{
  config,
  lib,
  namespace,
  ...
}:
# Two modules for the authentik deployment on this host: the identity
# provider itself (wrapping the upstream services.authentik module) and its
# RAC outpost, which runs as an OCI container.
#
# NOTE: AUTHENTIK_TOKEN for the RAC outpost is stored in sops. Before deploying,
# add jallen-nas/authentik-rac/token to secrets/nas-secrets.yaml and make sure
# jallen-nas/sops.nix declares the "authentik-rac.env" template: the container
# reads the token from that rendered file, so evaluation fails (rather than
# silently starting without a token) if the template is missing.
let
  mkModule = lib.${namespace}.mkModule;

  # Option namespace for the identity provider and its per-host settings
  # (port, configDir, puid/pgid, timeZone, environmentFile). None of those
  # options are declared in this file; they come from mkModule.
  idpName = "authentik";
  idpCfg = config.${namespace}.services.${idpName};

  # The RAC outpost has its own option set, but its container keeps the
  # pre-existing (misspelt) name "authenticRac", so the option name and the
  # container/unit name are deliberately different.
  racOptionName = "authentikRac";
  racContainerName = "authenticRac";
  racCfg = config.${namespace}.services.${racOptionName};

  # NOTE(review): no tag or digest, so every pull follows the registry's
  # default tag and the outpost binary can change between rebuilds. Pin a
  # digest (image@sha256:...) once the deployed version is known.
  racImage = "ghcr.io/goauthentik/rac";

  # NOTE(review): no host address in the mapping, so the backend publishes
  # container port 4822 on all host interfaces. If only local components need
  # it, prefix with "127.0.0.1:" -- confirm against the outpost's requirements.
  racPortMapping = toString racCfg.port + ":4822";

  # Rendered sops template carrying the outpost token (see NOTE above).
  racEnvFile = config.sops.templates."authentik-rac.env".path;

  # Identity provider. The secret-bearing environment file and the listen
  # port are passed through from this module's options rather than written
  # here, so no credential lives in the Nix store via this file.
  idpModule = mkModule {
    inherit config;
    name = idpName;
    description = "authentik identity provider";
    options = { };
    moduleConfig.services.authentik = {
      enable = true;
      environmentFile = idpCfg.environmentFile;
      settings.port = idpCfg.port;
    };
  };

  # RAC outpost container. serviceName is the generated unit name, derived
  # from the legacy container name (the accompanying comment says the
  # backend is podman; backend selection itself lives outside this module).
  racModule = mkModule {
    inherit config;
    name = racOptionName;
    serviceName = "podman-" + racContainerName;
    description = "authentik RAC outpost";
    options = { };
    moduleConfig.virtualisation.oci-containers.containers.${racContainerName} = {
      autoStart = true;
      image = racImage;
      ports = [ racPortMapping ];
      # Outpost working data under the IdP's config directory.
      volumes = [ "${idpCfg.configDir}/authentik-rac:/media" ];
      environmentFiles = [ racEnvFile ];
      environment = {
        AUTHENTIK_HOST = "https://" + idpName + ".mjallen.dev";
        # Keep "false": this is TLS certificate verification for the
        # outpost -> IdP connection; "true" would accept any certificate.
        AUTHENTIK_INSECURE = "false";
        # NOTE(review): assumes the rac image honours PUID/PGID; if it does
        # not, the process runs as the image's default user -- confirm.
        PUID = toString idpCfg.puid;
        PGID = toString idpCfg.pgid;
        TZ = idpCfg.timeZone;
      };
    };
  };
in
{
  imports = [
    idpModule
    racModule
  ];
}