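{
  config,
  lib,
  namespace,
  ...
}:
with lib;
let
  name = "authentik";
  # Per-service option sets produced by the project's mkModule helper. Only
  # `options = { }` is declared explicitly below, so port, environmentFile,
  # openFirewall, configDir, puid, pgid and timeZone are assumed to come from
  # mkModule's standard option set (they are already read via `cfg` here).
  cfg = config.${namespace}.services.${name};
  cfgRac = config.${namespace}.services."authentikRac";

  # authentik server together with its dedicated redis instance.
  authentikConfig = lib.${namespace}.mkModule {
    inherit config name;
    description = "authentik Service";
    options = { };
    moduleConfig = {
      services = {
        authentik = {
          enable = true;
          # Server secrets live in an environment file outside the Nix store
          # and outside this repository; nothing secret is inlined here.
          environmentFile = cfg.environmentFile;
          settings = {
            port = cfg.port;
          };
        };
        redis.servers.authentik = {
          enable = mkDefault true;
          port = mkDefault 6379;
        };
      };
      # Open the port authentik actually listens on (settings.port above).
      # The previous rule opened the literal 4822 on TCP and UDP, which is the
      # RAC container's *internal* guacd port, not authentik's listener, and
      # went out of sync with cfgRac.port as soon as that was changed. The RAC
      # host port is handled by the RAC module below under its own flag.
      networking.firewall = mkIf cfg.openFirewall {
        allowedTCPPorts = [ cfg.port ];
      };
    };
  };

  # authentik RAC (remote access) outpost, run as an OCI container.
  authentikRacConfig = lib.${namespace}.mkModule {
    inherit config;
    name = "authentikRac";
    description = "authentik_rac Service";
    options = { };
    moduleConfig = {
      # The container name keeps its historical "authenticRac" spelling on
      # purpose: renaming it would rename the generated systemd unit.
      virtualisation.oci-containers.containers."authenticRac" = {
        autoStart = true;
        # NOTE(review): no tag or digest is pinned, so every pull may yield a
        # different image; pin a tag or @sha256 digest for reproducible and
        # auditable deploys.
        image = "ghcr.io/goauthentik/rac";
        # Publishes guacd's container port 4822 on every host interface.
        # If only authentik on this host needs to reach it, bind to loopback
        # instead: "127.0.0.1:${toString cfgRac.port}:4822" — confirm against
        # how the outpost is reached in this deployment.
        ports = [ "${toString cfgRac.port}:4822" ];
        volumes = [
          "${cfg.configDir}/authentik-rac:/media"
        ];
        # AUTHENTIK_TOKEN is the outpost's bearer credential and must never be
        # a literal in this file: `environment` values are rendered into the
        # world-readable Nix store and the container's systemd unit, and this
        # file is committed to git. It is read from an environment file (one
        # KEY=VALUE per line, e.g. AUTHENTIK_TOKEN=...) that is deployed out of
        # band. The token that used to be hard-coded here has been exposed and
        # must be revoked/rotated in authentik.
        # Assumes cfgRac.environmentFile is provided by mkModule just like
        # cfg.environmentFile above — confirm.
        environmentFiles = [ cfgRac.environmentFile ];
        environment = {
          AUTHENTIK_HOST = "https://${name}.mjallen.dev";
          AUTHENTIK_INSECURE = "false"; # Set to true for self-signed certs
          # Ownership and timezone are deliberately shared with the authentik
          # service's settings (cfg, not cfgRac).
          PUID = toString cfg.puid;
          PGID = toString cfg.pgid;
          TZ = cfg.timeZone;
        };
      };
      # Expose the RAC host port only when asked to. guacd speaks TCP only, so
      # the former UDP rule is not carried over.
      networking.firewall = mkIf cfgRac.openFirewall {
        allowedTCPPorts = [ cfgRac.port ];
      };
    };
  };
in
{
  imports = [
    authentikConfig
    authentikRacConfig
  ];
}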