diff --git a/README.md b/README.md
index bd0662c..b3f5e15 100644
--- a/README.md
+++ b/README.md
@@ -40,7 +40,6 @@ SSO for almost everything running.
 ## TODO:
-- Docker/podman images are currently not persisted, maybe they should be.
 ### Services
 **For sure**:
diff --git a/roles/authentik.nix b/roles/authentik/default.nix
similarity index 94%
rename from roles/authentik.nix
rename to roles/authentik/default.nix
index 888b78e..44981b3 100644
--- a/roles/authentik.nix
+++ b/roles/authentik/default.nix
@@ -30,7 +30,6 @@
 ...
 }:
 let
- AUTHENTIK_VERSION = "2024.12.3";
 publicEnv = pkgs.writeText "authentik-public.env" ''
 AUTHENTIK_EMAIL__USE_TLS=false
 AUTHENTIK_EMAIL__USE_SSL=true
@@ -113,14 +112,14 @@
 podman.containers = {
 # TODO: Does using system redis make sense here?
 "authentik-redis" = {
- image = "docker.io/library/redis:7.4.2-alpine";
+ imageMetadata = import ./images/redis.nix;
 autoStart = true;
 volumes = [ "/appdata/authentik/redis:/data" ];
 };
 "authentik-server" = {
- image = "ghcr.io/goauthentik/server:${AUTHENTIK_VERSION}";
+ imageMetadata = import ./images/server.nix;
 autoStart = true;
 cmd = [ "server" ];
 environment = {
@@ -141,7 +140,7 @@
 ];
 };
 "authentik-worker" = {
- image = "ghcr.io/goauthentik/server:${AUTHENTIK_VERSION}";
+ imageMetadata = import ./images/server.nix;
 user = "root";
 autoStart = true;
 cmd = [ "worker" ];
diff --git a/roles/authentik/images/redis.nix b/roles/authentik/images/redis.nix
new file mode 100644
index 0000000..04fb921
--- /dev/null
+++ b/roles/authentik/images/redis.nix
@@ -0,0 +1,5 @@
+{
+ imageName = "docker.io/library/redis";
+ imageDigest = "sha256:5c30ac9c59d8fcddc368d0dd98f544b8b5ab3a981c633db59da7eff9d76b97cc"; # 7.4.2-alpine
+ sha256 = "8a4937f259307fa724fb1a9eac9862b5a9bfba555eba2a43e816cd40104e1692";
+}
diff --git a/roles/authentik/images/server.nix b/roles/authentik/images/server.nix
new file mode 100644
index 0000000..ff4dbc2
--- /dev/null
+++ b/roles/authentik/images/server.nix
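Review bot: `sha256` in the new `roles/authentik/images/redis.nix` is the fixed-output hash of the archive that `dockerTools.pullImage` builds, not a hash of the image content, and as far as I know that archive depends on the platform pullImage selects for the build host and on the final name and tag it writes into it, so the pin fails with a hash mismatch when any of those change; a comment such as `# FOD hash of the pullImage archive (platform- and tag-specific), not the image digest; re-pin when changing digest, arch or tag` would spare the next maintainer that round-trip. The `# 7.4.2-alpine` annotation on `imageDigest` is the only record of which release the digest corresponds to and nothing on this page reads it; because podman.nix hands the whole attrset to pullImage, `finalImageTag = "7.4.2-alpine";` would make it machine-readable, provided the `image` reference in podman.nix is derived from the same field rather than hard-coded. Both points apply equally to `roles/authentik/images/server.nix` and its `# 2024.12.3` comment.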
@@ -0,0 +1,5 @@
+{
+ imageName = "ghcr.io/goauthentik/server";
+ imageDigest = "sha256:7464a70c0d84df0816858106116a3306a80359b4300aa656c3a5ab790a38c229"; # 2024.12.3
+ sha256 = "fadbb55b7ae1d84d7322538101e933caa021582e5120828040c3883a18b1b3d5";
+}
diff --git a/roles/default.nix b/roles/default.nix
index 7511ca9..6b828ab 100644
--- a/roles/default.nix
+++ b/roles/default.nix
@@ -10,5 +10,5 @@
 # Services
 sonarr = utils.mkRole (import ./sonarr.nix);
 traefik = utils.mkRole (import ./traefik.nix);
- authentik = utils.mkRole (import ./authentik.nix);
+ authentik = utils.mkRole (import ./authentik);
 }
diff --git a/roles/podman.nix b/roles/podman.nix
index d099e7a..ab6f406 100644
--- a/roles/podman.nix
+++ b/roles/podman.nix
@@ -5,7 +5,12 @@
 '';
 nixosModule =
- { lib, config, ... }:
+ {
+ pkgs,
+ lib,
+ config,
+ ...
+ }:
 {
 options.podman = {
 containers = lib.mkOption {
@@ -23,9 +28,21 @@
 virtualisation.podman.defaultNetwork.settings.dns_enabled = true;
 virtualisation.oci-containers.backend = "podman";
- # TODO: Maybe we want to pre-fetch the images during build?
- # This would ensure the config always reproduces the exact same system
- virtualisation.oci-containers.containers = cfg.containers;
+ virtualisation.oci-containers.containers = lib.mapAttrs (
+ _: container:
+ lib.mkMerge [
+ (lib.mkIf (lib.hasAttr "imageMetadata" container) (
+ let
+ metadata = container.imageMetadata;
+ in
+ {
+ image = "${metadata.imageName}:latest";
+ imageFile = pkgs.dockerTools.pullImage metadata;
+ }
+ ))
+ (builtins.removeAttrs container [ "imageMetadata" ])
+ ]
+ ) cfg.containers;
 };
 };
 }
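Review bot: `image = "${metadata.imageName}:latest";` in the `roles/podman.nix` mapAttrs hunk labels a digest-pinned image with the mutable `latest` tag, so the tag says nothing about what is running and the container is still started by name, meaning any other image already present under that name in the podman store is indistinguishable from the pinned one. Deriving the tag from the metadata keeps `image` and the loaded archive in step and lets a metadata file name its release: `image = "${metadata.imageName}:${metadata.finalImageTag or "latest"}";` (pullImage itself defaults `finalImageTag` to `latest`, so the existing metadata files behave exactly as before). A containers entry that sets both `image` and `imageMetadata` now ends in a module-system conflict between the two `lib.mkMerge` branches rather than an explicit message, which is acceptable but deserves a one-line comment above the `lib.mkIf`. `lib.hasAttr "imageMetadata" container` would also read more idiomatically as `container ? imageMetadata`.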