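# Authentik SSO stack: the API/UI server, the background worker and the LDAP
# outpost, plus a post-start setup step that applies the custom blueprints.
#
# Fixes over the previous revision:
#  - the garbled `AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE` key (a leftover
#    merge artifact present in both server and worker) is dropped; the real
#    `AUTHENTIK_POSTGRESQL__SSLMODE` was already set next to it;
#  - the setup script now aborts on the first failing blueprint instead of
#    printing "Completed Authentik Setup" regardless of outcome;
#  - the shared server/worker environment and volume list are defined once.
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
  version = "2026.2.2";
  serverCfg = config.syscfg.server;

  # Public host name the server container is reached at; it is handed to the
  # blueprints and to the LDAP outpost, which calls back to the API over it.
  authentikHost = "${containerCfg.subdomain}.${serverCfg.hostDomain}";

  # { <var> = "<subdomain>.<hostDomain>"; } when the sibling container <svc>
  # is declared in serverCfg.containers, otherwise {}.  The matching blueprint
  # is only applied in the setup script under the same condition.
  optionalDomain = svc: var:
    lib.optionalAttrs (builtins.hasAttr svc serverCfg.containers) {
      ${var} = "${serverCfg.containers.${svc}.subdomain}.${serverCfg.hostDomain}";
    };

  # Variables substituted into the custom blueprints shipped under
  # /blueprints/custom (mounted read-only in server and worker).
  authentikData = builder.mkData {
    name = "authentik";
    dir = "authentik";
    vars = {
      AUTHENTIK_DOMAIN = authentikHost;
      COOKIE_DOMAIN = "${serverCfg.hostDomain}";
      # "example.org" -> "dc=ldap,dc=example,dc=org"
      AUTHENTIK_LDAP_DC_DOMAIN = "dc=ldap,"
        + lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.hostDomain);
    }
    // optionalDomain "jellyfin" "JELLYFIN_DOMAIN"
    // optionalDomain "gitea" "GITEA_DOMAIN"
    // optionalDomain "nextcloud" "NEXTCLOUD_DOMAIN";
  };

  # Environment shared by the server and the worker (both talk to the same
  # Redis and PostgreSQL instances reachable at builder.host).
  commonEnv = {
    AUTHENTIK_REDIS__HOST = builder.host;
    AUTHENTIK_POSTGRESQL__HOST = builder.host;
    AUTHENTIK_POSTGRESQL__USER = "authentik_user";
    AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
    # Plain-text PostgreSQL connection (no TLS).  Only acceptable while
    # builder.host is a host-local / non-routable address — TODO confirm.
    AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
    AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
  };

  # Outbound mail (password recovery, invitations); only the server sends.
  # STARTTLS on 587, no implicit TLS.
  mailEnv = {
    AUTHENTIK_EMAIL__HOST = serverCfg.mailDomain;
    AUTHENTIK_EMAIL__PORT = "587";
    AUTHENTIK_EMAIL__USERNAME = "noreply@${serverCfg.hostDomain}";
    AUTHENTIK_EMAIL__USE_TLS = "true";
    AUTHENTIK_EMAIL__USE_SSL = "false";
    AUTHENTIK_EMAIL__TIMEOUT = "10";
    AUTHENTIK_EMAIL__FROM = "sso@noreply.${serverCfg.hostDomain}";
  };

  # Bind mounts shared by the server and the worker.
  commonVolumes = [
    "${serverCfg.configPath}/authentik/media:/media"
    "${serverCfg.configPath}/authentik/templates:/templates"
    "${authentikData}:/blueprints/custom:ro"
  ];

  serverImage = "ghcr.io/goauthentik/server:${version}";
in
{
  # Flags consumed by the container builder (secrets and a database are
  # provisioned for this service) — exact semantics live in `builder`.
  sops = true;
  db = true;

  # Host directories bind-mounted into server and worker; 1000:1000 is the
  # uid/gid the authentik image runs as.
  paths = [
    {
      path = "${serverCfg.configPath}/authentik/media";
      owner = "1000:1000";
      mode = "0755";
    }
    {
      path = "${serverCfg.configPath}/authentik/templates";
      owner = "1000:1000";
      mode = "0755";
    }
  ];

  containers = {
    # Web/API front-end; the only container exposed under a subdomain.
    server = builder.mkContainer {
      subdomain = containerCfg.subdomain;
      image = serverImage;
      port = 9000;
      secret = name;
      extraEnv = commonEnv // mailEnv;
      overrides = {
        cmd = [ "server" ];
        volumes = commonVolumes;
      };
    };

    # Background task runner; same image and config, different entry command.
    worker = builder.mkContainer {
      image = serverImage;
      secret = name;
      extraEnv = commonEnv;
      overrides = {
        cmd = [ "worker" ];
        volumes = commonVolumes;
      };
    };

    # LDAP outpost; talks to the server over HTTPS with certificate
    # verification enabled (AUTHENTIK_INSECURE=false).
    ldap = builder.mkContainer {
      image = "ghcr.io/goauthentik/ldap:${version}";
      secret = name;
      extraEnv = {
        AUTHENTIK_HOST = "https://${authentikHost}";
        AUTHENTIK_INSECURE = "false";
      };
    };
  };

  # Applies the custom blueprints once the worker is up.
  setup = {
    trigger = "worker";
    script = pkgs.writeShellScript "setup" ''
      # Fail on the first blueprint that does not apply; previously every
      # failure was ignored and the success message printed regardless.
      set -euo pipefail

      # Runs `ak` inside the worker container.  The CUSTOM secret file is
      # injected as environment variables so blueprints can reference them;
      # the command runs as root inside the container — TODO confirm that a
      # lower-privileged user is not sufficient for apply_blueprint.
      ak() {
        ${pkgs.podman}/bin/podman --events-backend=none exec \
          --env-file ${config.sops.secrets."CUSTOM".path} \
          -e DOMAIN=${serverCfg.hostDomain} \
          -u root authentik-worker ak "$@"
      }

      ak apply_blueprint /blueprints/custom/authentik.yaml
      ak apply_blueprint /blueprints/custom/traefik.yaml
      ak apply_blueprint /blueprints/custom/ldap.yaml
      # Per-service blueprints, each gated on the same condition that adds
      # its *_DOMAIN variable above.
      ${lib.optionalString (serverCfg.containers ? gitea) "ak apply_blueprint /blueprints/custom/gitea.yaml"}
      ${lib.optionalString (serverCfg.containers ? jellyfin) "ak apply_blueprint /blueprints/custom/jellyfin.yaml"}
      ${lib.optionalString (serverCfg.containers ? nextcloud) "ak apply_blueprint /blueprints/custom/nextcloud.yaml"}
      echo "Completed Authentik Setup"
    '';
  };
}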