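{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
  version = "2026.2.2";
  serverCfg = config.syscfg.server;

  # Blueprint files rendered with the domains they reference; mounted
  # read-only into both containers under /blueprints/custom.
  authentikData = builder.mkData {
    name = "authentik";
    dir = "authentik";
    vars = {
      NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain or "nextcloud"}.${serverCfg.hostDomain}";
      AUTHENTIK_DOMAIN = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
      COOKIE_DOMAIN = "${serverCfg.hostDomain}";
    };
  };

  # Single pinned image tag for both processes so they can never drift apart.
  image = "ghcr.io/goauthentik/server:${version}";

  # Environment shared by the server and worker processes (previously
  # duplicated verbatim in both container definitions).
  commonEnv = {
    "AUTHENTIK_REDIS__HOST" = builder.host;
    "AUTHENTIK_POSTGRESQL__HOST" = builder.host;
    "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
    "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
    "AUTHENTIK_DISABLE_UPDATE_CHECK" = "true";
    # Plaintext database connection. Presumably builder.host is only reachable
    # over a host-local/isolated network — confirm before pointing this at a
    # remote database.
    "AUTHENTIK_POSTGRESQL__SSLMODE" = "disable";
  };

  # Outbound mail settings; only the server process gets these.
  mailEnv = {
    "AUTHENTIK_EMAIL__HOST" = serverCfg.mailDomain;
    "AUTHENTIK_EMAIL__PORT" = "587";
    "AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
    # Port 587 with USE_TLS=true and USE_SSL=false selects STARTTLS.
    "AUTHENTIK_EMAIL__USE_TLS" = "true";
    "AUTHENTIK_EMAIL__USE_SSL" = "false";
    "AUTHENTIK_EMAIL__TIMEOUT" = "10";
    "AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
  };

  # Bind mounts shared by both containers; the blueprint bundle is read-only.
  sharedVolumes = [
    "${serverCfg.configPath}/authentik/media:/media"
    "${serverCfg.configPath}/authentik/templates:/templates"
    "${authentikData}:/blueprints/custom:ro"
  ];
in
{
  # Host directories backing the bind mounts. 1000:1000 is presumably the
  # uid/gid the image runs as — confirm against the container's user.
  paths = [
    { path = "${serverCfg.configPath}/authentik/media"; owner = "1000:1000"; mode = "0755"; }
    { path = "${serverCfg.configPath}/authentik/templates"; owner = "1000:1000"; mode = "0755"; }
  ];

  containers = {
    # Web/API process; the only one exposed through the reverse proxy.
    server = builder.mkContainer {
      subdomain = containerCfg.subdomain;
      inherit image;
      port = 9000;
      ip = containerCfg.ip;
      secret = name;
      extraEnv = commonEnv // mailEnv;
      overrides = {
        cmd = [ "server" ];
        # Optional host port publish; the proxy path works without it.
        ports = if containerCfg.port != null then [ "${toString containerCfg.port}:9000" ] else [ ];
        volumes = sharedVolumes;
      };
    };

    # Background worker (tasks, outposts, blueprint application).
    worker = builder.mkContainer {
      inherit image;
      # NOTE(review): the server uses `secret = name`; this literal only
      # matches if name == "authentik" — confirm and unify.
      secret = "authentik";
      extraEnv = commonEnv;
      # extraOptions = [ "--user=:994" ]; #PODMAN GROUP FOR SOCKET ACCESS
      overrides = {
        cmd = [ "worker" ];
        # The podman socket mount stays disabled: it would hand the worker
        # control over every container on the host.
        # volumes = sharedVolumes ++ [ "/var/run/podman/podman.sock:/var/run/docker.sock" ]; #PODMAN GROUP FOR SOCKET ACCESS
        volumes = sharedVolumes;
      };
    };
  };

  # One-shot provisioning run once the worker is up: applies the custom
  # blueprints through `ak` inside the worker container.
  setup = {
    trigger = "worker";
    script = pkgs.writeShellScript "setup" ''
      # Abort on the first failed blueprint instead of reporting success anyway.
      set -eu
      # Define the command wrapper
      # NOTE(review): -u root runs ak as root inside the container; confirm it
      # is actually required given the media/templates dirs are owned by 1000.
      AK="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.hostDomain} -u root authentik-worker ak"
      $AK apply_blueprint /blueprints/custom/authentik.yaml
      $AK apply_blueprint /blueprints/custom/traefik.yaml
      ${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''}
      echo "Completed Authentik Setup"
    '';
  };
}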