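# NixOS module for the Authentik identity provider.  Every host in the
# fleet evaluates this module: the shared pieces (the `authentik` system
# user and the DNS alias) are defined unconditionally, while the
# container, the reverse proxy, the unit ordering and the certificate
# hook are gated on `isAuthentik`, i.e. only on the host named by
# `authentikHost`.
{ authentikHost, ... }:
{ config, lib, pkgs, ... }:
with lib;
let
  hostname = config.instance.hostname;
  host = config.fudo.hosts."${hostname}";
  domainName = host.domain;
  zoneName = config.fudo.domains."${domainName}".zone;

  # True only on the host that actually runs the Authentik container.
  isAuthentik = hostname == authentikHost;
  authentikHostname = "authentik.${domainName}";

  # Password file for Authentik's SMTP account.  Derived from the
  # instance build seed, so the container's `smtp.password-file` and the
  # LDAP hash below are produced from the same secret.
  smtpPasswd = pkgs.lib.passwd.stablerandom-passwd-file
    "authentik-smtp-passwd" config.instance.build-seed;
in {
  config = {
    fudo = {
      # Directory account the container authenticates to the mail server
      # with; its LDAP hash is computed from the same `smtpPasswd` file.
      system-users.authentik = {
        description = "Authentik system user.";
        ldap-hashed-password = pkgs.lib.passwd.hash-ldap-passwd
          "authentik-smtp-passwd.hashed" smtpPasswd;
      };
      # DNS alias pointing authentik.<domain> at the hosting machine.
      zones."${zoneName}".aliases.authentik = authentikHost;
    };

    # The container unit must not start before the secret files it reads
    # are in place.  Gated on `isAuthentik` so hosts that do not run the
    # container do not end up with a stub unit that carries only
    # ordering directives.
    systemd.services.arion-authentik = mkIf isAuthentik {
      requires = [ config.fudo.secrets.secret-target ];
      after = [ config.fudo.secrets.secret-target ];
    };

    services = {
      authentikContainer = mkIf isAuthentik {
        enable = true;
        images = {
          authentik = "ghcr.io/goauthentik/server:2023.8.3";
          postgres = "docker.io/library/postgres:12-alpine";
          # NOTE(review): `redis:alpine` is a floating tag, so the image
          # actually pulled can change between deployments; pinning a
          # version (or a digest) would make the deployment reproducible.
          redis = "docker.io/library/redis:alpine";
        };
        smtp = {
          host = "mail.fudo.org";
          password-file = smtpPasswd;
        };
      };

      # TLS-terminating reverse proxy in front of the container's HTTP
      # port.
      nginx = mkIf isAuthentik {
        enable = true;
        recommendedOptimisation = true;
        recommendedProxySettings = true;
        virtualHosts."${authentikHostname}" = {
          enableACME = true;
          forceSSL = true;
          locations."/" = {
            proxyPass = "http://localhost:${
                toString config.services.authentikContainer.ports.http
              }";
            proxyWebsockets = true;
          };
        };
      };
    };

    # After every ACME run, copy the renewed certificate files into the
    # container's state directory (presumably so the container can
    # present the same certificate — confirm against the container
    # config).  key.pem, privkey.pem and full.pem carry the private key,
    # so the modes are set explicitly instead of being inherited from the
    # umask or from whatever a pre-existing destination file had.
    security.acme.certs = mkIf isAuthentik (genAttrs [ authentikHostname ]
      (domain: {
        postRun = let
          dst = "${config.services.authentikContainer.state-directory}/certs/${domain}";
        in ''
          mkdir -p ${dst}
          cp -v {cert,chain,fullchain,full,key}.pem ${dst}/
          cp -v key.pem ${dst}/privkey.pem
          chmod 0750 ${dst}
          chmod 0640 ${dst}/*.pem
          chown -R authentik ${dst}
        '';
      }));
  };
}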