nixos-config/config/domain-config/fudo.org/authentik.nix


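# Authentik identity provider for a fudo.org-style domain.
#
# The outer function receives the deployment parameters (which host runs
# Authentik and which container image to use); the inner function is the
# NixOS module proper.
{ authentikHost, authentikImage, ... }:
{ config, lib, pkgs, ... }:
with lib;
let
  hostname = config.instance.hostname;
  host = config.fudo.hosts."${hostname}";
  domainName = host.domain;
  zoneName = config.fudo.domains."${domainName}".zone;

  # Only the designated host runs the Authentik container and its nginx
  # front-end.  The LDAP user and the DNS alias below are defined on every
  # host that evaluates this module.
  isAuthentik = hostname == authentikHost;
  authentikHostname = "authentik.${domainName}";

  # Single source of truth for the SMTP secret: the same file feeds both the
  # LDAP password hash and the container's SMTP password.
  smtpPasswdFile =
    config.fudo.secrets.files.domain-secrets."${domainName}"."authentik-smtp.passwd";
in {
  config = {
    fudo = {
      # Store only a hash of the SMTP secret in LDAP; the clear text stays in
      # the secrets file.
      users.authentik.ldap-hashed-passwd =
        pkgs.lib.passwd.hash-ldap-passwd "authentik-smtp" smtpPasswdFile;
      zones."${zoneName}".aliases.authentik = authentikHost;
    };

    # The cert-copy unit reads deployed secrets, so order it after the secrets
    # target.  Scoped to the Authentik host: an unconditional `.after` defines
    # a bare authentik-cert-copy.service (no ExecStart) on every other host.
    # NOTE(review): assumes authentik-cert-copy is provided by the
    # authentikContainer module only when it is enabled — confirm.
    systemd.services.authentik-cert-copy = mkIf isAuthentik {
      after = [ "fudo-secrets.target" ];
    };

    services = {
      authentikContainer = mkIf isAuthentik {
        enable = true;
        images = {
          authentik = authentikImage;
          postgres = "docker.io/library/postgres:12-alpine";
          redis = "docker.io/library/redis:alpine";
        };
        smtp = {
          host = "mail.fudo.org";
          password-file = smtpPasswdFile;
        };
      };

      # TLS-terminating reverse proxy in front of the container.  The backend
      # is reached over plain HTTP on the loopback interface only.
      nginx = mkIf isAuthentik {
        enable = true;
        recommendedOptimisation = true;
        recommendedProxySettings = true;
        # Hardened protocol/cipher defaults for an internet-facing IdP.
        recommendedTlsSettings = true;
        virtualHosts."${authentikHostname}" = {
          enableACME = true;
          forceSSL = true;
          locations."/" = {
            proxyPass = "http://localhost:${
                toString config.services.authentikContainer.ports.http
              }";
            # Authentik's UI/outposts use websockets; forward Upgrade headers.
            proxyWebsockets = true;
          };
        };
      };
    };
  };
}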