76 lines
2.2 KiB
Nix
76 lines
2.2 KiB
Nix
{ authentikHost, ... }:
|
|
|
|
{ config, lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
let
|
|
hostname = config.instance.hostname;
|
|
host = config.fudo.hosts."${hostname}";
|
|
domainName = host.domain;
|
|
zoneName = config.fudo.domains."${domainName}".zone;
|
|
isAuthentik = hostname == authentikHost;
|
|
authentikHostname = "authentik.${domainName}";
|
|
in {
|
|
config = {
|
|
fudo.zones."${zoneName}".aliases.authentik = authentikHost;
|
|
|
|
services = {
|
|
authentikContainer = mkIf isAuthentik {
|
|
enable = true;
|
|
images = {
|
|
authentik = "ghcr.io/goauthentik/server:2023.8.3";
|
|
postgres = "docker.io/library/postgres:12-alpine";
|
|
redis = "docker.io/library/redis:alpine";
|
|
};
|
|
smtp = {
|
|
host = "mail.fudo.org";
|
|
password-file =
|
|
config.fudo.secrets.files.service-passwords."${authentikHost}".authentik-smtp;
|
|
};
|
|
};
|
|
|
|
nginx = mkIf isAuthentik {
|
|
enable = true;
|
|
recommendedOptimisation = true;
|
|
recommendedProxySettings = true;
|
|
virtualHosts = {
|
|
"${authentikHostname}" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
locations."/" = {
|
|
proxyPass = "http://localhost:${
|
|
toString config.services.authentikContainer.ports.http
|
|
}";
|
|
proxyWebsockets = true;
|
|
};
|
|
};
|
|
"fudo.ldap.fudo.org" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
locations."/".return = "403 Forbidden";
|
|
};
|
|
"selby.ldap.fudo.org" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
locations."/".return = "403 Forbidden";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
security.acme.certs = mkIf isAuthentik
|
|
(genAttrs [ authentikHostname "fudo.ldap.fudo.org" "selby.ldap.fudo.org" ]
|
|
(domain: {
|
|
postRun = let
|
|
dst =
|
|
"${config.services.authentikContainer.state-directory}/certs/${domain}";
|
|
in ''
|
|
mkdir -p ${dst}
|
|
cp -v {cert,chain,fullchain,full,key}.pem ${dst}/
|
|
cp -v key.pem ${dst}/privkey.pem
|
|
chown -R authentik ${dst}
|
|
'';
|
|
}));
|
|
};
|
|
}
|