# Authentik (SSO) module: the host named by `authentikHost` runs the container
# stack behind an nginx TLS proxy; every host importing this module publishes
# the DNS alias and the LDAP password hash for the `authentik` account.
{ authentikHost, authentikImage, ... }:

{ config, lib, pkgs, ... }:

let
  inherit (lib) mkIf;

  hostname = config.instance.hostname;
  host = config.fudo.hosts.${hostname};
  domainName = host.domain;
  zoneName = config.fudo.domains.${domainName}.zone;

  # Only this host gets the container and the reverse proxy (see the mkIf guards below).
  isAuthentik = hostname == authentikHost;
  authentikHostname = "authentik.${domainName}";

  # One secret file backs both the LDAP password hash of the `authentik` user
  # and the SMTP password handed to the container.
  smtpPasswdFile =
    config.fudo.secrets.files.domain-secrets.${domainName}."authentik-smtp.passwd";

in {
  # Presumably turns the secret into an LDAP-style password hash for the
  # `authentik` account; the hash scheme lives in the fudo lib — confirm there.
  config.fudo.users.authentik.ldap-hashed-passwd =
    pkgs.lib.passwd.hash-ldap-passwd "authentik-smtp" smtpPasswdFile;

  # DNS: `authentik.<domain>` points at the designated host in the domain's zone.
  config.fudo.zones.${zoneName}.aliases.authentik = authentikHost;

  config.services.authentikContainer = mkIf isAuthentik {
    enable = true;
    images = {
      authentik = authentikImage;
      postgres = "docker.io/library/postgres:12-alpine";
      redis = "docker.io/library/redis:alpine";
    };
    smtp = {
      host = "mail.fudo.org";
      password-file = smtpPasswdFile;
    };
  };

  # TLS terminates at nginx (ACME + forceSSL); the hop to the container is
  # plain HTTP on loopback, on whatever port the container module exposes.
  # NOTE(review): recommendedTlsSettings is not enabled here — check whether
  # the nginx defaults meet the domain's TLS policy.
  config.services.nginx = mkIf isAuthentik {
    enable = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    virtualHosts.${authentikHostname} = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass =
          "http://localhost:${toString config.services.authentikContainer.ports.http}";
        proxyWebsockets = true;
      };
    };
  };
}