2025-02-05 21:08:52 +01:00
|
|
|
{
|
|
|
|
|
name = "Authentik";
|
|
|
|
|
description = ''
|
|
|
|
|
SSO provider
|
|
|
|
|
'';
|
|
|
|
|
|
|
|
|
|
traefikRoutes =
|
|
|
|
|
{
|
|
|
|
|
host,
|
|
|
|
|
...
|
|
|
|
|
}:
|
|
|
|
|
let
|
|
|
|
|
hostname = host.hostname;
|
|
|
|
|
config = host.config.authentik;
|
|
|
|
|
in
|
|
|
|
|
[
|
|
|
|
|
{
|
|
|
|
|
name = "${hostname}-authentik";
|
|
|
|
|
rule = "Host(`${config.domain}`)";
|
2025-02-07 19:32:06 +01:00
|
|
|
target = "http://${host.ip}:9000";
|
2025-02-05 21:08:52 +01:00
|
|
|
}
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
nixosModule =
|
2025-02-07 19:32:06 +01:00
|
|
|
{
|
|
|
|
|
lib,
|
|
|
|
|
config,
|
|
|
|
|
pkgs,
|
2025-02-11 17:21:09 +01:00
|
|
|
host,
|
2025-02-07 19:32:06 +01:00
|
|
|
...
|
|
|
|
|
}:
|
|
|
|
|
let
|
|
|
|
|
publicEnv = pkgs.writeText "authentik-public.env" ''
|
|
|
|
|
AUTHENTIK_EMAIL__USE_TLS=false
|
|
|
|
|
AUTHENTIK_EMAIL__USE_SSL=true
|
|
|
|
|
AUTHENTIK_EMAIL__TIMEOUT=10
|
|
|
|
|
'';
|
|
|
|
|
in
|
2025-02-05 21:08:52 +01:00
|
|
|
{
|
|
|
|
|
options.authentik = {
|
|
|
|
|
domain = lib.mkOption {
|
|
|
|
|
type = lib.types.str;
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
config = {
|
2025-02-16 12:30:00 +01:00
|
|
|
networking.firewall.allowedTCPPorts = [
|
|
|
|
|
9000
|
|
|
|
|
];
|
2025-02-07 19:32:06 +01:00
|
|
|
|
|
|
|
|
# Set up user to run authentik
|
|
|
|
|
users.users."authentik" = {
|
|
|
|
|
isSystemUser = true;
|
|
|
|
|
group = "authentik";
|
2025-02-05 21:08:52 +01:00
|
|
|
};
|
2025-02-07 19:32:06 +01:00
|
|
|
users.groups."authentik" = { };
|
2025-02-05 21:08:52 +01:00
|
|
|
|
2025-02-07 19:32:06 +01:00
|
|
|
# TODO: Persist some/all of this into ceph cluster
|
|
|
|
|
environment.persistence."/persistent" = {
|
|
|
|
|
directories = [
|
|
|
|
|
{
|
|
|
|
|
directory = "/appdata/authentik/redis";
|
|
|
|
|
mode = "0700";
|
|
|
|
|
}
|
|
|
|
|
{
|
|
|
|
|
directory = "/appdata/authentik/media";
|
|
|
|
|
mode = "0700";
|
|
|
|
|
}
|
|
|
|
|
{
|
|
|
|
|
directory = "/appdata/authentik/certs";
|
|
|
|
|
mode = "0700";
|
|
|
|
|
}
|
|
|
|
|
];
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
sops.secrets = {
|
|
|
|
|
"authentik/db_pass" = {
|
|
|
|
|
owner = "authentik";
|
|
|
|
|
};
|
|
|
|
|
"authentik/secret_key" = {
|
|
|
|
|
owner = "authentik";
|
|
|
|
|
};
|
|
|
|
|
"authentik/email_host" = {
|
|
|
|
|
owner = "authentik";
|
|
|
|
|
};
|
|
|
|
|
"authentik/email_port" = {
|
|
|
|
|
owner = "authentik";
|
|
|
|
|
};
|
|
|
|
|
"authentik/email_from" = {
|
|
|
|
|
owner = "authentik";
|
|
|
|
|
};
|
|
|
|
|
"authentik/email_username" = {
|
|
|
|
|
owner = "authentik";
|
|
|
|
|
};
|
|
|
|
|
"authentik/email_password" = {
|
|
|
|
|
owner = "authentik";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
sops.templates."authentik-secret.env" = {
|
|
|
|
|
owner = "authentik";
|
|
|
|
|
content = ''
|
|
|
|
|
AUTHENTIK_POSTGRESQL__PASSWORD=${config.sops.placeholder."authentik/db_pass"}
|
|
|
|
|
AUTHENTIK_SECRET_KEY="${config.sops.placeholder."authentik/secret_key"}"
|
|
|
|
|
AUTHENTIK_EMAIL__HOST="${config.sops.placeholder."authentik/email_host"}"
|
|
|
|
|
AUTHENTIK_EMAIL__PORT="${config.sops.placeholder."authentik/email_port"}"
|
|
|
|
|
AUTHENTIK_EMAIL__FROM="${config.sops.placeholder."authentik/email_from"}"
|
|
|
|
|
AUTHENTIK_EMAIL__USERNAME="${config.sops.placeholder."authentik/email_username"}"
|
|
|
|
|
AUTHENTIK_EMAIL__PASSWORD="${config.sops.placeholder."authentik/email_password"}"
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2025-02-11 17:21:09 +01:00
|
|
|
# Create the database
|
|
|
|
|
postgres.databases = [ "authentik" ];
