nginx

2026-05-07 00:03:43 +02:00
parent 7d80478e83
commit 8092bac6b7
3 changed files with 47 additions and 4 deletions
--- a/modules/server/containers/defs/authentik.nix
+++ b/modules/server/containers/defs/authentik.nix
@@ -13,9 +13,8 @@ in {
  }];

  containers = {
-
    server = builder.mkContainer {
-      subdomain = "sso";
+      subdomain = containerCfg.subdomain;
      image = "ghcr.io/goauthentik/server:latest";
      port = containerCfg.port;
      ip = containerCfg.ip;
@@ -33,7 +32,6 @@ in {
        "AUTHENTIK_EMAIL__TIMEOUT" = "10";
        "AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
      };
-
      overrides = {
        cmd = [ "server" ];
        ports = [ "9999:${toString containerCfg.port}" ];
@@ -45,7 +43,6 @@ in {
    };

    worker = builder.mkContainer {
-      subdomain = "sso";
      image = "ghcr.io/goauthentik/server:latest";
      secret = "authentik";
      extraEnv = {
--- a/modules/server/nginx/default.nix
+++ b/modules/server/nginx/default.nix
@@ -0,0 +1,45 @@
+{ config, lib, ... }:
+let
+  cfg = config.syscfg.server;
+  containers = cfg.containers; 
+  
+  # Function to convert your container config into an NGINX vhost
+  mkVhost = name: container: {
+    forceSSL = true;
+    useACMEHost = "${cfg.hostDomain}";
+    locations."/" = {
+      proxyPass = "http://${container.ip}:${toString container.port}";
+      proxyWebsockets = true; # Recommended for modern apps
+    };
+  };
+in {
+
+
+security.acme = {
+  acceptTerms = true;
+  defaults.email = "admin@domain.org";
+
+  certs."${cfg.hostDomain}" = {
+    domain = "*.${cfg.hostDomain}";
+    extraDomainNames = [ "${cfg.hostDomain}" ]; # Adds the root too
+    dnsProvider = "cloudflare"; # Change to your provider
+    # File containing your API token (e.g. CLOUDFLARE_DNS_API_TOKEN=...)
+    credentialsFile = "/var/lib/secrets/acme-dns.env";
+    group = "nginx"; 
+  };
+};
+
+  services.nginx = {
+    enable = true;
+    
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    virtualHosts = lib.mapAttrs' (name: value: 
+      lib.nameValuePair "${value.subdomain}.${cfg.hostDomain}" (mkVhost name value)
+    ) cfg;
+  };
+
+  # Open the firewall
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+}