diff --git a/modules/server/containers/default.nix b/modules/server/containers/default.nix
index 28061a9..0fa2c39 100644
--- a/modules/server/containers/default.nix
+++ b/modules/server/containers/default.nix
@@ -8,7 +8,7 @@ let
 inherit (containerCfg) port special_param;
 } ) enabledConfigs;
- mergedContainers = lib.attrsets.mergeAttrsList containerSetsList;
+ mergedContainers = lib.attrsets.mergeAttrsList (lib.map(e: e.containers) containerSetsList);
 in { config = lib.mkIf ( enabledConfigs != {} ) {
diff --git a/modules/server/containers/defs/authentik.nix b/modules/server/containers/defs/authentik.nix
index 222ae2f..1e85664 100644
--- a/modules/server/containers/defs/authentik.nix
+++ b/modules/server/containers/defs/authentik.nix 
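Review bot: `lib.map(e: e.containers) containerSetsList` makes a `containers` attribute mandatory for every entry of `containerSetsList`, so any definition under `defs/` still in the old flat shape now fails evaluation with a missing-attribute error instead of being merged; every def must be converted in this same commit, or the projection needs a transitional fallback such as `lib.map (e: e.containers or e) containerSetsList`. Everything else a def sets beside `containers` is discarded by this expression — the authentik def in this commit adds a `systemd` attribute next to `containers`, and nothing in this hunk forwards it into the system configuration, so it is silently dropped unless a part of default.nix outside the hunk reads it. A one-line comment above the binding would make the contract explicit, e.g. `# each def is { containers = {...}; ... }; only `containers` is merged into mergedContainers`. The enclosing `let` begins and the `config = lib.mkIf` block ends outside this hunk.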
@@ -1,79 +1,82 @@
 { config, pkgs, lib, ... }: let serverCfg = config.syscfg.server;
 in {
- auth_postgresql = {
- image = "postgres:14-alpine";
- hostname = "auth_postgresql";
- volumes = [ ];
- environment = {
- POSTGRES_PASSWORD = "/run/secrets/AUTHENTIK_POSTGRESQL__PASSWORD";
- POSTGRES_USER = "authentik";
- POSTGRES_DB = "authentik";
+ systemd.tmfiles.rules = [
+ "d ${serverCfg.dataPath}/authentik/media 0755 root root -"
+ "d ${serverCfg.dataPath}/authentik/template 0755 root root -"
+ ];
+ containers = {
+ auth_postgresql = {
+ image = "postgres:14-alpine";
+ hostname = "auth_postgresql";
+ volumes = [ ];
+ environment = {
+ POSTGRES_PASSWORD = "/run/secrets/AUTHENTIK_POSTGRESQL__PASSWORD";
+ POSTGRES_USER = "authentik";
+ POSTGRES_DB = "authentik";
+ };
 };
- labels = { "traefik.enable" = "false"; };
- };
- auth_redis = {
- image = "redis:alpine";
- hostname = "auth_redis";
- volumes = [ ];
- environment = { };
- labels = { "traefik.enable" = "false"; };
- };
+ auth_redis = {
+ image = "redis:alpine";
+ hostname = "auth_redis";
+ volumes = [ ];
+ environment = { };
+ };
- auth_server = {
- image = "ghcr.io/goauthentik/server:latest";
- hostname = "auth_server";
- volumes = [
- "${serverCfg.dataPath}/authentik/media:/media"
- "${serverCfg.dataPath}/authentik/templates:/templates"
- ];
- environment = {
- "AUTHENTIK_REDIS__HOST" = "auth_redis";
- "AUTHENTIK_POSTGRESQL__HOST" = "auth_postgresql";
- "AUTHENTIK_POSTGRESQL__USER" = "authentik";
- "AUTHENTIK_POSTGRESQL__NAME" = "authentik";
- "AUTHENTIK_POSTGRESQL__PASSWORD" = "AUTHENTIK_DB_PASSWORD";
- "AUTHENTIK_SECRET_KEY" = "AUTHENTIK_SECRET_KEY";
- "AUTHENTIK_EMAIL__HOST" = "${serverCfg.mailDomain}";
- "AUTHENTIK_EMAIL__PORT" = "587";
- "AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
- "AUTHENTIK_EMAIL__PASSWORD" = "AUTHENTIK_EMAIL_PASSWORD";
- "AUTHENTIK_EMAIL__USE_TLS" = "true";
- "AUTHENTIK_EMAIL__USE_SSL" = "false";
- "AUTHENTIK_EMAIL__TIMEOUT" = "10";
- "AUTHENTIK_EMAIL__FROM" = 
"sso@noreply.${serverCfg.hostDomain}";
+ auth_server = {
+ image = "ghcr.io/goauthentik/server:latest";
+ hostname = "auth_server";
+ volumes = [
+ "${serverCfg.dataPath}/authentik/media:/media"
+ "${serverCfg.dataPath}/authentik/templates:/templates"
+ ];
+ environment = {
+ "AUTHENTIK_REDIS__HOST" = "auth_redis";
+ "AUTHENTIK_POSTGRESQL__HOST" = "auth_postgresql";
+ "AUTHENTIK_POSTGRESQL__USER" = "authentik";
+ "AUTHENTIK_POSTGRESQL__NAME" = "authentik";
+ "AUTHENTIK_POSTGRESQL__PASSWORD" = "AUTHENTIK_DB_PASSWORD";
+ "AUTHENTIK_SECRET_KEY" = "AUTHENTIK_SECRET_KEY";
+ "AUTHENTIK_EMAIL__HOST" = "${serverCfg.mailDomain}";
+ "AUTHENTIK_EMAIL__PORT" = "587";
+ "AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
+ "AUTHENTIK_EMAIL__PASSWORD" = "AUTHENTIK_EMAIL_PASSWORD";
+ "AUTHENTIK_EMAIL__USE_TLS" = "true";
+ "AUTHENTIK_EMAIL__USE_SSL" = "false";
+ "AUTHENTIK_EMAIL__TIMEOUT" = "10";
+ "AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
+ };
+ labels = {
+ "traefik.enable" = "true";
+ "traefik.http.routers.sso.entrypoints" = "web-secure";
+ "traefik.http.routers.sso.rule" = "Host(`sso.${serverCfg.hostDomain}`)";
+ "traefik.http.routers.sso.tls" = "true";
+ "traefik.http.services.sso.loadbalancer.server.port" = "9000";
+ };
+ cmd = [ "server" ];
+ ports = [
+ "9999:9000"
+ ];
 };
- labels = {
- "traefik.enable" = "true";
- "traefik.http.routers.sso.entrypoints" = "web-secure";
- "traefik.http.routers.sso.rule" = "Host(`sso.${serverCfg.hostDomain}`)";
- "traefik.http.routers.sso.tls" = "true";
- "traefik.http.services.sso.loadbalancer.server.port" = "9000";
- };
- cmd = [ "server" ];
- ports = [
- "9999:9000"
- ];
- };
- auth_worker = {
- image = "ghcr.io/goauthentik/server:latest";
- hostname = "auth_worker";
- volumes = [
- "${serverCfg.dataPath}/authentik/media:/media"
- "${serverCfg.dataPath}/authentik/templates:/templates"
- "/var/run/docker.sock:/var/run/docker.sock"
- ];
- environment = {
- "AUTHENTIK_REDIS__HOST" = "auth_redis";
- 
"AUTHENTIK_POSTGRESQL__HOST" = "auth_postgresql";
- "AUTHENTIK_POSTGRESQL__USER" = "authentik";
- "AUTHENTIK_POSTGRESQL__NAME" = "authentik";
- "AUTHENTIK_POSTGRESQL__PASSWORD" = "AUTHENTIK_DB_PASSWORD";
- "AUTHENTIK_SECRET_KEY" = "AUTHENTIK_SECRET_KEY";
+ auth_worker = {
+ image = "ghcr.io/goauthentik/server:latest";
+ hostname = "auth_worker";
+ volumes = [
+ "${serverCfg.dataPath}/authentik/media:/media"
+ "${serverCfg.dataPath}/authentik/templates:/templates"
+ "/var/run/docker.sock:/var/run/docker.sock"
+ ];
+ environment = {
+ "AUTHENTIK_REDIS__HOST" = "auth_redis";
+ "AUTHENTIK_POSTGRESQL__HOST" = "auth_postgresql";
+ "AUTHENTIK_POSTGRESQL__USER" = "authentik";
+ "AUTHENTIK_POSTGRESQL__NAME" = "authentik";
+ "AUTHENTIK_POSTGRESQL__PASSWORD" = "AUTHENTIK_DB_PASSWORD";
+ "AUTHENTIK_SECRET_KEY" = "AUTHENTIK_SECRET_KEY";
+ };
+ cmd = [ "worker" ];
 };
- labels = { "traefik.enable" = "false"; };
- cmd = [ "worker" ];
 };
 }
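Review bot: `systemd.tmfiles.rules` at the top of the new side is misspelled (the NixOS option is `systemd.tmpfiles.rules`), and its second rule creates `${serverCfg.dataPath}/authentik/template` while `auth_server` and `auth_worker` both mount `${serverCfg.dataPath}/authentik/templates`, so the directory the volumes reference is never created; the two lines should read `systemd.tmpfiles.rules = [` and `"d ${serverCfg.dataPath}/authentik/templates 0755 root root -"`. Whether these rules are applied at all depends on default.nix, which in this commit only merges `e.containers` from each def, so the `systemd` attribute is likely discarded rather than rejected — worth confirming after a rebuild that the tmpfiles entries actually exist. Dropping `labels = { "traefik.enable" = "false"; }` from `auth_postgresql`, `auth_redis` and `auth_worker` is only safe if the Traefik docker provider runs with `exposedByDefault = false`; with the provider's default of `true` those backends become auto-exposed through the proxy, so keep the labels unless that setting is confirmed. The carried-over `POSTGRES_PASSWORD = "/run/secrets/AUTHENTIK_POSTGRESQL__PASSWORD"` hands the postgres image a file path as the literal password while `auth_server` sends `"AUTHENTIK_DB_PASSWORD"`, so unless a later layer substitutes both values they cannot match; `POSTGRES_PASSWORD_FILE` is the variable that image reads a secret file from. The worker's `/var/run/docker.sock` mount is also unchanged and grants host-root-equivalent access, which is fine only if the docker outpost integration is actually in use.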