Refactor
This commit is contained in:
soraefir
@@ -16,99 +16,104 @@ let
|
||||
// (if serverCfg.containers?nextcloud then { NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain}.${serverCfg.domain}";} else {});
|
||||
};
|
||||
in {
|
||||
sops = true;
|
||||
db = true;
|
||||
paths = [{
|
||||
path="${serverCfg.path.config}/authentik";
|
||||
owner = "1000:1000";
|
||||
dirs = ["media" "templates"];
|
||||
mode = "0755";
|
||||
}];
|
||||
|
||||
containers = {
|
||||
server = builder.mkContainer {
|
||||
subdomain = containerCfg.subdomain;
|
||||
image = "ghcr.io/goauthentik/server:${version}";
|
||||
port = 9000;
|
||||
secret = name;
|
||||
extraEnv = {
|
||||
AUTHENTIK_REDIS__HOST = builder.host;
|
||||
AUTHENTIK_POSTGRESQL__HOST = builder.host;
|
||||
AUTHENTIK_POSTGRESQL__USER = "authentik_user";
|
||||
AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
|
||||
AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";
|
||||
AUTHENTIK_EMAIL__HOST = serverCfg.mailDomain;
|
||||
AUTHENTIK_EMAIL__PORT = "587";
|
||||
AUTHENTIK_EMAIL__USERNAME = "noreply@${serverCfg.domain}";
|
||||
AUTHENTIK_EMAIL__USE_TLS = "true";
|
||||
AUTHENTIK_EMAIL__USE_SSL = "false";
|
||||
AUTHENTIK_EMAIL__TIMEOUT = "10";
|
||||
AUTHENTIK_EMAIL__FROM = "sso@noreply.${serverCfg.domain}";
|
||||
AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
|
||||
AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
|
||||
};
|
||||
overrides = {
|
||||
environmentFiles = [ config.sops.secrets."AUTHENTIK".path config.sops.secrets."CUSTOM".path ] ;
|
||||
|
||||
cmd = [ "server" ];
|
||||
volumes = [
|
||||
"${serverCfg.path.config}/authentik/media:/media"
|
||||
"${serverCfg.path.config}/authentik/templates:/templates"
|
||||
"${authentikData}:/blueprints/custom:ro"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
worker = builder.mkContainer {
|
||||
image = "ghcr.io/goauthentik/server:${version}";
|
||||
secret = name;
|
||||
extraEnv = {
|
||||
AUTHENTIK_REDIS__HOST = builder.host;
|
||||
AUTHENTIK_POSTGRESQL__HOST = builder.host;
|
||||
AUTHENTIK_POSTGRESQL__USER = "authentik_user";
|
||||
AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
|
||||
AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";
|
||||
AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
|
||||
AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
|
||||
};
|
||||
overrides = {
|
||||
cmd = [ "worker" ];
|
||||
volumes = [
|
||||
"${serverCfg.path.config}/authentik/media:/media"
|
||||
"${serverCfg.path.config}/authentik/templates:/templates"
|
||||
"${authentikData}:/blueprints/custom:ro"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
ldap = builder.mkContainer {
|
||||
image = "ghcr.io/goauthentik/ldap:${version}";
|
||||
secret = name;
|
||||
extraEnv = {
|
||||
AUTHENTIK_HOST = "https://${containerCfg.subdomain}.${serverCfg.domain}";
|
||||
AUTHENTIK_INSECURE = "false";
|
||||
};
|
||||
};
|
||||
requires = {
|
||||
secrets = [ name ];
|
||||
databases = [ name ];
|
||||
};
|
||||
|
||||
setup = {
|
||||
trigger = "worker";
|
||||
script = pkgs.writeShellScript "setup" ''
|
||||
# Define the command wrapper
|
||||
AK="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.domain} -u root authentik-worker ak"
|
||||
runtime = {
|
||||
paths = [{
|
||||
path="${serverCfg.path.config}/authentik";
|
||||
owner = "1000:1000";
|
||||
dirs = ["media" "templates"];
|
||||
mode = "0755";
|
||||
}];
|
||||
|
||||
$AK apply_blueprint /blueprints/custom/authentik.yaml
|
||||
$AK apply_blueprint /blueprints/custom/traefik.yaml
|
||||
$AK apply_blueprint /blueprints/custom/ldap.yaml
|
||||
containers = {
|
||||
server = builder.mkContainer {
|
||||
subdomain = containerCfg.subdomain;
|
||||
image = "ghcr.io/goauthentik/server:${version}";
|
||||
port = 9000;
|
||||
secret = name;
|
||||
extraEnv = {
|
||||
AUTHENTIK_REDIS__HOST = builder.host;
|
||||
AUTHENTIK_POSTGRESQL__HOST = builder.host;
|
||||
AUTHENTIK_POSTGRESQL__USER = "authentik_user";
|
||||
AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
|
||||
AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";
|
||||
AUTHENTIK_EMAIL__HOST = serverCfg.mailDomain;
|
||||
AUTHENTIK_EMAIL__PORT = "587";
|
||||
AUTHENTIK_EMAIL__USERNAME = "noreply@${serverCfg.domain}";
|
||||
AUTHENTIK_EMAIL__USE_TLS = "true";
|
||||
AUTHENTIK_EMAIL__USE_SSL = "false";
|
||||
AUTHENTIK_EMAIL__TIMEOUT = "10";
|
||||
AUTHENTIK_EMAIL__FROM = "sso@noreply.${serverCfg.domain}";
|
||||
AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
|
||||
AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
|
||||
};
|
||||
overrides = {
|
||||
environmentFiles = [ config.sops.secrets."AUTHENTIK".path config.sops.secrets."CUSTOM".path ] ;
|
||||
|
||||
cmd = [ "server" ];
|
||||
volumes = [
|
||||
"${serverCfg.path.config}/authentik/media:/media"
|
||||
"${serverCfg.path.config}/authentik/templates:/templates"
|
||||
"${authentikData}:/blueprints/custom:ro"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
${lib.optionalString (serverCfg.containers ? gitea) ''$AK apply_blueprint /blueprints/custom/gitea.yaml''}
|
||||
${lib.optionalString (serverCfg.containers ? jellyfin) ''$AK apply_blueprint /blueprints/custom/jellyfin.yaml''}
|
||||
${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''}
|
||||
${lib.optionalString (serverCfg.containers ? immich) ''$AK apply_blueprint /blueprints/custom/immich.yaml''}
|
||||
${lib.optionalString (serverCfg.containers ? freshrss) ''$AK apply_blueprint /blueprints/custom/freshrss.yaml''}
|
||||
${lib.optionalString (serverCfg.containers ? homepage) ''$AK apply_blueprint /blueprints/custom/homepage.yaml''}
|
||||
worker = builder.mkContainer {
|
||||
image = "ghcr.io/goauthentik/server:${version}";
|
||||
secret = name;
|
||||
extraEnv = {
|
||||
AUTHENTIK_REDIS__HOST = builder.host;
|
||||
AUTHENTIK_POSTGRESQL__HOST = builder.host;
|
||||
AUTHENTIK_POSTGRESQL__USER = "authentik_user";
|
||||
AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
|
||||
AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";
|
||||
AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
|
||||
AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
|
||||
};
|
||||
overrides = {
|
||||
cmd = [ "worker" ];
|
||||
volumes = [
|
||||
"${serverCfg.path.config}/authentik/media:/media"
|
||||
"${serverCfg.path.config}/authentik/templates:/templates"
|
||||
"${authentikData}:/blueprints/custom:ro"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
echo "Completed Authentik Setup"
|
||||
ldap = builder.mkContainer {
|
||||
image = "ghcr.io/goauthentik/ldap:${version}";
|
||||
secret = name;
|
||||
extraEnv = {
|
||||
AUTHENTIK_HOST = "https://${containerCfg.subdomain}.${serverCfg.domain}";
|
||||
AUTHENTIK_INSECURE = "false";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
setup = {
|
||||
trigger = "worker";
|
||||
script = pkgs.writeShellScript "setup" ''
|
||||
# Define the command wrapper
|
||||
AK="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.domain} -u root authentik-worker ak"
|
||||
|
||||
$AK apply_blueprint /blueprints/custom/authentik.yaml
|
||||
$AK apply_blueprint /blueprints/custom/traefik.yaml
|
||||
$AK apply_blueprint /blueprints/custom/ldap.yaml
|
||||
|
||||
${lib.optionalString (serverCfg.containers ? gitea) ''$AK apply_blueprint /blueprints/custom/gitea.yaml''}
|
||||
${lib.optionalString (serverCfg.containers ? jellyfin) ''$AK apply_blueprint /blueprints/custom/jellyfin.yaml''}
|
||||
${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''}
|
||||
${lib.optionalString (serverCfg.containers ? immich) ''$AK apply_blueprint /blueprints/custom/immich.yaml''}
|
||||
${lib.optionalString (serverCfg.containers ? freshrss) ''$AK apply_blueprint /blueprints/custom/freshrss.yaml''}
|
||||
${lib.optionalString (serverCfg.containers ? homepage) ''$AK apply_blueprint /blueprints/custom/homepage.yaml''}
|
||||
|
||||
echo "Completed Authentik Setup"
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user