diff --git a/modules/server/containers/default.nix b/modules/server/containers/default.nix
index 5354d9c..28061a9 100644
--- a/modules/server/containers/default.nix
+++ b/modules/server/containers/default.nix
@@ -1,27 +1,20 @@
 { config, pkgs, lib, ... }:
 let
- # enabledContainers = lib.filterAttrs (name: cfg: cfg.enable) config.syscfg.server.containers;
- # containerImports = {
- # cloud = import ./defs/cloud.nix;
- # authentik = import ./defs/authentik.nix;
- # };
- containerDir = ./defs;
- allFiles = builtins.readDir containerDir;
- enabledNames = lib.filterAttrs (name: cfg: cfg.enable) config.syscfg.server.containers;
- activeContainers = lib.mapAttrs (name: cfg:
- let
- fileName = "${name}.nix";
- in
- if builtins.hasAttr fileName allFiles
- then import (containerDir + "/${fileName}")
- else throw "Container config for '${name}' enabled, but ${containerDir}/${fileName} does not exist!"
- ) enabledNames;
+ cfg = config.syscfg.server.containers;
+ enabledConfigs = lib.filterAttrs (name: c: c.enable) cfg;
+ containerSetsList = lib.mapAttrsToList (name: containerCfg:
+ import (./defs + "/${name}.nix") {
+ inherit config pkgs lib ;
+ inherit (containerCfg) port special_param;
+ }
+ ) enabledConfigs;
+ mergedContainers = lib.attrsets.mergeAttrsList containerSetsList;
 in
 {
- config = lib.mkIf ( enabledNames != {} ) {
+ config = lib.mkIf ( enabledConfigs != {} ) {
 virtualisation.oci-containers = {
 backend = "podman";
- containers = activeContainers;
+ containers = mergedContainers;
 };
 };
 }
\ No newline at end of file
diff --git a/modules/server/containers/defs/authentik.nix b/modules/server/containers/defs/authentik.nix
index 1dfd981..222ae2f 100644
--- a/modules/server/containers/defs/authentik.nix
+++ b/modules/server/containers/defs/authentik.nix
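Review bot: `inherit (containerCfg) port special_param;` makes evaluation fail with a missing-attribute error for any enabled container whose option set does not declare both attributes, and nothing visible in this commit declares them — the sandbox config only sets `authentik = {enable = true;}` and authentik.nix's `{ config, pkgs, lib, ... }:` never reads them — so unless the option type (not shown here) defaults them, this breaks the moment a container is enabled; if they are meant to be optional, pass `port = containerCfg.port or null; special_param = containerCfg.special_param or null;` instead. The dropped `builtins.hasAttr`/`throw` guard also means a container name with no matching defs file now surfaces as a bare import error rather than the previous explanatory message, which is worth keeping as `assert builtins.pathExists (./defs + "/${name}.nix") || throw "Container '${name}' enabled but defs/${name}.nix does not exist";`. Separately, `lib.attrsets.mergeAttrsList` resolves a container name defined by two def files by silently letting the later one win, so a duplicate like `auth_redis` in two files would run one service's image with the other's environment and labels; either namespace the container names with `name` or fold with an assertion that the key sets are disjoint so the collision is a hard evaluation error.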
@@ -1,104 +1,79 @@ { config, pkgs, lib, ... }: let serverCfg = config.syscfg.server; in { - project.name = "authentik"; - - networks = { - internal = { - name = lib.mkForce "internal"; - internal = true; - }; - external = { - name = lib.mkForce "external"; - internal = false; + auth_postgresql = { + image = "postgres:14-alpine"; + hostname = "auth_postgresql"; + volumes = [ ]; + environment = { + POSTGRES_PASSWORD = "/run/secrets/AUTHENTIK_POSTGRESQL__PASSWORD"; + POSTGRES_USER = "authentik"; + POSTGRES_DB = "authentik"; }; + labels = { "traefik.enable" = "false"; }; }; - services = { + auth_redis = { + image = "redis:alpine"; + hostname = "auth_redis"; + volumes = [ ]; + environment = { }; + labels = { "traefik.enable" = "false"; }; + }; - auth_postgresql.service = { - image = "postgres:14-alpine"; - container_name = "auth_postgresql"; - restart = "unless-stopped"; - networks = [ "internal" ]; - volumes = [ ]; - environment = { - POSTGRES_PASSWORD = "/run/secrets/AUTHENTIK_POSTGRESQL__PASSWORD"; - POSTGRES_USER = "authentik"; - POSTGRES_DB = "authentik"; - }; + auth_server = { + image = "ghcr.io/goauthentik/server:latest"; + hostname = "auth_server"; + volumes = [ + "${serverCfg.dataPath}/authentik/media:/media" + "${serverCfg.dataPath}/authentik/templates:/templates" + ]; + environment = { + "AUTHENTIK_REDIS__HOST" = "auth_redis"; + "AUTHENTIK_POSTGRESQL__HOST" = "auth_postgresql"; + "AUTHENTIK_POSTGRESQL__USER" = "authentik"; + "AUTHENTIK_POSTGRESQL__NAME" = "authentik"; + "AUTHENTIK_POSTGRESQL__PASSWORD" = "AUTHENTIK_DB_PASSWORD"; + "AUTHENTIK_SECRET_KEY" = "AUTHENTIK_SECRET_KEY"; + "AUTHENTIK_EMAIL__HOST" = "${serverCfg.mailDomain}"; + "AUTHENTIK_EMAIL__PORT" = "587"; + "AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}"; + "AUTHENTIK_EMAIL__PASSWORD" = "AUTHENTIK_EMAIL_PASSWORD"; + "AUTHENTIK_EMAIL__USE_TLS" = "true"; + "AUTHENTIK_EMAIL__USE_SSL" = "false"; + "AUTHENTIK_EMAIL__TIMEOUT" = "10"; + "AUTHENTIK_EMAIL__FROM" = 
"sso@noreply.${serverCfg.hostDomain}"; }; + labels = { + "traefik.enable" = "true"; + "traefik.http.routers.sso.entrypoints" = "web-secure"; + "traefik.http.routers.sso.rule" = "Host(`sso.${serverCfg.hostDomain}`)"; + "traefik.http.routers.sso.tls" = "true"; + "traefik.http.services.sso.loadbalancer.server.port" = "9000"; + }; + cmd = [ "server" ]; + ports = [ + "9999:9000" + ]; + }; - auth_redis.service = { - image = "redis:alpine"; - container_name = "auth_redis"; - restart = "unless-stopped"; - networks = [ "internal" ]; - volumes = [ ]; - environment = { }; - labels = { "traefik.enable" = "false"; }; - }; - - auth_server.service = { - image = "ghcr.io/goauthentik/server:latest"; - container_name = "auth_server"; - restart = "unless-stopped"; - networks = [ "internal" "external" ]; - volumes = [ - "${serverCfg.dataPath}/authentik/media:/media" - "${serverCfg.dataPath}/authentik/templates:/templates" - ]; - environment = { - "AUTHENTIK_REDIS__HOST" = "auth_redis"; - "AUTHENTIK_POSTGRESQL__HOST" = "auth_postgresql"; - "AUTHENTIK_POSTGRESQL__USER" = "authentik"; - "AUTHENTIK_POSTGRESQL__NAME" = "authentik"; - "AUTHENTIK_POSTGRESQL__PASSWORD" = "AUTHENTIK_DB_PASSWORD"; - "AUTHENTIK_SECRET_KEY" = "AUTHENTIK_SECRET_KEY"; - "AUTHENTIK_EMAIL__HOST" = "${serverCfg.mailDomain}"; - "AUTHENTIK_EMAIL__PORT" = "587"; - "AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}"; - "AUTHENTIK_EMAIL__PASSWORD" = "AUTHENTIK_EMAIL_PASSWORD"; - "AUTHENTIK_EMAIL__USE_TLS" = "true"; - "AUTHENTIK_EMAIL__USE_SSL" = "false"; - "AUTHENTIK_EMAIL__TIMEOUT" = "10"; - "AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}"; - }; - labels = { - "traefik.enable" = "true"; - "traefik.http.routers.sso.entrypoints" = "web-secure"; - "traefik.http.routers.sso.rule" = "Host(`sso.${serverCfg.hostDomain}`)"; - "traefik.http.routers.sso.tls" = "true"; - "traefik.http.services.sso.loadbalancer.server.port" = "9000"; - "traefik.docker.network" = "external"; - }; - command = "server"; - 
ports = [ - "9999:9000" # host:container - ]; - }; - - auth_worker.service = { - image = "ghcr.io/goauthentik/server:latest"; - container_name = "auth_worker"; - restart = "unless-stopped"; - networks = [ "internal" ]; - volumes = [ - "${serverCfg.dataPath}/authentik/media:/media" - "${serverCfg.dataPath}/authentik/templates:/templates" - "/var/run/docker.sock:/var/run/docker.sock" - ]; - environment = { - "AUTHENTIK_REDIS__HOST" = "auth_redis"; - "AUTHENTIK_POSTGRESQL__HOST" = "auth_postgresql"; - "AUTHENTIK_POSTGRESQL__USER" = "authentik"; - "AUTHENTIK_POSTGRESQL__NAME" = "authentik"; - "AUTHENTIK_POSTGRESQL__PASSWORD" = "AUTHENTIK_DB_PASSWORD"; - "AUTHENTIK_SECRET_KEY" = "AUTHENTIK_SECRET_KEY"; - }; - labels = { "traefik.enable" = "false"; }; - command = "worker"; - user = "root"; + auth_worker = { + image = "ghcr.io/goauthentik/server:latest"; + hostname = "auth_worker"; + volumes = [ + "${serverCfg.dataPath}/authentik/media:/media" + "${serverCfg.dataPath}/authentik/templates:/templates" + "/var/run/docker.sock:/var/run/docker.sock" + ]; + environment = { + "AUTHENTIK_REDIS__HOST" = "auth_redis"; + "AUTHENTIK_POSTGRESQL__HOST" = "auth_postgresql"; + "AUTHENTIK_POSTGRESQL__USER" = "authentik"; + "AUTHENTIK_POSTGRESQL__NAME" = "authentik"; + "AUTHENTIK_POSTGRESQL__PASSWORD" = "AUTHENTIK_DB_PASSWORD"; + "AUTHENTIK_SECRET_KEY" = "AUTHENTIK_SECRET_KEY"; }; + labels = { "traefik.enable" = "false"; }; + cmd = [ "worker" ]; }; } diff --git a/systems/sandbox/cfg.nix b/systems/sandbox/cfg.nix index 8ce2c68..12e6d2a 100644 --- a/systems/sandbox/cfg.nix +++ b/systems/sandbox/cfg.nix @@ -30,7 +30,7 @@ dbHost = "localhost"; containers = { - cloud = {enable = true;}; + #cloud = {enable = true;}; authentik = {enable = true;}; }; };
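Review bot: The secrets on the new side are still literal placeholder strings committed to the repository — `"AUTHENTIK_POSTGRESQL__PASSWORD" = "AUTHENTIK_DB_PASSWORD"`, `"AUTHENTIK_SECRET_KEY" = "AUTHENTIK_SECRET_KEY"` and `"AUTHENTIK_EMAIL__PASSWORD" = "AUTHENTIK_EMAIL_PASSWORD"` in auth_server/auth_worker, and `POSTGRES_PASSWORD = "/run/secrets/AUTHENTIK_POSTGRESQL__PASSWORD"` in auth_postgresql, which the postgres image takes as the password itself rather than a file (a path goes in `POSTGRES_PASSWORD_FILE`). Because AUTHENTIK_SECRET_KEY signs sessions and tokens, a value that is readable from the repo lets anyone holding it mint valid logins, and the mismatched placeholders mean the password postgres is initialised with is not the one the server presents. Load them at runtime through oci-containers' `environmentFiles` from a file under /run/secrets and drop the literal entries, as sketched below. Mounting `/var/run/docker.sock` into auth_worker hands that container control of the host's container runtime (root-equivalent), and with `backend = "podman"` the path is presumably wrong anyway; keep it only if the authentik docker outpost integration is actually used, and then point it at the podman socket. `ports = [ "9999:9000" ]` also publishes plain-HTTP authentik on every host interface alongside the Traefik TLS router, so bind it as `"127.0.0.1:9999:9000"` or drop it, and pin the `:latest` image tags to a version or digest so an upstream push cannot silently change the IdP you run.
```nix
auth_postgresql = {
  # … unchanged: image, hostname, volumes …
  environment = {
    POSTGRES_PASSWORD_FILE = "/run/secrets/AUTHENTIK_POSTGRESQL__PASSWORD";
    POSTGRES_USER = "authentik";
    POSTGRES_DB = "authentik";
  };
  # … unchanged: labels …
};
auth_server = {
  # … unchanged: image, hostname, volumes …
  environment = {
    # … unchanged: REDIS/POSTGRESQL host, user, name and AUTHENTIK_EMAIL__* settings, with the three *_PASSWORD / SECRET_KEY literals removed …
  };
  # file holds AUTHENTIK_POSTGRESQL__PASSWORD, AUTHENTIK_SECRET_KEY, AUTHENTIK_EMAIL__PASSWORD
  environmentFiles = [ "/run/secrets/authentik.env" ];
  # … unchanged: labels, cmd …
  ports = [ "127.0.0.1:9999:9000" ];
};
auth_worker = {
  # … unchanged: image, hostname, volumes (minus the docker.sock mount), non-secret environment, labels, cmd …
  environmentFiles = [ "/run/secrets/authentik.env" ];
};
```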