sora/nixconfig
1
0
Fork 1
Code Issues 2 Pull Requests Actions Releases Activity
Files
1b2a724a263b7dc7ea4d5ead4a2e0d2811481c9e
nixconfig/modules/server/containers/apps/authentik.nix
soraefir 1b2a724a26 Fix idp & co, add base ak setup
2026-05-10 20:42:19 +02:00

128 lines
4.1 KiB
Nix
Raw Blame History

{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
version = "2026.2.2";
serverCfg = config.syscfg.server;
authentikData = builder.mkData {
name = "authentik"; dir = "authentik"; vars = {
NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain or "nextcloud"}.${serverCfg.hostDomain}";
AUTHENTIK_DOMAIN = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
COOKIE_DOMAIN = "*.${serverCfg.hostDomain}";
};
};
in {
paths = [{
path="${serverCfg.configPath}/authentik/media";
owner = "1000:1000";
mode = "0755";
}{
path="${serverCfg.configPath}/authentik/templates";
owner = "1000:1000";
mode = "0755";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "ghcr.io/goauthentik/server:${version}";
port = containerCfg.port;
ip = containerCfg.ip;
secret = name;
extraEnv = {
"AUTHENTIK_REDIS__HOST" = builder.host;
"AUTHENTIK_POSTGRESQL__HOST" = builder.host;
"AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
"AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
"AUTHENTIK_EMAIL__HOST" = serverCfg.mailDomain;
"AUTHENTIK_EMAIL__PORT" = "587";
"AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
"AUTHENTIK_EMAIL__USE_TLS" = "true";
"AUTHENTIK_EMAIL__USE_SSL" = "false";
"AUTHENTIK_EMAIL__TIMEOUT" = "10";
"AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
"AUTHENTIK_DISABLE_UPDATE_CHECK" = "true";
"AUTHENTIK_POSTGRESQL__SSLMODE" = "disable";
};
overrides = {
cmd = [ "server" ];
ports = if containerCfg.pubPort!=null && containerCfg.port!=null then [ "${toString containerCfg.pubPort}:${toString containerCfg.port}" ] else [];
volumes = [
"${serverCfg.configPath}/authentik/media:/media"
"${serverCfg.configPath}/authentik/templates:/templates"
"${authentikData}:/blueprints/custom:ro"
];
};
};
worker = builder.mkContainer {
image = "ghcr.io/goauthentik/server:${version}";
secret = "authentik";
extraEnv = {
"AUTHENTIK_REDIS__HOST" = builder.host;
"AUTHENTIK_POSTGRESQL__HOST" = builder.host;
"AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
"AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
"AUTHENTIK_DISABLE_UPDATE_CHECK" = "true";
"AUTHENTIK_POSTGRESQL__SSLMODE" = "disable";
};
# extraOptions = [ "--user=:994" ]; #PODMAN GROUP FOR SOCKET ACCESS
overrides = {
cmd = [ "worker" ];
volumes = [
"${serverCfg.configPath}/authentik/media:/media"
"${serverCfg.configPath}/authentik/templates:/templates"
"${authentikData}:/blueprints/custom:ro"
# "/var/run/podman/podman.sock:/var/run/docker.sock" #PODMAN GROUP FOR SOCKET ACCESS
];
};
};
};
setup = {
trigger="worker";
script = pkgs.writeShellScript "setup" ''
# Define the command wrapper
AK="${pkgs.podman}/bin/podman --events-backend=none exec -u root authentik-worker ak"
$AK shell <<EOF
from authentik.core.models import Group
groups = ["admin", "cloud"]
for name in groups:
Group.objects.get_or_create(name=name)
EOF
$AK shell <<EOF
from authentik.core.models import User, Group
from authentik.managed.models import ManagedObject
# 1. Create the custom admin user
user, created = User.objects.get_or_create(
username="your_admin_name",
defaults={
"name": "System Administrator",
"email": "admin@test.helcel.net",
"is_superuser": True,
"is_staff": True,
}
)
user.set_password("your_secure_password")
user.save()
admin_group = Group.objects.get(name="admin")
user.ak_groups.add(admin_group)
ManagedObject.objects.get_or_create(
identifier="initial-setup-complete",
defaults={"model": "authentik_core.user"}
)
EOF
$AK apply_blueprint /blueprints/custom/traefik.yaml
${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''}
echo "Completed Authentik Setup"
'';
};
}
Reference in New Issue View Git Blame Copy Permalink