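{ self, config, lib, pkgs, ... }:
{
  # authentik identity provider: the server/worker plus the LDAP and proxy
  # outposts, fronted by nginx and backed by the host's PostgreSQL.
  services.authentik = {
    enable = true;
    # The database is provisioned through services.postgresql below, so the
    # authentik module must not try to create it itself.
    createDatabase = false;
    # The environmentFile needs to be on the target host!
    # Best use something like sops-nix or agenix to manage it
    environmentFile = "/etc/secrets/authentik/container.env";
    settings = {
      # email = {
      #   host = "smtp.example.com";
      #   port = 587;
      #   username = "authentik@example.com";
      #   use_tls = true;
      #   use_ssl = false;
      #   from = "authentik@example.com";
      # };
      disable_startup_analytics = true;
      avatars = "initials";
    };
  };

  services.authentik-ldap = {
    enable = true;
    environmentFile = "/etc/secrets/authentik/ldap.env";
  };
  # The LDAP outpost binds privileged ports (389/636, see the firewall line
  # below). Grant only the capability needed for that and pin the bounding
  # set to it so the service cannot acquire anything further.
  systemd.services.authentik-ldap.serviceConfig = {
    AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
    CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
  };

  services.authentik-proxy = {
    enable = true;
    environmentFile = "/etc/secrets/authentik/proxy.env";
  };

  # LDAP/LDAPS stay closed on the host firewall unless explicitly opened.
  # networking.firewall.allowedTCPPorts = [ 389 636 ];

  # Wildcard certificate for the domain; a wildcard needs a DNS-01 challenge,
  # so the dnsProvider/credentials are presumably configured elsewhere.
  security.acme.certs = {
    "vapor.systems" = {
      extraDomainNames = [ "*.vapor.systems" ];
    };
  };

  services.nginx = {
    enable = true;
    virtualHosts."auth.vapor.systems" = {
      # forceSSL (instead of addSSL) redirects plain-HTTP requests to HTTPS,
      # so the login portal and its session cookies are never served in clear.
      forceSSL = true;
      useACMEHost = "vapor.systems";
      locations."/" = {
        # Upstream is the authentik server on its own HTTPS listener. nginx
        # does not check the upstream certificate unless proxy_ssl_verify is
        # configured; acceptable only if 10.10.0.1 is a trusted internal link.
        proxyPass = "https://10.10.0.1:9443/";
        # proxyWebsockets already emits the Upgrade/Connection headers; the
        # explicit Upgrade line in extraConfig is a harmless duplicate.
        proxyWebsockets = true;
        extraConfig = ''
          proxy_pass_header Authorization;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header Host $host;
          proxy_set_header Upgrade $http_upgrade;
        '';
      };
    };
  };

  # Database and role for authentik; the role owns the database so the
  # application can manage its own schema without superuser rights.
  services.postgresql = {
    ensureDatabases = [ "authentik" ];
    ensureUsers = [{
      name = "authentik";
      ensureDBOwnership = true;
    }];
  };

  # `secrets` is a module-specific option, not an upstream NixOS one.
  # NOTE(review): `source` is a Nix path literal; if the deploying module
  # coerces it to a string the file is copied into the world-readable Nix
  # store. Confirm the module ships the file out-of-band, as the
  # environmentFile comment above implies.
  secrets = {
    authentik = {
      source = ../../secrets/authentik/container.env;
      dest = "/etc/secrets/authentik/container.env";
    };
    authentik-ldap = {
      source = ../../secrets/authentik/ldap.env;
      dest = "/etc/secrets/authentik/ldap.env";
    };
    authentik-proxy = {
      source = ../../secrets/authentik/proxy.env;
      dest = "/etc/secrets/authentik/proxy.env";
    };
  };
}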