authorMax Audron <audron@cocaine.farm>2023-10-13 17:36:53 +0200
committerMax Audron <audron@cocaine.farm>2023-10-13 17:37:58 +0200
commit9e30ed04224144829d946335f3d43353aff24bc9 (patch)
treec6c213d0e504fc51a70aeb6a5747af3f9c4b78e5 /modules/authentik/default.nix
parentset bgp router-id (diff)
deploy authentik
Diffstat (limited to 'modules/authentik/default.nix')
-rw-r--r--modules/authentik/default.nix118
1 files changed, 117 insertions, 1 deletions
diff --git a/modules/authentik/default.nix b/modules/authentik/default.nix
index 865d469..5291235 100644
--- a/modules/authentik/default.nix
+++ b/modules/authentik/default.nix
@@ -1,5 +1,121 @@
-{ config, lib, pkgs, ... }:
+{ self, config, lib, pkgs, ... }:
+with self.lib.nginx;
+
+let version = "2023.8.3";
+in
{
+ virtualisation.oci-containers.backend = "podman";
+ virtualisation.oci-containers.containers = {
+ authentik-redis = {
+ image = "docker.io/library/redis:alpine";
+ cmd = [ "--save" "60" "1" "--loglevel" "warning" ];
+ autoStart = true;
+ volumes = [
+ "/var/lib/authentik/redis:/data"
+ ];
+ ports = [
+ "10.10.0.1:6379:6379"
+ ];
+ };
+ authentik-server = {
+ image = "ghcr.io/goauthentik/server:${version}";
+ environmentFiles = [ "/etc/secrets/authentik/container.env" ];
+ cmd = [ "server" ];
+ autoStart = true;
+ ports = [
+ # "10.10.0.1:9000:9000"
+ "10.10.0.1:9443:9443"
+ ];
+ };
+ authentik-worker = {
+ image = "ghcr.io/goauthentik/server:${version}";
+ environmentFiles = [ "/etc/secrets/authentik/container.env" ];
+ cmd = [ "worker" ];
+ autoStart = true;
+ volumes = [
+ "/var/lib/authentik/media:/media"
+ "/var/lib/authentik/certs:/certs"
+ "/var/lib/authentik/templates:/templates"
+ ];
+ };
+ authentik-ldap = {
+ image = "ghcr.io/goauthentik/ldap:${version}";
+ environmentFiles = [ "/etc/secrets/authentik/ldap.env" ];
+ autoStart = true;
+ ports = [
+ "389:3389"
+ "636:6636"
+ ];
+ };
+ authentik-proxy = {
+ image = "ghcr.io/goauthentik/proxy:${version}";
+ environmentFiles = [ "/etc/secrets/authentik/proxy.env" ];
+ autoStart = true;
+ ports = [
+ "10.10.0.1:9444:9443"
+ ];
+ };
+ };
+
+ # Allow binding of root ports for the ldap container
+ # systemd.services.podman-authentik-ldap = {
+ # serviceConfig = {
+ # AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+ # };
+ # };
+
+ security.acme.certs = {
+ "vapor.systems" = {
+ extraDomainNames = [ "*.vapor.systems" ];
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "auth.vapor.systems" = {
+ addSSL = true;
+ useACMEHost = "vapor.systems";
+ locations."/" = {
+ proxyPass = "https://10.10.0.1:9443/";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_pass_header Authorization;
+
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ proxy_set_header Upgrade $http_upgrade;
+ '';
+ };
+ };
+ };
+ };
+
+ services.postgresql = {
+ ensureDatabases = [ "authentik" ];
+
+ ensureUsers = [
+ {
+ name = "authentik";
+ ensurePermissions = { "DATABASE authentik" = "ALL PRIVILEGES"; };
+ }
+ ];
+ };
+ secrets = {
+ authentik = {
+ source = ../../secrets/authentik/container.env;
+ dest = "/etc/secrets/authentik/container.env";
+ };
+ authentik-ldap = {
+ source = ../../secrets/authentik/ldap.env;
+ dest = "/etc/secrets/authentik/ldap.env";
+ };
+ authentik-proxy = {
+ source = ../../secrets/authentik/proxy.env;
+ dest = "/etc/secrets/authentik/proxy.env";
+ };
+ };
}
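Review bot: The `authentik-ldap` port mappings `"389:3389"` and `"636:6636"` carry no host address, so podman publishes them on every interface, while every other container in this file is pinned to `10.10.0.1`; port 389 is cleartext LDAP, so this is the one service that should not be reachable more widely than the rest. Unless a host firewall outside this module restricts it, the consistent form is `"10.10.0.1:389:3389"` and `"10.10.0.1:636:6636"`. The same bind address also exposes `authentik-redis` on 6379 with no authentication configured in `cmd`, which is only acceptable if 10.10.0.1 is not reachable from outside the host — worth a comment stating that assumption next to the `ports` list. Separately, the images are pinned by mutable tag via `version` rather than by digest, and `with self.lib.nginx;` on line 23 appears unused in this file.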