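{ self, config, lib, pkgs, ... }:
# Nothing from self.lib.nginx is referenced by name below; the `with` is kept
# for compatibility with whatever the surrounding tree expects.
with self.lib.nginx;
let
  # One pin for every goauthentik image: server, worker, ldap and proxy are
  # released together and must not drift apart.
  version = "2025.6.4";
  authentikImage = component: "ghcr.io/goauthentik/${component}:${version}";

  # Env files holding the Authentik credentials/tokens; they are written to
  # this location by the `secrets` block at the bottom of this module.
  secretEnv = name: "/etc/secrets/authentik/${name}.env";

  # Host address the container ports are published on. Every service except
  # LDAP is pinned to it. Presumably a private / non-routed interface — verify,
  # because redis and the authentik backends are reachable there without any
  # authentication (redis) or certificate validation (nginx -> 9443).
  bindAddr = "10.10.0.1";
in
{
  virtualisation.oci-containers.backend = "podman";

  virtualisation.oci-containers.containers = {
    # Redis: cache / session store for Authentik.
    # NOTE(review): `cmd` sets no `--requirepass`, so anything that can reach
    # 10.10.0.1:6379 talks to redis unauthenticated; this relies entirely on
    # that interface not being exposed beyond the host.
    authentik-redis = {
      image = "docker.io/library/redis:alpine";
      # Snapshot to disk every 60 s if at least one key changed; quiet logs.
      cmd = [ "--save" "60" "1" "--loglevel" "warning" ];
      autoStart = true;
      volumes = [ "/var/lib/authentik/redis:/data" ];
      ports = [ "${bindAddr}:6379:6379" ];
    };

    # Authentik web/API server. Only the TLS listener (9443) is published;
    # the plain-HTTP port 9000 stays unpublished (it was commented out).
    authentik-server = {
      image = authentikImage "server";
      environmentFiles = [ (secretEnv "container") ];
      cmd = [ "server" ];
      autoStart = true;
      ports = [
        # "10.10.0.1:9000:9000"
        "${bindAddr}:9443:9443"
      ];
    };

    # Background worker: same image and env file as the server, but it owns
    # the writable media/certs/templates directories instead of a port.
    authentik-worker = {
      image = authentikImage "server";
      environmentFiles = [ (secretEnv "container") ];
      cmd = [ "worker" ];
      autoStart = true;
      volumes = [
        "/var/lib/authentik/media:/media"
        "/var/lib/authentik/certs:/certs"
        "/var/lib/authentik/templates:/templates"
      ];
    };

    # LDAP outpost.
    # NOTE(review): these two mappings carry no host address, so podman
    # publishes 389 (plaintext LDAP) and 636 (LDAPS) on every host interface,
    # unlike the other services, which are pinned to 10.10.0.1. Pin them to
    # the interface LDAP clients actually use, or firewall them, unless
    # exposure on all interfaces is intended.
    authentik-ldap = {
      image = authentikImage "ldap";
      environmentFiles = [ (secretEnv "ldap") ];
      autoStart = true;
      # Memory cap for the container process.
      extraOptions = [ "-m=1000m" ];
      ports = [
        "389:3389"
        "636:6636"
      ];
    };

    # Forward-auth / reverse-proxy outpost; host port 9444 -> container 9443.
    authentik-proxy = {
      image = authentikImage "proxy";
      environmentFiles = [ (secretEnv "proxy") ];
      autoStart = true;
      ports = [ "${bindAddr}:9444:9443" ];
    };
  };

  # Allow binding of root ports for the ldap container.
  # Left disabled; presumably unneeded because the host-side port mapping is
  # done by podman rather than by the container process — confirm before
  # re-enabling.
  # systemd.services.podman-authentik-ldap = {
  #   serviceConfig = {
  #     AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
  #   };
  # };

  # Wildcard certificate that also covers auth.vapor.systems. Let's Encrypt
  # issues wildcards only via the DNS-01 challenge, which must be configured
  # elsewhere (not visible in this module).
  security.acme.certs."vapor.systems".extraDomainNames = [ "*.vapor.systems" ];

  services.nginx = {
    enable = true;
    virtualHosts."auth.vapor.systems" = {
      # forceSSL rather than addSSL: an identity provider must never accept a
      # login over plain HTTP, so port 80 only redirects to HTTPS.
      forceSSL = true;
      useACMEHost = "vapor.systems";
      locations."/" = {
        # Upstream is Authentik's own TLS listener on the bind interface.
        # nginx does not validate that certificate by default
        # (proxy_ssl_verify is off); acceptable only while this hop stays on
        # a non-routed interface.
        proxyPass = "https://${bindAddr}:9443/";
        proxyWebsockets = true;
        # proxyWebsockets already emits the Upgrade/Connection headers; the
        # explicit Upgrade line below is kept for parity with the previous
        # config and is harmless.
        extraConfig = ''
          proxy_pass_header Authorization;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header Host $host;
          proxy_set_header Upgrade $http_upgrade;
        '';
      };
    };
  };

  # Local database for Authentik; the role owns its database.
  services.postgresql = {
    ensureDatabases = [ "authentik" ];
    ensureUsers = [
      {
        name = "authentik";
        ensureDBOwnership = true;
      }
    ];
  };

  # Out-of-store placement of the env files referenced by the containers.
  # NOTE(review): `source` is a path literal; if the custom `secrets` module
  # interpolates it into a derivation or string, the file is copied into the
  # world-readable Nix store — confirm it is copied at activation time instead.
  secrets = {
    authentik = {
      source = ../../secrets/authentik/container.env;
      dest = secretEnv "container";
    };
    authentik-ldap = {
      source = ../../secrets/authentik/ldap.env;
      dest = secretEnv "ldap";
    };
    authentik-proxy = {
      source = ../../secrets/authentik/proxy.env;
      dest = secretEnv "proxy";
    };
  };
}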