diff --git a/modules/authentik-server.nix b/modules/authentik-server.nix
new file mode 100644
index 0000000..0395181
--- /dev/null
+++ b/modules/authentik-server.nix
@@ -0,0 +1,132 @@
+{ config, lib, ... }:
+let
+ cfg = import ./vars.nix;
+ dbport = cfg.authentik.dbPort;
+ domain = cfg.authentik.domain;
+ redis = "6379";
+ port = cfg.authentik.port;
+ authentikEnvironment = {
+ TZ = "Europe/Berlin";
+ AUTHENTIK_REDIS__HOST = cfg.podman.hostIP;
+ AUTHENTIK_POSTGRESQL__HOST = cfg.podman.hostIP;
+ AUTHENTIK_POSTGRESQL__PORT = dbport;
+ AUTHENTIK_POSTGRESQL__NAME = "authentik";
+ AUTHENTIK_POSTGRESQL__USER = "authentik";
+ AUTHENTIK_POSTGRESQL__PASSWORD = "file://${config.sops.secrets."authentik/db".path}";
+ AUTHENTIK_SECRET_KEY = "file://${config.sops.secrets."authentik/secret".path}";
+ AUTHENTIK_EMAIL__HOST = cfg.mail.host;
+ AUTHENTIK_EMAIL__PORT = cfg.mail.port;
+ AUTHENTIK_EMAIL__USE_TLS = "true";
+ AUTHENTIK_EMAIL__FROM = "Authentik ";
+ };
+in
+{
+ imports = [
+ ./podman-postgresql.nix # for the database
+ ./nginx.nix # for the webserver
+ ];
+
+ sops.secrets."authentik/db" = {
+ owner = "mc-fucker"; # unfortunately, the UID of the container process can't
+ group = "nogroup"; # be changed, so it needs to be this user
+ };
+ sops.secrets."authentik/secret" = {
+ owner = "mc-fucker";
+ group = "nogroup";
+ };
+
+ services.podman-postgresql."authentik" = {
+ enable = true;
+ image = "docker.io/library/postgres:15-alpine";
+ port = (lib.strings.toInt dbport);
+ passwordFile = config.sops.secrets."authentik/db".path;
+ };
+
+
+ virtualisation.oci-containers.containers.redis = {
+ image = "docker.io/library/redis:alpine";
+ extraOptions = cfg.podman.extraOptions;
+ cmd = [ "--save 60 1" ];
+ volumes = [
+ "/var/lib/redis:/data"
+ ];
+ ports = [ "${redis}:${redis}" ];
+ environment = {
+ TZ = "Europe/Berlin";
+ };
+ };
+
+ virtualisation.oci-containers.containers.authentik-server = {
+ image = "ghcr.io/goauthentik/server";
+ extraOptions = cfg.podman.extraOptions;
+ cmd = [ "server" ];
+ dependsOn = [
+ "postgresql-authentik"
+ "redis"
+ ];
+ volumes = [
+ "/var/lib/authentik/media:/media"
+ "/var/lib/authentik/templates:/templates"
+ "${config.sops.secrets."authentik/db".path}:${config.sops.secrets."authentik/db".path}"
+ "${config.sops.secrets."authentik/secret".path}:${config.sops.secrets."authentik/secret".path}"
+ ];
+ ports = [ "${port}:${port}" ];
+ environment = authentikEnvironment;
+ };
+
+ virtualisation.oci-containers.containers.authentik-worker = {
+ image = "ghcr.io/goauthentik/server";
+ extraOptions = cfg.podman.extraOptions;
+ cmd = [ "worker" ];
+ dependsOn = [
+ "postgresql-authentik"
+ "redis"
+ ];
+ volumes = [
+ "/var/lib/authentik/media:/media"
+ "/var/lib/authentik/templates:/templates"
+ "${config.sops.secrets."authentik/db".path}:${config.sops.secrets."authentik/db".path}"
+ "${config.sops.secrets."authentik/secret".path}:${config.sops.secrets."authentik/secret".path}"
+ ];
+ environment = authentikEnvironment;
+ };
+
+
+ services.nginx = {
+
+ upstreams.authentik = {
+ servers."localhost:${port}" = {};
+ };
+
+ appendHttpConfig = ''
+ map $http_upgrade $connection_upgrade_keepalive {
+ default upgrade;
+ ''' ''';
+ }
+ '';
+
+ virtualHosts.${domain} = {
+ forceSSL = true;
+ enableACME = true;
+
+ locations."/" = {
+ proxyPass = "http://authentik";
+ extraConfig = ''
+ proxy_http_version 1.1;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade_keepalive;
+ '';
+ };
+
+ extraConfig = ''
+ access_log /var/log/nginx/${domain}_access.log;
+ error_log /var/log/nginx/${domain}_error.log;
+ '';
+ };
+ };
+
+}
+# vim: set et ts=2 sw=2 ai:
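Review bot: `ports = [ "${redis}:${redis}" ]` on the redis container and `ports = [ "${port}:${port}" ]` on authentik-server give no bind address, so both listeners are published on every host interface: Redis runs with no authentication (`--save 60 1` only configures persistence) while holding authentik's session and cache data, and authentik's plain-HTTP port becomes reachable directly, bypassing the `forceSSL` nginx front that only proxies `localhost:${port}`. Unless a host firewall not visible in this file blocks them, bind each port to the address that is actually used, `ports = [ "${cfg.podman.hostIP}:${redis}:${redis}" ];` for redis and `ports = [ "127.0.0.1:${port}:${port}" ];` for authentik-server, and consider adding a Redis password via `--requirepass` plus `AUTHENTIK_REDIS__PASSWORD`. Separately, `image = "ghcr.io/goauthentik/server"` carries no tag and therefore resolves to `latest`, so the identity provider silently upgrades to whatever is published the next time the image is pulled; pin a version tag or digest as is already done for postgres. The value `AUTHENTIK_EMAIL__FROM = "Authentik "` looks truncated (an angle-bracketed address may have been lost in rendering), so confirm the committed file contains a complete sender address.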