Add authentik blueprints

2026-05-10 18:29:53 +02:00
parent 9813e7d49a
commit c637fea0d0
9 changed files with 170 additions and 25 deletions
--- a/modules/server/containers/apps/authentik.nix
+++ b/modules/server/containers/apps/authentik.nix
@@ -0,0 +1,93 @@
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
+let 
+  version = "2026.2.2";
+  serverCfg = config.syscfg.server;
+  authentikData = ${builder.mkData { 
+    name = "authentik"; dir = "authentik"; vars = {
+      NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain or "nextcloud"}.${serverCfg.hostDomain}";
+      AUTHENTIK_DOMAIN = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
+      COOKIE_DOMAIN = "*.${serverCfg.hostDomain}";
+    };
+  }};
+in {
+  paths = [{
+    path="${serverCfg.configPath}/authentik/media";
+    owner = "1000:1000";
+    mode = "0755";
+  }{
+    path="${serverCfg.configPath}/authentik/templates";
+    owner = "1000:1000";
+    mode = "0755";
+  }];
+
+  containers = {
+    server = builder.mkContainer {
+      subdomain = containerCfg.subdomain;
+      image = "ghcr.io/goauthentik/server:${version}";
+      port = containerCfg.port;
+      ip = containerCfg.ip;
+      secret = name;
+      extraEnv = {
+        "AUTHENTIK_REDIS__HOST" = builder.host;
+        "AUTHENTIK_POSTGRESQL__HOST" = builder.host;
+        "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
+        "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
+        "AUTHENTIK_EMAIL__HOST" = serverCfg.mailDomain;
+        "AUTHENTIK_EMAIL__PORT" = "587";
+        "AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
+        "AUTHENTIK_EMAIL__USE_TLS" = "true";
+        "AUTHENTIK_EMAIL__USE_SSL" = "false";
+        "AUTHENTIK_EMAIL__TIMEOUT" = "10";
+        "AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
+        "AUTHENTIK_DISABLE_UPDATE_CHECK" = "true";
+        "AUTHENTIK_POSTGRESQL__SSLMODE" = "disable";
+      };
+      overrides = {
+        cmd = [ "server" ];
+        ports = if containerCfg.pubPort!=null && containerCfg.port!=null then [ "${toString containerCfg.pubPort}:${toString containerCfg.port}" ] else [];
+        volumes = [
+          "${serverCfg.configPath}/authentik/media:/media"
+          "${serverCfg.configPath}/authentik/templates:/templates"
+          "${authentikData}:/blueprints/custom:ro"
+        ];
+      };
+    };
+
+    worker = builder.mkContainer {
+      image = "ghcr.io/goauthentik/server:${version}";
+      secret = "authentik";
+      extraEnv = {
+        "AUTHENTIK_REDIS__HOST" = builder.host;
+        "AUTHENTIK_POSTGRESQL__HOST" = builder.host;
+        "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
+        "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
+        "AUTHENTIK_DISABLE_UPDATE_CHECK" = "true";
+        "AUTHENTIK_POSTGRESQL__SSLMODE" = "disable";
+      };
+      # extraOptions = [ "--user=:994" ]; #PODMAN GROUP FOR SOCKET ACCESS
+      overrides = {
+        cmd = [ "worker" ];
+        volumes = [
+          "${serverCfg.configPath}/authentik/media:/media"
+          "${serverCfg.configPath}/authentik/templates:/templates"
+          "${authentikData}:/blueprints/custom:ro"
+          # "/var/run/podman/podman.sock:/var/run/docker.sock" #PODMAN GROUP FOR SOCKET ACCESS
+        ];
+      };
+    };
+  };
+
+
+  setup = {
+    trigger="worker";
+    script = pkgs.writeShellScript "setup" ''
+      # Define the command wrapper
+      AK="${pkgs.podman}/bin/podman --events-backend=none exec -u root authentik-worker ak"
+
+      $AK blueprint_apply /blueprints/custom/traefik.yaml
+      ${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK blueprint_apply /blueprints/custom/nextcloud.yaml''}
+
+      echo "Completed Authentik Setup"
+      '';
+  };
+}