nixos-config/config/domain-config/informis.land/authentik.nix

{ authentikHost, ... }:

{ config, lib, pkgs, ... }:

with lib;
let
  hostname = config.instance.hostname;
  host = config.fudo.hosts."${hostname}";
  domainName = host.domain;
  zoneName = config.fudo.domains."${domainName}".zone;
  isAuthentik = hostname == authentikHost;
  authentikHostname = "authentik.${domainName}";
  smtpPasswd = pkgs.lib.passwd.stablerandom-passwd-file "authentik-smtp-passwd"
    config.instance.build-seed;

in {
  config = {
    fudo = {
      system-users.authentik = {
        description = "Aunthentik system user.";
        ldap-hashed-password =
          pkgs.lib.passwd.hash-ldap-passwd "authentik-smtp-passwd.hashed"
          smtpPasswd;
      };
      zones."${zoneName}".aliases.authentik = authentikHost;
    };

    systemd.services.arion-authentik = {
      requires = [ config.fudo.secrets.secret-target ];
      after = [ config.fudo.secrets.secret-target ];
    };

    services = {
      authentikContainer = mkIf isAuthentik {
        enable = true;
        images = {
          authentik = "ghcr.io/goauthentik/server:2023.8.3";
          postgres = "docker.io/library/postgres:12-alpine";
          redis = "docker.io/library/redis:alpine";
        };
        smtp = {
          host = "mail.fudo.org";
          password-file = smtpPasswd;
        };
      };

      nginx = mkIf isAuthentik {
        enable = true;
        recommendedOptimisation = true;
        recommendedProxySettings = true;
        virtualHosts = {
          "${authentikHostname}" = {
            enableACME = true;
            forceSSL = true;
            locations."/" = {
              proxyPass = "http://localhost:${
                  toString config.services.authentikContainer.ports.http
                }";
              proxyWebsockets = true;
            };
          };
        };
      };
    };

    security.acme.certs = mkIf isAuthentik (genAttrs [ authentikHostname ]
      (domain: {
        postRun = let
          dst =
            "${config.services.authentikContainer.state-directory}/certs/${domain}";
        in ''
          mkdir -p ${dst}
          cp -v {cert,chain,fullchain,full,key}.pem ${dst}/
          cp -v key.pem ${dst}/privkey.pem
          chown -R authentik ${dst}
        '';
      }));
  };
}
Huge commit...like usual I guess 2023-10-14 16:15:26 -07:00			`{ authentikHost, ... }:`

			`{ config, lib, pkgs, ... }:`

			`with lib;`
			`let`
			`hostname = config.instance.hostname;`
			`host = config.fudo.hosts."${hostname}";`
			`domainName = host.domain;`
			`zoneName = config.fudo.domains."${domainName}".zone;`
			`isAuthentik = hostname == authentikHost;`
			`authentikHostname = "authentik.${domainName}";`
			`smtpPasswd = pkgs.lib.passwd.stablerandom-passwd-file "authentik-smtp-passwd"`
			`config.instance.build-seed;`

			`in {`
			`config = {`
			`fudo = {`
			`system-users.authentik = {`
			`description = "Aunthentik system user.";`
			`ldap-hashed-password =`
			`pkgs.lib.passwd.hash-ldap-passwd "authentik-smtp-passwd.hashed"`
			`smtpPasswd;`
			`};`
			`zones."${zoneName}".aliases.authentik = authentikHost;`
			`};`

			`systemd.services.arion-authentik = {`
			`requires = [ config.fudo.secrets.secret-target ];`
			`after = [ config.fudo.secrets.secret-target ];`
			`};`

			`services = {`
			`authentikContainer = mkIf isAuthentik {`
			`enable = true;`
			`images = {`
			`authentik = "ghcr.io/goauthentik/server:2023.8.3";`
			`postgres = "docker.io/library/postgres:12-alpine";`
			`redis = "docker.io/library/redis:alpine";`
			`};`
			`smtp = {`
			`host = "mail.fudo.org";`
			`password-file = smtpPasswd;`
			`};`
			`};`

			`nginx = mkIf isAuthentik {`
			`enable = true;`
			`recommendedOptimisation = true;`
			`recommendedProxySettings = true;`
			`virtualHosts = {`
			`"${authentikHostname}" = {`
			`enableACME = true;`
			`forceSSL = true;`
			`locations."/" = {`
			`proxyPass = "http://localhost:${`
			`toString config.services.authentikContainer.ports.http`
			`}";`
			`proxyWebsockets = true;`
			`};`
			`};`
			`};`
			`};`
			`};`

			`security.acme.certs = mkIf isAuthentik (genAttrs [ authentikHostname ]`
			`(domain: {`
			`postRun = let`
			`dst =`
			`"${config.services.authentikContainer.state-directory}/certs/${domain}";`
			`in ''`
			`mkdir -p ${dst}`
			`cp -v {cert,chain,fullchain,full,key}.pem ${dst}/`
			`cp -v key.pem ${dst}/privkey.pem`
			`chown -R authentik ${dst}`
			`'';`
			`}));`
			`};`
			`}`