fix containers

This commit is contained in:
soraefir
2026-05-04 23:43:29 +02:00
parent c779c1760b
commit d626c13572
3 changed files with 79 additions and 111 deletions


@@ -1,27 +1,20 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
# enabledContainers = lib.filterAttrs (name: cfg: cfg.enable) config.syscfg.server.containers; cfg = config.syscfg.server.containers;
# containerImports = { enabledConfigs = lib.filterAttrs (name: c: c.enable) cfg;
# cloud = import ./defs/cloud.nix; containerSetsList = lib.mapAttrsToList (name: containerCfg:
# authentik = import ./defs/authentik.nix; import (./defs + "/${name}.nix") {
# }; inherit config pkgs lib ;
containerDir = ./defs; inherit (containerCfg) port special_param;
allFiles = builtins.readDir containerDir; }
enabledNames = lib.filterAttrs (name: cfg: cfg.enable) config.syscfg.server.containers; ) enabledConfigs;
activeContainers = lib.mapAttrs (name: cfg: mergedContainers = lib.attrsets.mergeAttrsList containerSetsList;
let
fileName = "${name}.nix";
in
if builtins.hasAttr fileName allFiles
then import (containerDir + "/${fileName}")
else throw "Container config for '${name}' enabled, but ${containerDir}/${fileName} does not exist!"
) enabledNames;
in in
{ {
config = lib.mkIf ( enabledNames != {} ) { config = lib.mkIf ( enabledConfigs != {} ) {
virtualisation.oci-containers = { virtualisation.oci-containers = {
backend = "podman"; backend = "podman";
containers = activeContainers; containers = mergedContainers;
}; };
}; };
} }
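Review bot: The existence check and descriptive `throw` from the old side are gone, so an enabled container whose `./defs/<name>.nix` is missing now fails with a bare import error instead of naming the missing file; keep the guard around the import, e.g. `let path = ./defs + "/${name}.nix"; in if builtins.pathExists path then import path { ... } else throw "Container '${name}' enabled, but ${toString path} does not exist"`. `inherit (containerCfg) port special_param;` also makes both attributes mandatory on every enabled entry, so the option declarations (outside this diff) presumably need defaults for them or evaluation fails for the `authentik` entry in the third file. `lib.attrsets.mergeAttrsList` folds with `//`, so two def files declaring the same oci-container name silently last-wins; an `assert` comparing `lib.length (lib.concatMap lib.attrNames containerSetsList)` with `lib.length (lib.attrNames mergedContainers)` would surface that collision at eval time.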


@@ -1,104 +1,79 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let serverCfg = config.syscfg.server; let serverCfg = config.syscfg.server;
in { in {
project.name = "authentik"; auth_postgresql = {
image = "postgres:14-alpine";
networks = { hostname = "auth_postgresql";
internal = { volumes = [ ];
name = lib.mkForce "internal"; environment = {
internal = true; POSTGRES_PASSWORD = "/run/secrets/AUTHENTIK_POSTGRESQL__PASSWORD";
}; POSTGRES_USER = "authentik";
external = { POSTGRES_DB = "authentik";
name = lib.mkForce "external";
internal = false;
}; };
labels = { "traefik.enable" = "false"; };
}; };
services = { auth_redis = {
image = "redis:alpine";
hostname = "auth_redis";
volumes = [ ];
environment = { };
labels = { "traefik.enable" = "false"; };
};
auth_postgresql.service = { auth_server = {
image = "postgres:14-alpine"; image = "ghcr.io/goauthentik/server:latest";
container_name = "auth_postgresql"; hostname = "auth_server";
restart = "unless-stopped"; volumes = [
networks = [ "internal" ]; "${serverCfg.dataPath}/authentik/media:/media"
volumes = [ ]; "${serverCfg.dataPath}/authentik/templates:/templates"
environment = { ];
POSTGRES_PASSWORD = "/run/secrets/AUTHENTIK_POSTGRESQL__PASSWORD"; environment = {
POSTGRES_USER = "authentik"; "AUTHENTIK_REDIS__HOST" = "auth_redis";
POSTGRES_DB = "authentik"; "AUTHENTIK_POSTGRESQL__HOST" = "auth_postgresql";
}; "AUTHENTIK_POSTGRESQL__USER" = "authentik";
"AUTHENTIK_POSTGRESQL__NAME" = "authentik";
"AUTHENTIK_POSTGRESQL__PASSWORD" = "AUTHENTIK_DB_PASSWORD";
"AUTHENTIK_SECRET_KEY" = "AUTHENTIK_SECRET_KEY";
"AUTHENTIK_EMAIL__HOST" = "${serverCfg.mailDomain}";
"AUTHENTIK_EMAIL__PORT" = "587";
"AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
"AUTHENTIK_EMAIL__PASSWORD" = "AUTHENTIK_EMAIL_PASSWORD";
"AUTHENTIK_EMAIL__USE_TLS" = "true";
"AUTHENTIK_EMAIL__USE_SSL" = "false";
"AUTHENTIK_EMAIL__TIMEOUT" = "10";
"AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
}; };
labels = {
"traefik.enable" = "true";
"traefik.http.routers.sso.entrypoints" = "web-secure";
"traefik.http.routers.sso.rule" = "Host(`sso.${serverCfg.hostDomain}`)";
"traefik.http.routers.sso.tls" = "true";
"traefik.http.services.sso.loadbalancer.server.port" = "9000";
};
cmd = [ "server" ];
ports = [
"9999:9000"
];
};
auth_redis.service = { auth_worker = {
image = "redis:alpine"; image = "ghcr.io/goauthentik/server:latest";
container_name = "auth_redis"; hostname = "auth_worker";
restart = "unless-stopped"; volumes = [
networks = [ "internal" ]; "${serverCfg.dataPath}/authentik/media:/media"
volumes = [ ]; "${serverCfg.dataPath}/authentik/templates:/templates"
environment = { }; "/var/run/docker.sock:/var/run/docker.sock"
labels = { "traefik.enable" = "false"; }; ];
}; environment = {
"AUTHENTIK_REDIS__HOST" = "auth_redis";
auth_server.service = { "AUTHENTIK_POSTGRESQL__HOST" = "auth_postgresql";
image = "ghcr.io/goauthentik/server:latest"; "AUTHENTIK_POSTGRESQL__USER" = "authentik";
container_name = "auth_server"; "AUTHENTIK_POSTGRESQL__NAME" = "authentik";
restart = "unless-stopped"; "AUTHENTIK_POSTGRESQL__PASSWORD" = "AUTHENTIK_DB_PASSWORD";
networks = [ "internal" "external" ]; "AUTHENTIK_SECRET_KEY" = "AUTHENTIK_SECRET_KEY";
volumes = [
"${serverCfg.dataPath}/authentik/media:/media"
"${serverCfg.dataPath}/authentik/templates:/templates"
];
environment = {
"AUTHENTIK_REDIS__HOST" = "auth_redis";
"AUTHENTIK_POSTGRESQL__HOST" = "auth_postgresql";
"AUTHENTIK_POSTGRESQL__USER" = "authentik";
"AUTHENTIK_POSTGRESQL__NAME" = "authentik";
"AUTHENTIK_POSTGRESQL__PASSWORD" = "AUTHENTIK_DB_PASSWORD";
"AUTHENTIK_SECRET_KEY" = "AUTHENTIK_SECRET_KEY";
"AUTHENTIK_EMAIL__HOST" = "${serverCfg.mailDomain}";
"AUTHENTIK_EMAIL__PORT" = "587";
"AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
"AUTHENTIK_EMAIL__PASSWORD" = "AUTHENTIK_EMAIL_PASSWORD";
"AUTHENTIK_EMAIL__USE_TLS" = "true";
"AUTHENTIK_EMAIL__USE_SSL" = "false";
"AUTHENTIK_EMAIL__TIMEOUT" = "10";
"AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
};
labels = {
"traefik.enable" = "true";
"traefik.http.routers.sso.entrypoints" = "web-secure";
"traefik.http.routers.sso.rule" = "Host(`sso.${serverCfg.hostDomain}`)";
"traefik.http.routers.sso.tls" = "true";
"traefik.http.services.sso.loadbalancer.server.port" = "9000";
"traefik.docker.network" = "external";
};
command = "server";
ports = [
"9999:9000" # host:container
];
};
auth_worker.service = {
image = "ghcr.io/goauthentik/server:latest";
container_name = "auth_worker";
restart = "unless-stopped";
networks = [ "internal" ];
volumes = [
"${serverCfg.dataPath}/authentik/media:/media"
"${serverCfg.dataPath}/authentik/templates:/templates"
"/var/run/docker.sock:/var/run/docker.sock"
];
environment = {
"AUTHENTIK_REDIS__HOST" = "auth_redis";
"AUTHENTIK_POSTGRESQL__HOST" = "auth_postgresql";
"AUTHENTIK_POSTGRESQL__USER" = "authentik";
"AUTHENTIK_POSTGRESQL__NAME" = "authentik";
"AUTHENTIK_POSTGRESQL__PASSWORD" = "AUTHENTIK_DB_PASSWORD";
"AUTHENTIK_SECRET_KEY" = "AUTHENTIK_SECRET_KEY";
};
labels = { "traefik.enable" = "false"; };
command = "worker";
user = "root";
}; };
labels = { "traefik.enable" = "false"; };
cmd = [ "worker" ];
}; };
} }
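Review bot: The credentials on the new side are literal placeholder strings: `POSTGRES_PASSWORD = "/run/secrets/AUTHENTIK_POSTGRESQL__PASSWORD"` hands postgres that path as its password while auth_server and auth_worker send `"AUTHENTIK_DB_PASSWORD"`, so the two sides cannot agree, and `AUTHENTIK_SECRET_KEY` / `AUTHENTIK_EMAIL__PASSWORD` are fixed strings that end up world-readable in the Nix store. Move these out of `environment` into per-container `environmentFiles = [ "/run/secrets/<authentik-env-file>" ];` so values are read at runtime and never enter the store. Separately, auth_worker still mounts `/var/run/docker.sock` although the backend is now podman (first file); that mount is root-equivalent host access and presumably a dangling path here, so drop it unless the worker's container integration is actually used. `ports = [ "9999:9000" ]` on auth_server also publishes on all host interfaces while the traefik labels already front port 9000; `"127.0.0.1:9999:9000"` keeps it local if the mapping is only for debugging.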


@@ -30,7 +30,7 @@
dbHost = "localhost"; dbHost = "localhost";
containers = { containers = {
cloud = {enable = true;}; #cloud = {enable = true;};
authentik = {enable = true;}; authentik = {enable = true;};
}; };
}; };