merge

modules/nixos/authentik/default.nix

@@ -0,0 +1,47 @@
+{
+  config,
+  lib,
+  namespace,
+  ...
+}:
+with lib;
+let
+  cfg = config.${namespace}.services.authentik;
+in
+{
+  imports = [ ./options.nix ];
+
+  config = mkIf cfg.enable {
+    services.authentik = {
+      enable = true;
+      environmentFile = cfg.environmentFile;
+      settings = {
+        port = cfg.port;
+      };
+    };
+
+    # Open firewall for authentik if enabled
+    networking.firewall = mkIf cfg.openFirewall {
+      allowedTCPPorts = [ cfg.port ];
+      allowedUDPPorts = [ cfg.port ];
+    };
+
+    # Ensure PostgreSQL is configured for authentik
+    services.postgresql = {
+      enable = mkDefault true;
+      ensureDatabases = [ "authentik" ];
+      ensureUsers = [
+        {
+          name = "authentik";
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+
+    # Ensure Redis is configured for authentik
+    services.redis.servers.authentik = {
+      enable = mkDefault true;
+      port = mkDefault 6379;
+    };
+  };
+}

modules/nixos/authentik/options.nix

@@ -0,0 +1,31 @@
+{ lib, namespace, ... }:
+with lib;
+{
+  options.${namespace}.services.authentik = {
+    enable = mkEnableOption "authentik identity provider";
+
+    port = mkOption {
+      type = types.port;
+      default = 9000;
+      description = "Port for authentik web interface";
+    };
+
+    openFirewall = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Whether to open firewall for authentik";
+    };
+
+    environmentFile = mkOption {
+      type = types.nullOr types.path;
+      default = null;
+      description = "Path to environment file containing authentik secrets";
+    };
+
+    dataDir = mkOption {
+      type = types.str;
+      default = "/var/lib/authentik";
+      description = "Data directory for authentik";
+    };
+  };
+}