nixos-config/config/domain-config/informis.land/authentik.nix


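{ authentikHost, ... }:
{ config, lib, pkgs, ... }:
# Authentik identity provider for this domain: declares the system user, the
# DNS alias, the container definition, the nginx reverse proxy and the ACME
# certificate hand-off. Everything that actually runs the service is gated on
# `isAuthentik`, so the module can be imported on every host of the domain.
with lib;
let
  hostname = config.instance.hostname;
  host = config.fudo.hosts."${hostname}";
  domainName = host.domain;
  zoneName = config.fudo.domains."${domainName}".zone;
  # Only the designated host runs Authentik; the others only learn the DNS
  # alias and the system user.
  isAuthentik = hostname == authentikHost;
  authentikHostname = "authentik.${domainName}";
  # Deterministic SMTP password derived from the deployment's build seed.
  # NOTE(review): if this helper materialises the file in the Nix store it is
  # world-readable on every host that evaluates this module — confirm where
  # the file actually lands.
  smtpPasswd = pkgs.lib.passwd.stablerandom-passwd-file "authentik-smtp-passwd"
    config.instance.build-seed;
in {
  config = {
    fudo = {
      system-users.authentik = {
        description = "Authentik system user.";
        # The LDAP bind password is the same secret Authentik uses for SMTP.
        ldap-hashed-password =
          pkgs.lib.passwd.hash-ldap-passwd "authentik-smtp-passwd.hashed"
          smtpPasswd;
      };
      zones."${zoneName}".aliases.authentik = authentikHost;
    };

    # Make the arion project wait for secrets. Gated like everything else so
    # that non-authentik hosts do not grow an empty arion-authentik unit.
    systemd.services.arion-authentik = mkIf isAuthentik {
      requires = [ config.fudo.secrets.secret-target ];
      after = [ config.fudo.secrets.secret-target ];
    };

    services = {
      authentikContainer = mkIf isAuthentik {
        enable = true;
        # NOTE(review): authentik and postgres are pinned, but `redis:alpine`
        # is a floating tag and will change underneath a rebuild — consider
        # pinning it the same way.
        images = {
          authentik = "ghcr.io/goauthentik/server:2023.8.3";
          postgres = "docker.io/library/postgres:12-alpine";
          redis = "docker.io/library/redis:alpine";
        };
        smtp = {
          host = "mail.fudo.org";
          password-file = smtpPasswd;
        };
      };

      # TLS termination and reverse proxy in front of the container's HTTP port.
      nginx = mkIf isAuthentik {
        enable = true;
        recommendedOptimisation = true;
        recommendedProxySettings = true;
        virtualHosts."${authentikHostname}" = {
          enableACME = true;
          forceSSL = true;
          locations."/" = {
            proxyPass = "http://localhost:${
                toString config.services.authentikContainer.ports.http
              }";
            proxyWebsockets = true;
          };
        };
      };
    };

    # After every issuance/renewal, copy the certificate material into the
    # container's state directory so Authentik can present the same
    # certificate itself. The private key ends up owned by the authentik
    # user, so that directory must stay out of any wider share/backup scope.
    security.acme.certs = mkIf isAuthentik (genAttrs [ authentikHostname ]
      (domain: {
        postRun = let
          dst =
            "${config.services.authentikContainer.state-directory}/certs/${domain}";
        in ''
          mkdir -p "${dst}"
          cp -v {cert,chain,fullchain,full,key}.pem "${dst}/"
          cp -v key.pem "${dst}/privkey.pem"
          chown -R authentik "${dst}"
        '';
      }));
  };
}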