feat(koi): authentik
This commit is contained in:
parent
7aa01c52af
commit
f27bacde37
SSH key fingerprint:
SHA256:uNeCpw6aTSU4aIObXLvHfLkDa82HWH9EiOj9AXOIRpI
2 changed files with 77 additions and 0 deletions
77
hosts/koi/containers/authentik/default.nix
Normal file
77
hosts/koi/containers/authentik/default.nix
Normal file
|
|
@ -0,0 +1,77 @@
|
||||||
|
{ abs, pkgs, config, ... }@inputs:
|
||||||
|
|
||||||
|
let
|
||||||
|
secrets = import (abs "lib/secrets.nix");
|
||||||
|
|
||||||
|
UID = 1110;
|
||||||
|
sharedConfig = {
|
||||||
|
image = "ghcr.io/goauthentik/server:2024.8.2";
|
||||||
|
dependsOn = [ "authentik-redis" ];
|
||||||
|
environment = {
|
||||||
|
AUTHENTIK_POSTGRESQL__HOST = "172.17.0.1";
|
||||||
|
AUTHENTIK_POSTGRESQL__USER = "authentik";
|
||||||
|
AUTHENTIK_POSTGRESQL__PASSWORD = "authentik";
|
||||||
|
AUTHENTIK_POSTGRESQL__NAME = "authentik";
|
||||||
|
AUTHENTIK_REDIS__HOST = "authentik-redis.docker";
|
||||||
|
};
|
||||||
|
volumes = [
|
||||||
|
"/mnt/puffer/authentik/media:/media"
|
||||||
|
"/mnt/puffer/authentik/templates:/templates"
|
||||||
|
];
|
||||||
|
user = builtins.toString UID;
|
||||||
|
environmentFiles = [
|
||||||
|
(secrets.file config "authentik-env")
|
||||||
|
];
|
||||||
|
};
|
||||||
|
in {
|
||||||
|
imports = [
|
||||||
|
# email related + AUTHENTIK_SECRET_KEY
|
||||||
|
(secrets.declare [{
|
||||||
|
name = "authentik-env";
|
||||||
|
owner = "authentik";
|
||||||
|
}])
|
||||||
|
];
|
||||||
|
|
||||||
|
users.users.authentik = {
|
||||||
|
isNormalUser = true;
|
||||||
|
uid = UID;
|
||||||
|
};
|
||||||
|
|
||||||
|
services.postgresql.ensureUsers = [
|
||||||
|
{ name = "authentik"; ensureDBOwnership = true; }
|
||||||
|
];
|
||||||
|
services.postgresql.ensureDatabases = [ "authentik" ];
|
||||||
|
desu.postgresql.ensurePasswords.authentik = "authentik";
|
||||||
|
|
||||||
|
virtualisation.oci-containers.containers.authentik-redis = {
|
||||||
|
image = "docker.io/redis:7.0-alpine";
|
||||||
|
volumes = [
|
||||||
|
"/mnt/puffer/authentik/redis:/data"
|
||||||
|
];
|
||||||
|
user = builtins.toString UID;
|
||||||
|
};
|
||||||
|
|
||||||
|
virtualisation.oci-containers.containers.authentik-server = sharedConfig // {
|
||||||
|
cmd = [ "server" ];
|
||||||
|
};
|
||||||
|
systemd.services.docker-authentik-server.after = [ "postgresql.service" ];
|
||||||
|
|
||||||
|
virtualisation.oci-containers.containers.authentik-worker = sharedConfig // {
|
||||||
|
cmd = [ "worker" ];
|
||||||
|
};
|
||||||
|
systemd.services.docker-authentik-worker.after = [ "postgresql.service" ];
|
||||||
|
|
||||||
|
systemd.tmpfiles.rules = [
|
||||||
|
"d /mnt/puffer/authentik 0777 root root -"
|
||||||
|
];
|
||||||
|
|
||||||
|
services.nginx.virtualHosts."id.stupid.fish" = {
|
||||||
|
forceSSL = true;
|
||||||
|
useACMEHost = "stupid.fish";
|
||||||
|
|
||||||
|
locations."/" = {
|
||||||
|
proxyPass = "http://authentik-server.docker:9000$request_uri";
|
||||||
|
proxyWebsockets = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
BIN
secrets/authentik-env.age
Normal file
BIN
secrets/authentik-env.age
Normal file
Binary file not shown.
Loading…
Reference in a new issue