From f27bacde3772886ebdf5ae75b60d71cf24089071 Mon Sep 17 00:00:00 2001
From: teidesu
Date: Tue, 17 Sep 2024 01:04:08 +0300
Subject: [PATCH] feat(koi): authentik
---
 hosts/koi/containers/authentik/default.nix | 77 +++++++++++++++++++++
 secrets/authentik-env.age | Bin 0 -> 561 bytes
 2 files changed, 77 insertions(+)
 create mode 100644 hosts/koi/containers/authentik/default.nix
 create mode 100644 secrets/authentik-env.age
diff --git a/hosts/koi/containers/authentik/default.nix b/hosts/koi/containers/authentik/default.nix
new file mode 100644
index 0000000..b0236e8
--- /dev/null
+++ b/hosts/koi/containers/authentik/default.nix
@@ -0,0 +1,77 @@
+{ abs, pkgs, config, ... }@inputs:
+
+let
+ secrets = import (abs "lib/secrets.nix");
+
+ UID = 1110;
+ sharedConfig = {
+ image = "ghcr.io/goauthentik/server:2024.8.2";
+ dependsOn = [ "authentik-redis" ];
+ environment = {
+ AUTHENTIK_POSTGRESQL__HOST = "172.17.0.1";
+ AUTHENTIK_POSTGRESQL__USER = "authentik";
+ AUTHENTIK_POSTGRESQL__PASSWORD = "authentik";
+ AUTHENTIK_POSTGRESQL__NAME = "authentik";
+ AUTHENTIK_REDIS__HOST = "authentik-redis.docker";
+ };
+ volumes = [
+ "/mnt/puffer/authentik/media:/media"
+ "/mnt/puffer/authentik/templates:/templates"
+ ];
+ user = builtins.toString UID;
+ environmentFiles = [
+ (secrets.file config "authentik-env")
+ ];
+ };
+in {
+ imports = [
+ # email related + AUTHENTIK_SECRET_KEY
+ (secrets.declare [{
+ name = "authentik-env";
+ owner = "authentik";
+ }])
+ ];
+
+ users.users.authentik = {
+ isNormalUser = true;
+ uid = UID;
+ };
+
+ services.postgresql.ensureUsers = [
+ { name = "authentik"; ensureDBOwnership = true; }
+ ];
+ services.postgresql.ensureDatabases = [ "authentik" ];
+ desu.postgresql.ensurePasswords.authentik = "authentik";
+
+ virtualisation.oci-containers.containers.authentik-redis = {
+ image = "docker.io/redis:7.0-alpine";
+ volumes = [
+ "/mnt/puffer/authentik/redis:/data"
+ ];
+ user = builtins.toString UID;
+ };
+
+ virtualisation.oci-containers.containers.authentik-server = sharedConfig // {
+ cmd = [ "server" ];
+ };
+ systemd.services.docker-authentik-server.after = [ "postgresql.service" ];
+
+ virtualisation.oci-containers.containers.authentik-worker = sharedConfig // {
+ cmd = [ "worker" ];
+ };
+ systemd.services.docker-authentik-worker.after = [ "postgresql.service" ];
+
+ systemd.tmpfiles.rules = [
+ "d /mnt/puffer/authentik 0777 root root -"
+ ];
+
+ services.nginx.virtualHosts."id.stupid.fish" = {
+ forceSSL = true;
+ useACMEHost = "stupid.fish";
+
+ locations."/" = {
+ proxyPass = "http://authentik-server.docker:9000$request_uri";
+ proxyWebsockets = true;
+ };
+ };
+}
\ No newline at end of file
diff --git a/secrets/authentik-env.age b/secrets/authentik-env.age
new file mode 100644
index 0000000000000000000000000000000000000000..e2ca917e1f8d9e3c65b14494cd99b29b2b4c9fe5
GIT binary patch
literal 561
zcmV-10?z$mXJsvAZewzJaCB*JZZ2( zb9!tqIC@W4D{3$~Yer}^Yj;mcYcEDxIdFGvYEV*3bxJZ%Vr*+KM{5dJR%>Hpd3R+r zYvcM1GxmGY%1*eW8)2 z?()PDb>;yCD(n1+WxxE3{w&8#+_u!uEU0M`h2m9wT22mBhte?{e%qE}$Z!U^5Am?3 zhB$BBLmbdve zt3fgJk0pgEi*OGV7=loPuC=cE&VXpw{iJCc1Y!sngZ${=PxXoj5k@RaShqT8Rn9Jn zF&{z%G9%Nh_UkYO-h;
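Review bot: The PostgreSQL password is committed in clear text twice in this hunk, as `AUTHENTIK_POSTGRESQL__PASSWORD = "authentik";` inside sharedConfig and again as `desu.postgresql.ensurePasswords.authentik = "authentik";`, and the database is addressed at the Docker bridge gateway 172.17.0.1, so presumably any container on that bridge can log in with a guessable credential. The hunk already declares the age-encrypted `authentik-env` file for AUTHENTIK_SECRET_KEY, so the password belongs there as well: drop the environment entry in favour of the secret file and, if the project's `desu.postgresql.ensurePasswords` option can read from a file, point it at the same secret, otherwise at least replace the literal with a randomly generated value that is not stored in the repository. Separately, `"d /mnt/puffer/authentik 0777 root root -"` makes the data root world-writable for every local user; since both containers run as UID 1110, `"d /mnt/puffer/authentik 0750 authentik users -"` together with matching rules for the media, templates and redis subdirectories gives the containers what they need without the open permissions.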