Allow for extra certs to be provided

2024-02-14 12:29:49 -08:00 · 2024-02-14 12:29:49 -08:00 · c7919fe478
parent 4c8601dac9
commit c7919fe478
1 changed files with 29 additions and 6 deletions
--- a/authentik-container.nix
+++ b/authentik-container.nix
@ -73,6 +73,14 @@ in {
      };
    };

+    extraCerts = mkOption {
+      type = attrsOf (listOf str);
+      description = ''
+        Map of certificate name to a list of certificates to make available to the
+              Authentik server (i.e. the public and optionally private keys).'';
+      default = { };
+    };
+
    uids = {
      authentik = mkOption {
        type = int;
@ -98,7 +106,21 @@ in {
        "d ${cfg.state-directory}/templates 0700 authentik          root - -"
        "d ${cfg.state-directory}/certs     0700 authentik          root - -"
      ];
-      services.arion-authentik = {
+      services = {
+        authentik-cert-copy = {
+          wantedBy = [ "arion-authentik.service" ];
+          before = [ "arion-authentik.service" ];
+          script = let
+            copyCommands = concatLists (mapAttrsToList (_: certs:
+              concatMap (cert:
+                let target = "${cfg.state-directory}/certs/${baseNameOf cert}";
+                in ''
+                  cp ${cert} ${target}
+                  chown authentik:root ${target}
+                '') certs)) cfg.extraCerts;
+          in concatStringsSep "\n" copyCommands;
+        };
+        arion-authentik = {
          after = [ "network-online.target" "podman.service" ];
          requires = [ "network-online.target" "podman.service" ];
          serviceConfig = {
@ -107,6 +129,7 @@ in {
          };
        };
      };
+    };

    users = {
      users = {