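# NixOS module for the authentik identity-provider host.
#
# Every host evaluating this module publishes a DNS alias `authentik` in its
# domain's zone pointing at `authentikHost`.  Only the host whose name equals
# `authentikHost` additionally gets:
#   * the authentik container stack (services.authentikContainer),
#   * an nginx reverse proxy for authentik.<domain> behind ACME/TLS,
#   * a postRun hook that copies each issued certificate into the container
#     state directory.
{ authentikHost, ... }:
{ config, lib, pkgs, ... }:
with lib;
let
  hostname = config.instance.hostname;
  host = config.fudo.hosts."${hostname}";
  domainName = host.domain;
  zoneName = config.fudo.domains."${domainName}".zone;

  # Gate for everything except the zone alias.
  isAuthentik = hostname == authentikHost;
  authentikHostname = "authentik.${domainName}";

  # Names that receive a certificate but answer every HTTP request with 403.
  # NOTE(review): presumably retained so their certificates keep renewing
  # (the postRun hook below copies them into the authentik state dir) — confirm.
  blockedHostnames = [ "fudo.ldap.fudo.org" "selby.ldap.fudo.org" ];
  blockedVirtualHost = {
    enableACME = true;
    forceSSL = true;
    locations."/".return = "403 Forbidden";
  };

  # Copy a freshly issued certificate set into the container state directory.
  # `cp` does not preserve modes, so the copies are created under the ACME
  # service's umask; the files that embed the private key (key.pem, its
  # privkey.pem alias and full.pem, which bundles chain + key) are therefore
  # restricted to the owner before ownership is handed to authentik.
  certPostRun = domain:
    let
      dst = "${config.services.authentikContainer.state-directory}/certs/${domain}";
    in ''
      mkdir -p "${dst}"
      cp -v {cert,chain,fullchain,full,key}.pem "${dst}/"
      cp -v key.pem "${dst}/privkey.pem"
      chmod 0600 "${dst}/key.pem" "${dst}/privkey.pem" "${dst}/full.pem"
      chown -R authentik "${dst}"
    '';
in {
  config = {
    # Published on every host so the alias resolves regardless of where the
    # service actually runs.
    fudo.zones."${zoneName}".aliases.authentik = authentikHost;

    services = {
      authentikContainer = mkIf isAuthentik {
        enable = true;
        images = {
          authentik = "ghcr.io/goauthentik/server:2023.8.3";
          # NOTE(review): "12-alpine" and "alpine" are floating tags, so image
          # content can change underneath this config without a rebuild;
          # pinning by digest (image@sha256:<DIGEST-PLACEHOLDER>) makes
          # upgrades explicit and reviewable.
          postgres = "docker.io/library/postgres:12-alpine";
          redis = "docker.io/library/redis:alpine";
        };
        smtp = {
          host = "mail.fudo.org";
          # Secret is read from a file at runtime; it is never placed in the
          # Nix store by this module.
          password-file =
            config.fudo.secrets.files.service-passwords."${authentikHost}".authentik-smtp;
        };
      };

      nginx = mkIf isAuthentik {
        enable = true;
        recommendedOptimisation = true;
        recommendedProxySettings = true;
        virtualHosts = {
          "${authentikHostname}" = {
            enableACME = true;
            forceSSL = true;
            locations."/" = {
              # The container only listens on the loopback interface; the port
              # comes from the container module so the two stay in sync.
              proxyPass = "http://localhost:${
                  toString config.services.authentikContainer.ports.http
                }";
              proxyWebsockets = true;
            };
          };
        } // genAttrs blockedHostnames (_: blockedVirtualHost);
      };
    };

    security.acme.certs = mkIf isAuthentik
      (genAttrs ([ authentikHostname ] ++ blockedHostnames)
        (domain: { postRun = certPostRun domain; }));
  };
}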