Compare commits
No commits in common. "44d274c6060ad1137b41a28d40d215d5bfa7a846" and "4137675a1ced3b2c320fb13e17d100777b2b2f37" have entirely different histories.
44d274c606
...
4137675a1c
8 changed files with 20 additions and 35 deletions
@ -40,6 +40,7 @@ SSO for almost everything running.
|
||||||
|
|
||||||
|
|
||||||
## TODO:
|
## TODO:
|
||||||
|
- Docker/podman images are currently not persisted, maybe they should be.
|
||||||
|
|
||||||
### Services
|
### Services
|
||||||
**For sure**:
|
**For sure**:
|
||||||
|
|
|
@ -30,6 +30,7 @@
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
let
|
let
|
||||||
|
AUTHENTIK_VERSION = "2024.12.3";
|
||||||
publicEnv = pkgs.writeText "authentik-public.env" ''
|
publicEnv = pkgs.writeText "authentik-public.env" ''
|
||||||
AUTHENTIK_EMAIL__USE_TLS=false
|
AUTHENTIK_EMAIL__USE_TLS=false
|
||||||
AUTHENTIK_EMAIL__USE_SSL=true
|
AUTHENTIK_EMAIL__USE_SSL=true
|
||||||
|
@ -112,14 +113,14 @@
|
||||||
podman.containers = {
|
podman.containers = {
|
||||||
# TODO: Does using system redis make sense here?
|
# TODO: Does using system redis make sense here?
|
||||||
"authentik-redis" = {
|
"authentik-redis" = {
|
||||||
imageMetadata = import ./images/redis.nix;
|
image = "docker.io/library/redis:7.4.2-alpine";
|
||||||
autoStart = true;
|
autoStart = true;
|
||||||
volumes = [
|
volumes = [
|
||||||
"/appdata/authentik/redis:/data"
|
"/appdata/authentik/redis:/data"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
"authentik-server" = {
|
"authentik-server" = {
|
||||||
imageMetadata = import ./images/server.nix;
|
image = "ghcr.io/goauthentik/server:${AUTHENTIK_VERSION}";
|
||||||
autoStart = true;
|
autoStart = true;
|
||||||
cmd = [ "server" ];
|
cmd = [ "server" ];
|
||||||
environment = {
|
environment = {
|
||||||
|
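Review bot: The new `image = "docker.io/library/redis:7.4.2-alpine";` and `image = "ghcr.io/goauthentik/server:${AUTHENTIK_VERSION}";` lines identify both containers by tag only, while the `imageMetadata` entries they replace carried a registry digest plus a content hash that `pkgs.dockerTools.pullImage` checked at build time; a tag can be re-pointed on the registry, so the host now runs whatever the tag resolves to at pull time and nothing in the evaluation notices. The digests are still on this page in the two deleted `@ -1,5 +0,0 @@` files, so the pin can be kept in tag form: `image = "docker.io/library/redis:7.4.2-alpine@sha256:5c30ac9c59d8fcddc368d0dd98f544b8b5ab3a981c633db59da7eff9d76b97cc";` and `image = "ghcr.io/goauthentik/server:${AUTHENTIK_VERSION}@sha256:7464a70c0d84df0816858106116a3306a80359b4300aa656c3a5ab790a38c229";`. The same applies to the worker container in the following `@ -140,7 +141,7 @@` hunk and to the podman module hunk `@ -28,21 +23,9 @@`, whose new TODO about pre-fetching describes the reproducibility side of this but not the integrity side. The `podman.containers` attribute set continues outside this hunk.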
@ -140,7 +141,7 @@
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
"authentik-worker" = {
|
"authentik-worker" = {
|
||||||
imageMetadata = import ./images/server.nix;
|
image = "ghcr.io/goauthentik/server:${AUTHENTIK_VERSION}";
|
||||||
user = "root";
|
user = "root";
|
||||||
autoStart = true;
|
autoStart = true;
|
||||||
cmd = [ "worker" ];
|
cmd = [ "worker" ];
|
|
@ -1,5 +0,0 @@
|
||||||
{
|
|
||||||
imageName = "docker.io/library/redis";
|
|
||||||
imageDigest = "sha256:5c30ac9c59d8fcddc368d0dd98f544b8b5ab3a981c633db59da7eff9d76b97cc"; # 7.4.2-alpine
|
|
||||||
sha256 = "8a4937f259307fa724fb1a9eac9862b5a9bfba555eba2a43e816cd40104e1692";
|
|
||||||
}
|
|
|
@ -1,5 +0,0 @@
|
||||||
{
|
|
||||||
imageName = "ghcr.io/goauthentik/server";
|
|
||||||
imageDigest = "sha256:7464a70c0d84df0816858106116a3306a80359b4300aa656c3a5ab790a38c229"; # 2024.12.3
|
|
||||||
sha256 = "fadbb55b7ae1d84d7322538101e933caa021582e5120828040c3883a18b1b3d5";
|
|
||||||
}
|
|
|
@ -10,5 +10,5 @@
|
||||||
# Services
|
# Services
|
||||||
sonarr = utils.mkRole (import ./sonarr.nix);
|
sonarr = utils.mkRole (import ./sonarr.nix);
|
||||||
traefik = utils.mkRole (import ./traefik.nix);
|
traefik = utils.mkRole (import ./traefik.nix);
|
||||||
authentik = utils.mkRole (import ./authentik);
|
authentik = utils.mkRole (import ./authentik.nix);
|
||||||
}
|
}
|
||||||
|
|
|
@ -5,12 +5,7 @@
|
||||||
'';
|
'';
|
||||||
|
|
||||||
nixosModule =
|
nixosModule =
|
||||||
{
|
{ lib, config, ... }:
|
||||||
pkgs,
|
|
||||||
lib,
|
|
||||||
config,
|
|
||||||
...
|
|
||||||
}:
|
|
||||||
{
|
{
|
||||||
options.podman = {
|
options.podman = {
|
||||||
containers = lib.mkOption {
|
containers = lib.mkOption {
|
||||||
|
@ -28,21 +23,9 @@
|
||||||
virtualisation.podman.defaultNetwork.settings.dns_enabled = true;
|
virtualisation.podman.defaultNetwork.settings.dns_enabled = true;
|
||||||
virtualisation.oci-containers.backend = "podman";
|
virtualisation.oci-containers.backend = "podman";
|
||||||
|
|
||||||
virtualisation.oci-containers.containers = lib.mapAttrs (
|
# TODO: Maybe we want to pre-fetch the images during build?
|
||||||
_: container:
|
# This would ensure the config always reproduces the exact same system
|
||||||
lib.mkMerge [
|
virtualisation.oci-containers.containers = cfg.containers;
|
||||||
(lib.mkIf (lib.hasAttr "imageMetadata" container) (
|
|
||||||
let
|
|
||||||
metadata = container.imageMetadata;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
image = "${metadata.imageName}:latest";
|
|
||||||
imageFile = pkgs.dockerTools.pullImage metadata;
|
|
||||||
}
|
|
||||||
))
|
|
||||||
(builtins.removeAttrs container [ "imageMetadata" ])
|
|
||||||
]
|
|
||||||
) cfg.containers;
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -51,6 +51,11 @@
|
||||||
host all all 127.0.0.1/32 md5
|
host all all 127.0.0.1/32 md5
|
||||||
host all all ::1/128 md5
|
host all all ::1/128 md5
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
# FIXME: For debug
|
||||||
|
settings = {
|
||||||
|
log_connections = true;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [
|
networking.firewall.allowedTCPPorts = [
|
||||||
|
|
|
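Review bot: `log_connections = true;` is added under a `# FIXME: For debug` marker, so a debugging setting is landing in the committed configuration; with it enabled PostgreSQL writes a line for every connection attempt, including client address, user and database, so the log grows with every health check and becomes a record of who connected. If the knob is meant to stay available, gate it on an explicit module option instead of a bare literal, otherwise drop the three added lines before merging. The enclosing service definition that `settings` belongs to starts outside the hunk, so the option path it hangs off cannot be confirmed here.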
@ -80,6 +80,11 @@
|
||||||
];
|
];
|
||||||
|
|
||||||
staticConfigOptions = {
|
staticConfigOptions = {
|
||||||
|
# FIXME: Remove this later
|
||||||
|
log.level = "DEBUG";
|
||||||
|
# FIXME: This is insecure
|
||||||
|
api.insecure = true;
|
||||||
|
|
||||||
entryPoints = {
|
entryPoints = {
|
||||||
web = {
|
web = {
|
||||||
address = ":80";
|
address = ":80";
|
||||||
|
|
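Review bot: `api.insecure = true;` lands in `staticConfigOptions` under a `# FIXME: This is insecure` marker; in Traefik this serves the API and dashboard on the dedicated `traefik` entrypoint (port 8080 by default) with no authentication, and the `log.level = "DEBUG";` line above it makes the log carry per-request detail. Whether that port is reachable from outside the host cannot be told from this hunk, but the FIXME already states that neither line is meant to stay. If the dashboard is wanted, replace the two settings with `api.dashboard = true;` and expose it through a router that carries an authentication middleware, and remove the `log.level` override once the debugging is done. The `staticConfigOptions` set continues outside the hunk.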