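{ self, config, lib, pkgs, ... }:
{
  # authentik identity provider: the server itself, an LDAP outpost and a proxy
  # outpost, fronted by nginx on auth.vapor.systems. The database is provisioned
  # through services.postgresql.ensure* further down, not by the authentik module.
  services.authentik = {
    enable = true;
    createDatabase = false;
    # The environmentFile needs to be on the target host!
    # Best use something like sops-nix or agenix to manage it
    environmentFile = "/etc/secrets/authentik/container.env";
    settings = {
      # email = {
      #   host = "smtp.example.com";
      #   port = 587;
      #   username = "authentik@example.com";
      #   use_tls = true;
      #   use_ssl = false;
      #   from = "authentik@example.com";
      # };
      disable_startup_analytics = true;
      avatars = "initials";
    };
  };

  # LDAP outpost; its own environment file holds the outpost token.
  services.authentik-ldap = {
    enable = true;
    environmentFile = "/etc/secrets/authentik/ldap.env";
  };

  # Allow the outpost to bind privileged ports (389/636) without running as root;
  # the bounding set is restricted to the same single capability.
  systemd.services.authentik-ldap.serviceConfig = {
    AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
    CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
  };

  # Proxy outpost; separate environment file with its own token.
  services.authentik-proxy = {
    enable = true;
    environmentFile = "/etc/secrets/authentik/proxy.env";
  };

  # LDAP ports are deliberately not opened in the firewall here.
  # networking.firewall.allowedTCPPorts = [ 389 636 ];

  # NOTE(review): a wildcard SAN requires a DNS-01 challenge; the dnsProvider
  # configuration is not in this file — confirm it is set elsewhere.
  security.acme.certs = {
    "vapor.systems" = {
      extraDomainNames = [ "*.vapor.systems" ];
    };
  };

  services.nginx = {
    enable = true;
    virtualHosts = {
      "auth.vapor.systems" = {
        # forceSSL redirects plain HTTP to HTTPS instead of serving the login
        # portal on port 80 as well (which addSSL would do).
        forceSSL = true;
        useACMEHost = "vapor.systems";
        locations."/" = {
          # NOTE(review): the upstream is reached over HTTPS; nginx does not
          # verify the upstream certificate unless proxy_ssl_verify is enabled —
          # confirm that is acceptable for this hop.
          proxyPass = "https://10.10.0.1:9443/";
          # proxyWebsockets already sets the Upgrade/Connection headers; the
          # explicit Upgrade line below is kept for compatibility.
          proxyWebsockets = true;
          extraConfig = ''
            proxy_pass_header Authorization;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_set_header Upgrade $http_upgrade;
          '';
        };
      };
    };
  };

  # Database and role for authentik; ownership is granted to the role of the same name.
  services.postgresql = {
    ensureDatabases = [ "authentik" ];
    ensureUsers = [{
      name = "authentik";
      ensureDBOwnership = true;
    }];
  };

  # NOTE(review): `secrets` is a custom option whose implementation is not shown.
  # If it coerces `source` to a string, these path literals are copied into the
  # world-readable Nix store — confirm the option copies the files out-of-band.
  secrets = {
    authentik = {
      source = ../../secrets/authentik/container.env;
      dest = "/etc/secrets/authentik/container.env";
    };
    authentik-ldap = {
      source = ../../secrets/authentik/ldap.env;
      dest = "/etc/secrets/authentik/ldap.env";
    };
    authentik-proxy = {
      source = ../../secrets/authentik/proxy.env;
      dest = "/etc/secrets/authentik/proxy.env";
    };
  };
}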