Update modules/server/containers/apps/authentik.nix

modules/server/containers/apps/authentik.nix

@@ -7,6 +7,7 @@ let
       NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain or "nextcloud"}.${serverCfg.hostDomain}";
       AUTHENTIK_DOMAIN = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
       COOKIE_DOMAIN = "${serverCfg.hostDomain}";
+      AUTHENTIK_LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.hostDomain));
     };
   };
 in {
@@ -29,19 +30,20 @@ in {
       port = 9000;
       secret = name;
       extraEnv = {
-        "AUTHENTIK_REDIS__HOST" = builder.host;
+        AUTHENTIK_REDIS__HOST = builder.host;
-        "AUTHENTIK_POSTGRESQL__HOST" = builder.host;
+        AUTHENTIK_POSTGRESQL__HOST = builder.host;
-        "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
+        AUTHENTIK_POSTGRESQL__USER = "authentik_user";
-        "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
+        AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
-        "AUTHENTIK_EMAIL__HOST" = serverCfg.mailDomain;
+        AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";
-        "AUTHENTIK_EMAIL__PORT" = "587";
+        AUTHENTIK_EMAIL__HOST = serverCfg.mailDomain;
-        "AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
+        AUTHENTIK_EMAIL__PORT = "587";
-        "AUTHENTIK_EMAIL__USE_TLS" = "true";
+        AUTHENTIK_EMAIL__USERNAME = "noreply@${serverCfg.hostDomain}";
-        "AUTHENTIK_EMAIL__USE_SSL" = "false";
+        AUTHENTIK_EMAIL__USE_TLS = "true";
-        "AUTHENTIK_EMAIL__TIMEOUT" = "10";
+        AUTHENTIK_EMAIL__USE_SSL = "false";
-        "AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
+        AUTHENTIK_EMAIL__TIMEOUT = "10";
-        "AUTHENTIK_DISABLE_UPDATE_CHECK" = "true";
+        AUTHENTIK_EMAIL__FROM = "sso@noreply.${serverCfg.hostDomain}";
-        "AUTHENTIK_POSTGRESQL__SSLMODE" = "disable";
+        AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
+        AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
       };
       overrides = {
         cmd = [ "server" ];
@@ -58,12 +60,13 @@ in {
       image = "ghcr.io/goauthentik/server:${version}";
       secret = "authentik";
       extraEnv = {
-        "AUTHENTIK_REDIS__HOST" = builder.host;
+        AUTHENTIK_REDIS__HOST = builder.host;
-        "AUTHENTIK_POSTGRESQL__HOST" = builder.host;
+        AUTHENTIK_POSTGRESQL__HOST = builder.host;
-        "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
+        AUTHENTIK_POSTGRESQL__USER = "authentik_user";
-        "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
+        AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
-        "AUTHENTIK_DISABLE_UPDATE_CHECK" = "true";
+        AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";
-        "AUTHENTIK_POSTGRESQL__SSLMODE" = "disable";
+        AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
+        AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
       };
       overrides = {
         cmd = [ "worker" ];
@@ -74,8 +77,20 @@ in {
         ];
       };
     };
-  };
 
+    ldap = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      image = "ghcr.io/goauthentik/ldap:${version}";
+      secret = name;
+      extraEnv = {
+        "AUTHENTIK_HOST" = "http://${builder.host}:9000"; 
+        "AUTHENTIK_INSECURE" = "false"; 
+      };
+      overrides = {
+        ports = [ "389:3389" "636:6636" ];
+      };
+    };
+  };
 
   setup = {
     trigger = "worker";
@@ -85,6 +100,7 @@ in {
 
       $AK apply_blueprint /blueprints/custom/authentik.yaml
       $AK apply_blueprint /blueprints/custom/traefik.yaml
+      $AK apply_blueprint /blueprints/custom/ldap.yaml
       ${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''}
 
       echo "Completed Authentik Setup"