sora/nixconfig
1
0
Fork 1
Code Issues 2 Pull Requests Actions Releases Activity
Files
7bd5ceacd97b9c8c833ae3b594c4be125f623c05
nixconfig/modules/server/containers/apps/authentik.nix
soraefir 7bd5ceacd9 fix name
2026-05-13 22:33:28 +02:00

108 lines
3.7 KiB
Nix
Raw Blame History

{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
version = "2026.2.2";
serverCfg = config.syscfg.server;
authentikData = builder.mkData {
name = "authentik"; dir = "authentik"; vars = {
NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain or "nextcloud"}.${serverCfg.hostDomain}";
AUTHENTIK_DOMAIN = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
COOKIE_DOMAIN = "${serverCfg.hostDomain}";
AUTHENTIK_LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.hostDomain));
};
};
in {
sops = true;
db = true;
paths = [{
path="${serverCfg.configPath}/authentik/media";
owner = "1000:1000";
mode = "0755";
}{
path="${serverCfg.configPath}/authentik/templates";
owner = "1000:1000";
mode = "0755";
}];
containers = {
server = builder.mkContainer {
subdomain = containerCfg.subdomain;
image = "ghcr.io/goauthentik/server:${version}";
port = 9000;
secret = name;
extraEnv = {
AUTHENTIK_REDIS__HOST = builder.host;
AUTHENTIK_POSTGRESQL__HOST = builder.host;
AUTHENTIK_POSTGRESQL__USER = "authentik_user";
AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";
AUTHENTIK_EMAIL__HOST = serverCfg.mailDomain;
AUTHENTIK_EMAIL__PORT = "587";
AUTHENTIK_EMAIL__USERNAME = "noreply@${serverCfg.hostDomain}";
AUTHENTIK_EMAIL__USE_TLS = "true";
AUTHENTIK_EMAIL__USE_SSL = "false";
AUTHENTIK_EMAIL__TIMEOUT = "10";
AUTHENTIK_EMAIL__FROM = "sso@noreply.${serverCfg.hostDomain}";
AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
};
overrides = {
cmd = [ "server" ];
volumes = [
"${serverCfg.configPath}/authentik/media:/media"
"${serverCfg.configPath}/authentik/templates:/templates"
"${authentikData}:/blueprints/custom:ro"
];
};
};
worker = builder.mkContainer {
image = "ghcr.io/goauthentik/server:${version}";
secret = name;
extraEnv = {
AUTHENTIK_REDIS__HOST = builder.host;
AUTHENTIK_POSTGRESQL__HOST = builder.host;
AUTHENTIK_POSTGRESQL__USER = "authentik_user";
AUTHENTIK_POSTGRESQL__NAME = "authentik_db";
AUTHENTIK_POSAUTHENTIK_POSTGRESQL__SSLMODE = "false";
AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
};
overrides = {
cmd = [ "worker" ];
volumes = [
"${serverCfg.configPath}/authentik/media:/media"
"${serverCfg.configPath}/authentik/templates:/templates"
"${authentikData}:/blueprints/custom:ro"
];
};
};
ldap = builder.mkContainer {
image = "ghcr.io/goauthentik/ldap:${version}";
secret = name;
extraEnv = {
"AUTHENTIK_HOST" = "http://authentik-server:9000";
"AUTHENTIK_INSECURE" = "true";
};
# overrides = {
# ports = [ "389:3389" "636:6636" ];
# };
};
};
setup = {
trigger = "worker";
script = pkgs.writeShellScript "setup" ''
# Define the command wrapper
AK="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.hostDomain} -u root authentik-worker ak"
$AK apply_blueprint /blueprints/custom/authentik.yaml
$AK apply_blueprint /blueprints/custom/traefik.yaml
$AK apply_blueprint /blueprints/custom/ldap.yaml
${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''}
echo "Completed Authentik Setup"
'';
};
}
Reference in New Issue View Git Blame Copy Permalink