|
|
|
|
|
|
2025-02-07 19:32:06 +01:00
|
|
|
podman.containers = {
|
2025-02-11 17:21:09 +01:00
|
|
|
# TODO: Does using system redis make sense here?
|
2025-02-07 19:32:06 +01:00
|
|
|
"authentik-redis" = {
|
2025-02-14 21:28:54 +01:00
|
|
|
imageMetadata = import ./images/redis.nix;
|
2025-02-07 19:32:06 +01:00
|
|
|
autoStart = true;
|
|
|
|
|
volumes = [
|
|
|
|
|
"/appdata/authentik/redis:/data"
|
|
|
|
|
];
|
|
|
|
|
};
|
|
|
|
|
"authentik-server" = {
|
2025-02-14 21:28:54 +01:00
|
|
|
imageMetadata = import ./images/server.nix;
|
2025-02-07 19:32:06 +01:00
|
|
|
autoStart = true;
|
|
|
|
|
cmd = [ "server" ];
|
|
|
|
|
environment = {
|
|
|
|
|
AUTHENTIK_REDIS__HOST = "authentik-redis";
|
2025-02-11 17:21:09 +01:00
|
|
|
AUTHENTIK_POSTGRESQL__HOST = "host.containers.internal";
|
2025-02-07 19:32:06 +01:00
|
|
|
AUTHENTIK_POSTGRESQL__USER = "authentik";
|
|
|
|
|
AUTHENTIK_POSTGRESQL__NAME = "authentik";
|
|
|
|
|
};
|
|
|
|
|
environmentFiles = [
|
|
|
|
|
config.sops.templates."authentik-secret.env".path
|
|
|
|
|
publicEnv
|
|
|
|
|
];
|
|
|
|
|
volumes = [
|
|
|
|
|
"/appdata/authentik/media:/media"
|
|
|
|
|
];
|
|
|
|
|
ports = [
|
|
|
|
|
"9000:9000"
|
|
|
|
|
];
|
|
|
|
|
};
|
|
|
|
|
"authentik-worker" = {
|
2025-02-14 21:28:54 +01:00
|
|
|
imageMetadata = import ./images/server.nix;
|
2025-02-11 17:21:09 +01:00
|
|
|
user = "root";
|
2025-02-07 19:32:06 +01:00
|
|
|
autoStart = true;
|
|
|
|
|
cmd = [ "worker" ];
|
|
|
|
|
environment = {
|
|
|
|
|
AUTHENTIK_REDIS__HOST = "authentik-redis";
|
2025-02-11 17:21:09 +01:00
|
|
|
AUTHENTIK_POSTGRESQL__HOST = "host.containers.internal";
|
2025-02-07 19:32:06 +01:00
|
|
|
AUTHENTIK_POSTGRESQL__USER = "authentik";
|
|
|
|
|
AUTHENTIK_POSTGRESQL__NAME = "authentik";
|
|
|
|
|
};
|
|
|
|
|
environmentFiles = [
|
|
|
|
|
config.sops.templates."authentik-secret.env".path
|
|
|
|
|
publicEnv
|
|
|
|
|
];
|
|
|
|
|
volumes = [
|
|
|
|
|
"/appdata/authentik/media:/media"
|
|
|
|
|
"/appdata/authentik/certs:/certs"
|
|
|
|
|
];
|
|
|
|
|
};
|
|
|
|
|
};
|
2025-02-05 21:08:52 +01:00
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
}
|
