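Review bot: The new `AUTHENTIK_LDAP_DC_DOMAIN` binding is an opaque one-liner and deserves a comment stating what it yields, e.g. `# LDAP base DN: "dc=ldap" followed by one dc= component per label of hostDomain (a.b -> dc=ldap,dc=a,dc=b)`. The leading `dc=ldap,` is hard-coded, while the LDAP outpost added later in this patch is registered under `containerCfg.subdomain` (the same value `AUTHENTIK_DOMAIN` uses), so if the base DN is meant to mirror the outpost's hostname the first component should be derived from that same value rather than a literal. Also note that `lib.splitString "." ""` yields a single empty label, so an empty `hostDomain` silently produces `dc=ldap,dc=`; an `assert` or a clearer failure may be preferable to an invalid DN. The `let` binding set this line sits in starts before the hunk.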
@@ -29,19 +30,20 @@ in {
 port = 9000;
 secret = name;
 extraEnv = {
- "AUTHENTIK_REDIS__HOST" = builder.host;
- "AUTHENTIK_POSTGRESQL__HOST" = builder.host;
- "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
- "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
- "AUTHENTIK_EMAIL__HOST" = serverCfg.mailDomain;
- "AUTHENTIK_EMAIL__PORT" = "587";
- "AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
- "AUTHENTIK_EMAIL__USE_TLS" = "true";
- "AUTHENTIK_EMAIL__USE_SSL" = "false";
- "AUTHENTIK_EMAIL__TIMEOUT" = "10";
- "AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
- "AUTHENTIK_DISABLE_UPDATE_CHECK" = "true";
- "AUTHENTIK_POSTGRESQL__SSLMODE" = "disable";
+ AUTHENTIK_REDIS__HOST = builder.host;
+ AUTHENTIK_POSTGRESQL__HOST = builder.host;
+ AUTHENTIK_POSTGRESQL__USER = "authentik_user";
+ AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
+ AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";
+ AUTHENTIK_EMAIL__HOST = serverCfg.mailDomain;
+ AUTHENTIK_EMAIL__PORT = "587";
+ AUTHENTIK_EMAIL__USERNAME = "noreply@${serverCfg.hostDomain}";
+ AUTHENTIK_EMAIL__USE_TLS = "true";
+ AUTHENTIK_EMAIL__USE_SSL = "false";
+ AUTHENTIK_EMAIL__TIMEOUT = "10";
+ AUTHENTIK_EMAIL__FROM = "sso@noreply.${serverCfg.hostDomain}";
+ AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
+ AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
 };
 overrides = {
 cmd = [ "server" ];
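Review bot: `AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";` in the server's `extraEnv` looks like a corrupted paste of `AUTHENTIK_POSTGRESQL__SSLMODE`; authentik reads no variable by that name and the real `AUTHENTIK_POSTGRESQL__SSLMODE = "disable";` is still set four lines below, so the line should simply be deleted. The same stray line is added to the worker's `extraEnv` in the next hunk (@@ -58,12 +60,13 @@). Because it is a syntactically valid attribute that merely becomes an unused environment variable, evaluation succeeds and nothing will flag it — and if the intent was to change the real key, `"false"` is not a libpq sslmode value (those are `disable`, `require`, `verify-full` and friends), so the effective setting remains `disable` in both containers either way. Dropping the quotes around the remaining keys is fine, as these names are valid Nix identifiers.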
@@ -58,12 +60,13 @@ in { image = "ghcr.io/goauthentik/server:${version}"; secret = "authentik"; extraEnv = { - "AUTHENTIK_REDIS__HOST" = builder.host; - "AUTHENTIK_POSTGRESQL__HOST" = builder.host; - "AUTHENTIK_POSTGRESQL__USER" = "authentik_user"; - "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db"; - "AUTHENTIK_DISABLE_UPDATE_CHECK" = "true"; - "AUTHENTIK_POSTGRESQL__SSLMODE" = "disable"; + AUTHENTIK_REDIS__HOST = builder.host; + AUTHENTIK_POSTGRESQL__HOST = builder.host; + AUTHENTIK_POSTGRESQL__USER = "authentik_user"; + AUTHENTIK_POSTGRESQL__NAME = "authentik_db"; + AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false"; + AUTHENTIK_DISABLE_UPDATE_CHECK = "true"; + AUTHENTIK_POSTGRESQL__SSLMODE = "disable"; }; overrides = { cmd = [ "worker" ]; @@ -74,8 +77,20 @@ in { ]; }; }; - }; + ldap = builder.mkContainer { + subdomain = containerCfg.subdomain; + image = "ghcr.io/goauthentik/ldap:${version}"; + secret = name; + extraEnv = { + "AUTHENTIK_HOST" = "http://${builder.host}:9000"; + "AUTHENTIK_INSECURE" = "false"; + }; + overrides = { + ports = [ "389:3389" "636:6636" ]; + }; + }; + }; setup = { trigger = "worker"; @@ -85,6 +100,7 @@ in { $AK apply_blueprint /blueprints/custom/authentik.yaml $AK apply_blueprint /blueprints/custom/traefik.yaml + $AK apply_blueprint /blueprints/custom/ldap.yaml ${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''} echo "Completed Authentik Setup"
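Review bot: In the new `ldap` container, `ports = [ "389:3389" "636:6636" ];` publishes plaintext LDAP next to LDAPS; if `ports` follows the usual host:container publishing convention this binds 389 on every host interface, and simple binds on that port carry passwords in the clear unless every client negotiates STARTTLS, so consider restricting it to the interface that needs it (`"127.0.0.1:389:3389"`) or publishing only 636, which itself only serves TLS once the LDAP provider has a certificate assigned — presumably in `/blueprints/custom/ldap.yaml`, which the last hunk applies. `AUTHENTIK_INSECURE = "false"` has no effect on an `http://` `AUTHENTIK_HOST` because it only governs certificate verification, so the outpost token travels over plain HTTP on the internal network regardless; a comment recording that this is intentional for the container network would stop the next reader from assuming the flag secures the link. This block also keeps the quoted `"AUTHENTIK_HOST"` key form that the two preceding hunks just converted to bare identifiers; write `AUTHENTIK_HOST = "http://${builder.host}:9000";` for consistency. The enclosing containers set starts before the hunk.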