From 9e30ed04224144829d946335f3d43353aff24bc9 Mon Sep 17 00:00:00 2001
From: Max Audron
Date: Fri, 13 Oct 2023 17:36:53 +0200
Subject: deploy authentik

---
 modules/authentik/default.nix | 118 +++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 117 insertions(+), 1 deletion(-)
 (limited to 'modules/authentik/default.nix')

diff --git a/modules/authentik/default.nix b/modules/authentik/default.nix
index 865d469..5291235 100644
--- a/modules/authentik/default.nix
+++ b/modules/authentik/default.nix
@@ -1,5 +1,121 @@
-{ config, lib, pkgs, ... }:
+{ self, config, lib, pkgs, ... }:
+with self.lib.nginx;
+
+let version = "2023.8.3";
+in {
+ virtualisation.oci-containers.backend = "podman";
+ virtualisation.oci-containers.containers = {
+ authentik-redis = {
+ image = "docker.io/library/redis:alpine";
+ cmd = [ "--save" "60" "1" "--loglevel" "warning" ];
+ autoStart = true;
+ volumes = [
+ "/var/lib/authentik/redis:/data"
+ ];
+ ports = [
+ "10.10.0.1:6379:6379"
+ ];
+ };
+ authentik-server = {
+ image = "ghcr.io/goauthentik/server:${version}";
+ environmentFiles = [ "/etc/secrets/authentik/container.env" ];
+ cmd = [ "server" ];
+ autoStart = true;
+ ports = [
+ # "10.10.0.1:9000:9000"
+ "10.10.0.1:9443:9443"
+ ];
+ };
+ authentik-worker = {
+ image = "ghcr.io/goauthentik/server:${version}";
+ environmentFiles = [ "/etc/secrets/authentik/container.env" ];
+ cmd = [ "worker" ];
+ autoStart = true;
+ volumes = [
+ "/var/lib/authentik/media:/media"
+ "/var/lib/authentik/certs:/certs"
+ "/var/lib/authentik/templates:/templates"
+ ];
+ };
+ authentik-ldap = {
+ image = "ghcr.io/goauthentik/ldap:${version}";
+ environmentFiles = [ "/etc/secrets/authentik/ldap.env" ];
+ autoStart = true;
+ ports = [
+ "389:3389"
+ "636:6636"
+ ];
+ };
+ authentik-proxy = {
+ image = "ghcr.io/goauthentik/proxy:${version}";
+ environmentFiles = [ "/etc/secrets/authentik/proxy.env" ];
+ autoStart = true;
+ ports = [
+ "10.10.0.1:9444:9443"
+ ];
+ };
+ };
+
+ # Allow binding of root ports for the ldap container
+ # systemd.services.podman-authentik-ldap = {
+ # serviceConfig = {
+ # AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+ # };
+ # };
+
+ security.acme.certs = {
+ "vapor.systems" = {
+ extraDomainNames = [ "*.vapor.systems" ];
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "auth.vapor.systems" = {
+ addSSL = true;
+ useACMEHost = "vapor.systems";
+ locations."/" = {
+ proxyPass = "https://10.10.0.1:9443/";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_pass_header Authorization;
+
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ proxy_set_header Upgrade $http_upgrade;
+ '';
+ };
+ };
+ };
+ };
+
+ services.postgresql = {
+ ensureDatabases = [ "authentik" ];
+
+ ensureUsers = [
+ {
+ name = "authentik";
+ ensurePermissions = { "DATABASE authentik" = "ALL PRIVILEGES"; };
+ }
+ ];
+ };
+ secrets = {
+ authentik = {
+ source = ../../secrets/authentik/container.env;
+ dest = "/etc/secrets/authentik/container.env";
+ };
+ authentik-ldap = {
+ source = ../../secrets/authentik/ldap.env;
+ dest = "/etc/secrets/authentik/ldap.env";
+ };
+ authentik-proxy = {
+ source = ../../secrets/authentik/proxy.env;
+ dest = "/etc/secrets/authentik/proxy.env";
+ };
+ };
 }
-- cgit v1.2.3
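Review bot: The authentik-ldap container publishes `"389:3389"` and `"636:6636"` with no host address, so unlike every other container in this hunk (all bound to 10.10.0.1) the LDAP outpost listens on every interface, and 389 is plaintext LDAP that carries bind credentials. Give both mappings the same address, `"10.10.0.1:389:3389"` and `"10.10.0.1:636:6636"`, or restrict them with the host firewall, and consider dropping the 389 mapping entirely if clients can use LDAPS. In the nginx vhost, `addSSL = true` keeps serving the login UI over plain HTTP on port 80 alongside HTTPS; `forceSSL = true;` redirects to HTTPS instead. The redis `cmd` also passes no `--requirepass`, so if the image is otherwise unconfigured the session/cache store on 10.10.0.1:6379 accepts unauthenticated connections from anything that can reach that interface — worth adding a password (and the matching redis password setting in container.env) or keeping redis off the host network entirely.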