Diffstat (limited to 'modules')
-rw-r--r--modules/authentik/authentik-outpost-ldap.nix17
-rw-r--r--modules/authentik/authentik-outpost-proxy.nix17
-rw-r--r--modules/authentik/authentik-server.nix33
-rw-r--r--modules/authentik/authentik-web.nix27
-rw-r--r--modules/authentik/authentik.nix102
-rw-r--r--modules/authentik/default.nix118
-rw-r--r--modules/authentik/pyproject.diff28
l---------modules/authentik/result1
-rw-r--r--modules/default.nix1
9 files changed, 118 insertions, 226 deletions
diff --git a/modules/authentik/authentik-outpost-ldap.nix b/modules/authentik/authentik-outpost-ldap.nix
deleted file mode 100644
index e2031cc..0000000
--- a/modules/authentik/authentik-outpost-ldap.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{ lib, stdenv, buildGoModule, fetchFromGitHub, ... }:
-
-buildGoModule rec {
- pname = "authentik-outpost-ldap";
- version = "2023.8.3";
-
- src = fetchFromGitHub {
- owner = "goauthentik";
- repo = "authentik";
- rev = "version/${version}";
- hash = "sha256-dpGvxhA5NWO8LKrGXzalV9EVn/nUIj6sMy2HdY5tjlM=";
- };
-
- vendorHash = "sha256-F3JzzL6Gg9H4qdmp4MbQFupccATYIUIFL05is6xzoZY=";
-
- subPackages = [ "cmd/ldap" ];
-}
diff --git a/modules/authentik/authentik-outpost-proxy.nix b/modules/authentik/authentik-outpost-proxy.nix
deleted file mode 100644
index ee19267..0000000
--- a/modules/authentik/authentik-outpost-proxy.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{ lib, stdenv, buildGoModule, fetchFromGitHub, ... }:
-
-buildGoModule rec {
- pname = "authentik-outpost-proxy";
- version = "2023.8.3";
-
- src = fetchFromGitHub {
- owner = "goauthentik";
- repo = "authentik";
- rev = "version/${version}";
- hash = "sha256-dpGvxhA5NWO8LKrGXzalV9EVn/nUIj6sMy2HdY5tjlM=";
- };
-
- vendorHash = "sha256-F3JzzL6Gg9H4qdmp4MbQFupccATYIUIFL05is6xzoZY=";
-
- subPackages = [ "cmd/proxy" ];
-}
diff --git a/modules/authentik/authentik-server.nix b/modules/authentik/authentik-server.nix
deleted file mode 100644
index 8fefc95..0000000
--- a/modules/authentik/authentik-server.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-{ lib, stdenv, buildGoModule, fetchFromGitHub, python3Packages, makeWrapper, callPackage, ... }:
-
-let authentik = callPackage ./authentik.nix { };
-in
-buildGoModule rec {
- pname = "authentik-server";
- version = "2023.8.3";
-
- src = fetchFromGitHub {
- owner = "goauthentik";
- repo = "authentik";
- rev = "version/${version}";
- hash = "sha256-dpGvxhA5NWO8LKrGXzalV9EVn/nUIj6sMy2HdY5tjlM=";
- };
-
- vendorHash = "sha256-F3JzzL6Gg9H4qdmp4MbQFupccATYIUIFL05is6xzoZY=";
-
- subPackages = [ "cmd/server" ];
-
- postPatch = ''
- substituteInPlace internal/gounicorn/gounicorn.go \
- --replace "./manage.py" "${authentik}/bin/manage.py"
-
- substituteInPlace internal/gounicorn/gounicorn.go \
- --replace "./lifecycle" "${authentik}/bin"
- '';
-
- postInstall = ''
- wrapProgram "$out/bin/server" --set PATH ${python3Packages.gunicorn}/bin
- '';
-
- nativeBuildInputs = [ makeWrapper ];
-}
diff --git a/modules/authentik/authentik-web.nix b/modules/authentik/authentik-web.nix
deleted file mode 100644
index 3fbf416..0000000
--- a/modules/authentik/authentik-web.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-{ lib, stdenv, buildNpmPackage, fetchFromGitHub, python3, ... }:
-
-buildNpmPackage rec {
- pname = "authentik-web";
- version = "2023.8.3";
-
- src = fetchFromGitHub {
- owner = "goauthentik";
- repo = "authentik";
- rev = "version/${version}";
- hash = "sha256-dpGvxhA5NWO8LKrGXzalV9EVn/nUIj6sMy2HdY5tjlM=";
- };
-
- sourceRoot = "source/web";
-
- npmDepsHash = "sha256-kCKtrsUA7VLHzf9SR/UW1z3RCpQc5r5sa/f4dxonTZ0=";
- npmPackFlags = [ "--ignore-scripts" ];
- npmBuildScript = "build";
-
- nativeBuildInputs = [ python3 ];
-
- installPhase = ''
- mkdir $out
- cp -r dist/ $out/
- cp -r authentik/ $out/
- '';
-}
diff --git a/modules/authentik/authentik.nix b/modules/authentik/authentik.nix
deleted file mode 100644
index 5b87de7..0000000
--- a/modules/authentik/authentik.nix
+++ /dev/null
@@ -1,102 +0,0 @@
-{ lib, stdenv, python3Packages, poetry, codespell, callPackage, ... }:
-
-with python3Packages;
-
-let
- server = callPackage ./authentik-server.nix { };
- web = callPackage ./authentik-web.nix { };
-in
-buildPythonPackage rec {
- pname = "authentik";
- version = "2023.8.3";
-
- format = "pyproject";
- src = pkgs.fetchFromGitHub {
- owner = "goauthentik";
- repo = pname;
- rev = "version/${version}";
- hash = "sha256-dpGvxhA5NWO8LKrGXzalV9EVn/nUIj6sMy2HdY5tjlM=";
- };
-
- patches = [ ./pyproject.diff ];
-
- postPatch = ''
- substituteInPlace pyproject.toml \
- --replace "psycopg2-binary" "psycopg2"
-
- substituteInPlace lifecycle/ak \
- --replace "python -m manage" "${placeholder "out"}/bin/manage.py"
- patchShebangs lifecycle/ak
- '';
-
- postInstall = ''
- cp -a ./lifecycle $out/${python.sitePackages}
- cp -a ./lifecycle/gunicorn.conf.py $out/bin/gunicorn.py
- chmod +x $out/bin/gunicorn.py
- cp -a ./manage.py $out/bin/manage.py
- '';
-
- passthru.proxy = callPackage ./authentik-outpost-proxy.nix { };
-
- propagatedBuildInputs = [
- poetry
- poetry-core
-
- psycopg2
- argon2-cffi
- celery
- channels
- channels-redis
- codespell
- colorama
- dacite
- deepmerge
- defusedxml
- django
- django-filter
- django-guardian
- django-model-utils
- django-otp
- django-prometheus
- django-redis
- djangorestframework
- djangorestframework-guardian
- docker
- drf-spectacular
- duo-client
- facebook-sdk
- flower
- geoip2
- gunicorn
- kubernetes
- ldap3
- lxml
- opencontainers
- packaging
- paramiko
- psycopg
- pycryptodome
- pydantic
- pydantic-scim
- pyjwt
- pyyaml
- requests-oauthlib
- sentry-sdk
- service-identity
- structlog
- swagger-spec-validator
- twilio
- twisted
- ua-parser
- urllib3
- uvicorn
- watchdog
- webauthn
- wsproto
- xmlsec
- zxcvbn
- jsonpatch
- ]
- ++ channels.optional-dependencies.daphne
- ++ uvicorn.optional-dependencies.standard;
-}
diff --git a/modules/authentik/default.nix b/modules/authentik/default.nix
index 865d469..5291235 100644
--- a/modules/authentik/default.nix
+++ b/modules/authentik/default.nix
@@ -1,5 +1,121 @@
-{ config, lib, pkgs, ... }:
+{ self, config, lib, pkgs, ... }:
+with self.lib.nginx;
+
+let version = "2023.8.3";
+in
{
+ virtualisation.oci-containers.backend = "podman";
+ virtualisation.oci-containers.containers = {
+ authentik-redis = {
+ image = "docker.io/library/redis:alpine";
+ cmd = [ "--save" "60" "1" "--loglevel" "warning" ];
+ autoStart = true;
+ volumes = [
+ "/var/lib/authentik/redis:/data"
+ ];
+ ports = [
+ "10.10.0.1:6379:6379"
+ ];
+ };
+ authentik-server = {
+ image = "ghcr.io/goauthentik/server:${version}";
+ environmentFiles = [ "/etc/secrets/authentik/container.env" ];
+ cmd = [ "server" ];
+ autoStart = true;
+ ports = [
+ # "10.10.0.1:9000:9000"
+ "10.10.0.1:9443:9443"
+ ];
+ };
+ authentik-worker = {
+ image = "ghcr.io/goauthentik/server:${version}";
+ environmentFiles = [ "/etc/secrets/authentik/container.env" ];
+ cmd = [ "worker" ];
+ autoStart = true;
+ volumes = [
+ "/var/lib/authentik/media:/media"
+ "/var/lib/authentik/certs:/certs"
+ "/var/lib/authentik/templates:/templates"
+ ];
+ };
+ authentik-ldap = {
+ image = "ghcr.io/goauthentik/ldap:${version}";
+ environmentFiles = [ "/etc/secrets/authentik/ldap.env" ];
+ autoStart = true;
+ ports = [
+ "389:3389"
+ "636:6636"
+ ];
+ };
+ authentik-proxy = {
+ image = "ghcr.io/goauthentik/proxy:${version}";
+ environmentFiles = [ "/etc/secrets/authentik/proxy.env" ];
+ autoStart = true;
+ ports = [
+ "10.10.0.1:9444:9443"
+ ];
+ };
+ };
+
+ # Allow binding of root ports for the ldap container
+ # systemd.services.podman-authentik-ldap = {
+ # serviceConfig = {
+ # AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+ # };
+ # };
+
+ security.acme.certs = {
+ "vapor.systems" = {
+ extraDomainNames = [ "*.vapor.systems" ];
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "auth.vapor.systems" = {
+ addSSL = true;
+ useACMEHost = "vapor.systems";
+ locations."/" = {
+ proxyPass = "https://10.10.0.1:9443/";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_pass_header Authorization;
+
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ proxy_set_header Upgrade $http_upgrade;
+ '';
+ };
+ };
+ };
+ };
+
+ services.postgresql = {
+ ensureDatabases = [ "authentik" ];
+
+ ensureUsers = [
+ {
+ name = "authentik";
+ ensurePermissions = { "DATABASE authentik" = "ALL PRIVILEGES"; };
+ }
+ ];
+ };
+ secrets = {
+ authentik = {
+ source = ../../secrets/authentik/container.env;
+ dest = "/etc/secrets/authentik/container.env";
+ };
+ authentik-ldap = {
+ source = ../../secrets/authentik/ldap.env;
+ dest = "/etc/secrets/authentik/ldap.env";
+ };
+ authentik-proxy = {
+ source = ../../secrets/authentik/proxy.env;
+ dest = "/etc/secrets/authentik/proxy.env";
+ };
+ };
}
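Review bot: The LDAP container's port mappings `"389:3389"` and `"636:6636"` carry no host address, so unlike every other container in this hunk (all bound to 10.10.0.1) the outpost is published on every interface, and 389 is the unencrypted LDAP port. If it is only meant to serve the same network as the rest, `"10.10.0.1:389:3389"` and `"10.10.0.1:636:6636"` keep the exposure consistent; if it is intentionally public, a comment on the `ports` list saying so would save the next reader from guessing. The commented-out `AmbientCapabilities` block beneath it also looks stale, since the privileged-port mappings remain in place with that block disabled, which suggests they bind without it; either drop the block or state why it is kept. Separately, the redis container is published on 10.10.0.1:6379 with no `--requirepass` in its `cmd`, so anything reachable on that address can read and write authentik's redis state unauthenticated; a password supplied through the same secrets mechanism, or a comment recording that 10.10.0.1 is a trusted-only address, would close that gap.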
diff --git a/modules/authentik/pyproject.diff b/modules/authentik/pyproject.diff
deleted file mode 100644
index 1a92468..0000000
--- a/modules/authentik/pyproject.diff
+++ /dev/null
@@ -1,28 +0,0 @@
---- a/pyproject.toml 2023-10-13 10:23:10.097492489 +0200
-+++ b/pyproject.toml 2023-10-13 10:28:17.249270967 +0200
-@@ -137,7 +137,6 @@
- djangorestframework-guardian = "*"
- docker = "*"
- drf-spectacular = "*"
--dumb-init = "*"
- duo-client = "*"
- facebook-sdk = "*"
- flower = "*"
-@@ -154,7 +153,7 @@
- pydantic = "<3.0.0"
- pydantic-scim = "^0.0.7"
- pyjwt = "*"
--python = "^3.11"
-+python = "^3.10"
- pyyaml = "*"
- requests-oauthlib = "*"
- sentry-sdk = "*"
-@@ -164,7 +163,7 @@
- twilio = "*"
- twisted = "*"
- ua-parser = "*"
--urllib3 = { extras = ["secure"], version = "*" }
-+urllib3 = "*"
- uvicorn = { extras = ["standard"], version = "*" }
- watchdog = "*"
- webauthn = "*"
diff --git a/modules/authentik/result b/modules/authentik/result
deleted file mode 120000
index 8b5b976..0000000
--- a/modules/authentik/result
+++ /dev/null
@@ -1 +0,0 @@
-/nix/store/s6d9g5p5kjzfxilajmwqsdzcs8l5i5zw-python3.10-authentik-2023.8.3 \ No newline at end of file
diff --git a/modules/default.nix b/modules/default.nix
index 6912276..60bb257 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -12,6 +12,7 @@
wireguard = import ./wireguard;
zfs = import ./zfs;
+ authentik = import ./authentik;
acme = import ./acme;
teamspeak = import ./teamspeak;
postgresql = import ./postgresql;