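{
  config,
  lib,
  namespace,
  ...
}:
with lib;
let
  name = "authentik";
  # Per-host settings for this service. The option set is declared by
  # lib.${namespace}.mkModule (not visible in this file) — presumably it
  # provides environmentFile, port, openFirewall, configDir, puid, pgid and
  # timeZone, since all of them are read below. TODO confirm against mkModule.
  cfg = config.${namespace}.services.${name};

  authentikConfig = lib.${namespace}.mkModule {
    inherit config name;
    description = "authentik Service";
    options = { };
    moduleConfig = {
      services = {
        authentik = {
          enable = true;
          # Secrets for the core service are read from this file, not from
          # the Nix store.
          environmentFile = cfg.environmentFile;
          settings = {
            port = cfg.port;
          };
        };
        redis.servers.authentik = {
          enable = mkDefault true;
          port = mkDefault 6379;
        };

        # postgresql = {
        #   enable = mkDefault true;
        #   ensureDatabases = [ name ];
        #   ensureUsers = [
        #     {
        #       name = name;
        #       ensureDBOwnership = true;
        #     }
        #   ];
        # };
      };

      # Open the firewall for the RAC outpost container (4822) if enabled.
      # NOTE(review): the core service's own port (cfg.port) is not opened
      # here — confirm that is intended (e.g. reached via a host reverse proxy).
      networking.firewall = mkIf cfg.openFirewall {
        allowedTCPPorts = [ 4822 ];
        # NOTE(review): the RAC listener is presumably TCP-only; confirm the
        # UDP rule is actually needed before keeping this exposure.
        allowedUDPPorts = [ 4822 ];
      };

      virtualisation.oci-containers.containers.authentik_rac = {
        autoStart = true;
        # NOTE(review): no tag or digest, so this resolves to :latest and can
        # change silently between pulls; pin a version or digest.
        image = "ghcr.io/goauthentik/rac";
        ports = [ "4822:4822" ];
        volumes = [ "${cfg.configDir}/authentik-rac:/media" ];
        # The outpost token is a credential and must not be written into this
        # file: it would be committed with the config and land world-readable
        # in the Nix store. It is read from cfg.environmentFile instead, which
        # must define AUTHENTIK_TOKEN=<token>. A token that was previously
        # embedded here should be treated as exposed and rotated in authentik.
        # NOTE(review): this file is shared with services.authentik above; if
        # it also holds the core secrets, consider a separate file so the
        # container only receives its own token.
        environmentFiles = [ cfg.environmentFile ];
        environment = {
          AUTHENTIK_HOST = "https://${name}.mjallen.dev";
          AUTHENTIK_INSECURE = "false"; # Set to true for self-signed certs
          PUID = toString cfg.puid;
          PGID = toString cfg.pgid;
          TZ = cfg.timeZone;
        };
      };
    };
  };
in
{
  imports = [ authentikConfig ];
}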