Cache podman containers for authentik

README.md

@@ -40,7 +40,6 @@ SSO for almost everything running.
 
 
 ## TODO:
-- Docker/podman images are currently not persisted, maybe they should be.
 
 ### Services
 **For sure**:

roles/authentik/default.nix

@@ -30,7 +30,6 @@
       ...
     }:
     let
-      AUTHENTIK_VERSION = "2024.12.3";
       publicEnv = pkgs.writeText "authentik-public.env" ''
         AUTHENTIK_EMAIL__USE_TLS=false
         AUTHENTIK_EMAIL__USE_SSL=true
@@ -113,14 +112,14 @@
         podman.containers = {
           # TODO: Does using system redis make sense here?
           "authentik-redis" = {
-            image = "docker.io/library/redis:7.4.2-alpine";
+            imageMetadata = import ./images/redis.nix;
             autoStart = true;
             volumes = [
               "/appdata/authentik/redis:/data"
             ];
           };
           "authentik-server" = {
-            image = "ghcr.io/goauthentik/server:${AUTHENTIK_VERSION}";
+            imageMetadata = import ./images/server.nix;
             autoStart = true;
             cmd = [ "server" ];
             environment = {
@@ -141,7 +140,7 @@
             ];
           };
           "authentik-worker" = {
-            image = "ghcr.io/goauthentik/server:${AUTHENTIK_VERSION}";
+            imageMetadata = import ./images/server.nix;
             user = "root";
             autoStart = true;
             cmd = [ "worker" ];

roles/authentik/images/redis.nix

@@ -0,0 +1,5 @@
+{
+  imageName = "docker.io/library/redis";
+  imageDigest = "sha256:5c30ac9c59d8fcddc368d0dd98f544b8b5ab3a981c633db59da7eff9d76b97cc"; # 7.4.2-alpine
+  sha256 = "8a4937f259307fa724fb1a9eac9862b5a9bfba555eba2a43e816cd40104e1692";
+}

roles/authentik/images/server.nix

@@ -0,0 +1,5 @@
+{
+  imageName = "ghcr.io/goauthentik/server";
+  imageDigest = "sha256:7464a70c0d84df0816858106116a3306a80359b4300aa656c3a5ab790a38c229"; # 2024.12.3
+  sha256 = "fadbb55b7ae1d84d7322538101e933caa021582e5120828040c3883a18b1b3d5";
+}

roles/default.nix

@@ -10,5 +10,5 @@
   # Services
   sonarr = utils.mkRole (import ./sonarr.nix);
   traefik = utils.mkRole (import ./traefik.nix);
-  authentik = utils.mkRole (import ./authentik.nix);
+  authentik = utils.mkRole (import ./authentik);
 }

roles/podman.nix

@@ -5,7 +5,12 @@
   '';
 
   nixosModule =
-    { lib, config, ... }:
+    {
+      pkgs,
+      lib,
+      config,
+      ...
+    }:
     {
       options.podman = {
         containers = lib.mkOption {
@@ -23,9 +28,21 @@
           virtualisation.podman.defaultNetwork.settings.dns_enabled = true;
           virtualisation.oci-containers.backend = "podman";
 
-          # TODO: Maybe we want to pre-fetch the images during build?
-          # This would ensure the config always reproduces the exact same system
-          virtualisation.oci-containers.containers = cfg.containers;
+          virtualisation.oci-containers.containers = lib.mapAttrs (
+            _: container:
+            lib.mkMerge [
+              (lib.mkIf (lib.hasAttr "imageMetadata" container) (
+                let
+                  metadata = container.imageMetadata;
+                in
+                {
+                  image = "${metadata.imageName}:latest";
+                  imageFile = pkgs.dockerTools.pullImage metadata;
+                }
+              ))
+              (builtins.removeAttrs container [ "imageMetadata" ])
+            ]
+          ) cfg.containers;
         };
     };
 }