diff --git a/system/virtualization/containers/authentik/default.nix b/system/virtualization/containers/authentik/default.nix index d814024..98d0d03 100644 --- a/system/virtualization/containers/authentik/default.nix +++ b/system/virtualization/containers/authentik/default.nix @@ -1,4 +1,4 @@ -{ config, lib, sops-nix, ... }: { +{ config, lib, ... }: { options.sysconfig.containers.authentik.enable = lib.options.mkOption { type = lib.types.bool; diff --git a/system/virtualization/docker/authentik/default.nix b/system/virtualization/docker/authentik/default.nix index 8a37a28..152598d 100644 --- a/system/virtualization/docker/authentik/default.nix +++ b/system/virtualization/docker/authentik/default.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: let +{ config, lib, pkgs, ... }: let hostPort = 9005; @@ -21,17 +21,6 @@ in { }; }; -/* - system.activationScripts.setupAuthentikNet = '' - ${pkgs.docker}/bin/docker network ls | grep docker-main || - ${pkgs.docker}/bin/docker network create -d bridge docker-main \ - --attachable --subnet 192.168.102.0/24 --ip-range 192.168.102.0/24 \ - --gateway 192.168.102.1 \ - -o "com.docker.network.bridge.name"="docker-main" \ - -o "com.docker.network.bridge.trusted_host_interfaces"="wt0:ve-netbird:ve-traefik" - ''; -*/ - sops.secrets = { "authentik/pass" = {}; "authentik/secret_key" = {}; 
@@ -39,28 +28,68 @@ in { sops.templates."authentik.env" = { content = '' - POSTGRES_DB=authentik-db - POSTGRES_USER=authentik-admin - POSTGRES_PASSWORD=${config.sops.placeholder."authentik/pass"} - AUTHENTIK_SECRET_KEY=${config.sops.placeholder."authentik/secret_key"} - AUTHENTIK_POSTGRESQL__NAME=authentik-db - AUTHENTIK_POSTGRESQL__USER=authentik-admin - AUTHENTIK_POSTGRESQL__PASSWORD=${config.sops.placeholder."authentik/pass"} + PG_PASS=${config.sops.placeholder."authentik/pass"} + SECRET_KEY=${config.sops.placeholder."authentik/secret_key"} ''; }; - virtualisation.oci-containers.containers.authentik-server = { - image = "ghcr.io/goauthentik/server:2025.12.1"; +###################################################################################### +# Containers - # unstable, waiting for 26.05 - #pull = "newer"; - - hostname = "${subdomain}.esotericbytes.com"; - - networks = [ - "docker-main" + virtualisation.oci-containers.containers."authentik-postgresql" = { + image = "docker.io/library/postgres:16-alpine"; + environment = { + "POSTGRES_DB" = "authentik"; + "POSTGRES_PASSWORD" = "\${PG_PASS}"; + "POSTGRES_USER" = "authentik"; + }; + environmentFiles = [ config.sops.templates."authentik.env".path ]; + volumes = [ + "authentik_database:/var/lib/postgresql/data:rw" ]; - + log-driver = "journald"; + extraOptions = [ + "--health-cmd=pg_isready -d \${POSTGRES_DB} -U \${POSTGRES_USER}" + "--health-interval=30s" + "--health-retries=5" + "--health-start-period=20s" + "--health-timeout=5s" + "--network-alias=postgresql" + "--network=authentik_default" + ]; + }; + systemd.services."docker-authentik-postgresql" = { + serviceConfig = { + Restart = lib.mkOverride 90 "always"; + RestartMaxDelaySec = lib.mkOverride 90 "1m"; + RestartSec = lib.mkOverride 90 "100ms"; + RestartSteps = lib.mkOverride 90 9; + }; + after = [ + "docker-network-authentik_default.service" + "docker-volume-authentik_database.service" + ]; + requires = [ + "docker-network-authentik_default.service" + 
"docker-volume-authentik_database.service" + ]; + partOf = [ + "docker-compose-authentik-root.target" + ]; + wantedBy = [ + "docker-compose-authentik-root.target" + ]; + }; + virtualisation.oci-containers.containers."authentik-server" = { + image = "ghcr.io/goauthentik/server:2025.12.1"; + environment = { + "AUTHENTIK_POSTGRESQL__HOST" = "postgresql"; + "AUTHENTIK_POSTGRESQL__NAME" = "authentik"; + "AUTHENTIK_POSTGRESQL__PASSWORD" = "\${PG_PASS}"; + "AUTHENTIK_POSTGRESQL__USER" = "authentik"; + "AUTHENTIK_SECRET_KEY" = "\${SECRET_KEY}"; + }; + environmentFiles = [ config.sops.templates."authentik.env".path ]; labels = { "traefik.http.routers.${name}.entrypoints" = "localsecure"; "traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)"; 
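Review bot: The `"\${PG_PASS}"` and `"\${SECRET_KEY}"` values in the `environment` attrsets (authentik-postgresql and authentik-server here, authentik-worker in the next hunk) reach `docker run -e` as literal text, and Docker does not interpolate `${VAR}` references inside `-e` values; `environmentFiles` only sets `PG_PASS`/`SECRET_KEY` next to them. Unless something in the images expands that text (the postgres entrypoint does not, as far as I can tell), the database is initialised with the literal string as its password and authentik signs sessions and tokens with a constant, publicly readable secret key, while the sops-managed values are never used. The old template content had this right: keep the real keys in `sops.templates."authentik.env"`, e.g. `POSTGRES_PASSWORD=${config.sops.placeholder."authentik/pass"}`, `AUTHENTIK_POSTGRESQL__PASSWORD=${config.sops.placeholder."authentik/pass"}` and `AUTHENTIK_SECRET_KEY=${config.sops.placeholder."authentik/secret_key"}`, and drop the three `\${...}` entries from each `environment`. The `--health-cmd` is unaffected because it is run by the container's shell, where `${POSTGRES_DB}` does expand.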
@@ -69,78 +98,135 @@ in { "traefik.http.services.${name}.loadbalancer.server.url" = "http://192.168.100.10:${builtins.toString hostPort}"; }; - - extraOptions = lib.mkIf config.sysconfig.docker.nvidia [ + volumes = [ + "/etc/Authentik/custom-templates:/templates:rw" + "/etc/Authentik/data:/data:rw" + ]; + ports = [ + "${builtins.toString hostPort}:9000/tcp" + #"9443:9443/tcp" + ]; + cmd = [ "server" ]; + dependsOn = [ + "authentik-postgresql" + ]; + log-driver = "journald"; + extraOptions = [ + "--network-alias=server" + "--network=authentik_default" "--ip=192.168.101.8" ]; - - ports = [ - "${builtins.toString hostPort}:9000" + networks = [ + "docker-main" ]; - - volumes = [ - ]; - - environment = { - }; - - environmentFiles = [ config.sops.templates."authentik.env".path ]; }; - - virtualisation.oci-containers.containers.authentik-worker = { + systemd.services."docker-authentik-server" = { + serviceConfig = { + Restart = lib.mkOverride 90 "always"; + RestartMaxDelaySec = lib.mkOverride 90 "1m"; + RestartSec = lib.mkOverride 90 "100ms"; + RestartSteps = lib.mkOverride 90 9; + }; + after = [ + "docker-network-authentik_default.service" + "docker-network-setup.service" + ]; + requires = [ + "docker-network-authentik_default.service" + "docker-network-setup.service" + ]; + partOf = [ + "docker-compose-authentik-root.target" + ]; + wantedBy = [ + "docker-compose-authentik-root.target" + ]; + }; + virtualisation.oci-containers.containers."authentik-worker" = { image = "ghcr.io/goauthentik/server:2025.12.1"; - - # unstable, waiting for 26.05 - #pull = "newer"; - - hostname = "${subdomain}.esotericbytes.com"; - - networks = [ - "docker-main" - ]; - - extraOptions = lib.mkIf config.sysconfig.docker.nvidia [ - "--ip=192.168.101.9" - ]; - - ports = [ - ]; - - volumes = [ - ]; - environment = { + "AUTHENTIK_POSTGRESQL__HOST" = "postgresql"; + "AUTHENTIK_POSTGRESQL__NAME" = "authentik"; + "AUTHENTIK_POSTGRESQL__PASSWORD" = "\${PG_PASS}"; + "AUTHENTIK_POSTGRESQL__USER" = 
"authentik"; + "AUTHENTIK_SECRET_KEY" = "\${SECRET_KEY}"; }; - environmentFiles = [ config.sops.templates."authentik.env".path ]; + volumes = [ + "/etc/Authentik/certs:/certs:rw" + "/etc/Authentik/custom-templates:/templates:rw" + "/etc/Authentik/data:/data:rw" + "/var/run/docker.sock:/var/run/docker.sock:rw" + ]; + cmd = [ "worker" ]; + dependsOn = [ + "authentik-postgresql" + ]; + user = "root"; + log-driver = "journald"; + extraOptions = [ + "--network-alias=worker" + "--network=authentik_default" + ]; + }; + systemd.services."docker-authentik-worker" = { + serviceConfig = { + Restart = lib.mkOverride 90 "always"; + RestartMaxDelaySec = lib.mkOverride 90 "1m"; + RestartSec = lib.mkOverride 90 "100ms"; + RestartSteps = lib.mkOverride 90 9; + }; + after = [ + "docker-network-authentik_default.service" + ]; + requires = [ + "docker-network-authentik_default.service" + ]; + partOf = [ + "docker-compose-authentik-root.target" + ]; + wantedBy = [ + "docker-compose-authentik-root.target" + ]; }; - virtualisation.oci-containers.containers.authentik-db = { - image = "docker.io/library/postgres:16-alpine"; - - # unstable, waiting for 26.05 - #pull = "newer"; - - hostname = "${subdomain}.esotericbytes.com"; - - networks = [ - "docker-main" - ]; - - extraOptions = lib.mkIf config.sysconfig.docker.nvidia [ - "--ip=192.168.101.10" - ]; - - ports = [ - ]; - - volumes = [ - ]; - - environment = { +# Networks + systemd.services."docker-network-authentik_default" = { + path = [ pkgs.docker ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStop = "docker network rm -f authentik_default"; }; - - environmentFiles = [ config.sops.templates."authentik.env".path ]; + script = '' + docker network inspect authentik_default || docker network create authentik_default + ''; + partOf = [ "docker-compose-authentik-root.target" ]; + wantedBy = [ "docker-compose-authentik-root.target" ]; + }; + +# Volumes + systemd.services."docker-volume-authentik_database" = { + path 
= [ pkgs.docker ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + script = '' + docker volume inspect authentik_database || docker volume create authentik_database --driver=local + ''; + partOf = [ "docker-compose-authentik-root.target" ]; + wantedBy = [ "docker-compose-authentik-root.target" ]; + }; + +# Root service +# When started, this will automatically create all resources and start +# the containers. When stopped, this will teardown all resources. + systemd.targets."docker-compose-authentik-root" = { + unitConfig = { + Description = "Root target generated by compose2nix."; + }; + wantedBy = [ "multi-user.target" ]; }; }; } diff --git a/system/virtualization/docker/default.nix b/system/virtualization/docker/default.nix index becaab1..3fd24d3 100644 --- a/system/virtualization/docker/default.nix +++ b/system/virtualization/docker/default.nix 
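Review bot: The authentik-worker container mounts `/var/run/docker.sock:/var/run/docker.sock:rw` and runs with `user = "root"`, which gives the worker full control of the Docker daemon and therefore effective root on the host; a compromise of the worker (or of an authentik admin account that can deploy outposts) is a host compromise. That mount exists only for the Docker outpost integration, so if outposts are not deployed through this daemon, remove the socket line and the `user = "root"` line; if they are, front the socket with a restricted proxy that exposes only the container-management endpoints the worker needs, and add a comment stating why root and the socket are required. Separately, authentik-server now receives `--network=authentik_default` from `extraOptions` as well as `docker-main` from `networks` together with `--ip=192.168.101.8`; I believe `docker run` rejects a bare `--ip` once more than one `--network` is given, so this should be verified on the host (the IP belongs to the docker-main subnet and would need to be attached to that network).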
@@ -36,13 +36,26 @@ hardware.nvidia-container-toolkit.enable = config.sysconfig.docker.nvidia; - system.activationScripts.setupDockerNet = '' - ${pkgs.docker}/bin/docker network ls | grep docker-main || - ${pkgs.docker}/bin/docker network create -d bridge docker-main \ - --attachable --subnet 192.168.101.0/24 --ip-range 192.168.101.0/24 \ - --gateway 192.168.101.1 \ - -o "com.docker.network.bridge.name"="docker-main" \ - -o "com.docker.network.bridge.trusted_host_interfaces"="wt0:ve-netbird:ve-traefik" - ''; + systemd.services."docker-network-setup" = { + path = [ pkgs.docker ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStop = "docker network rm -f docker-main"; + }; + script = '' + docker network inspect docker-main || + docker network create -d bridge docker-main \ + --attachable --subnet 192.168.101.0/24 --ip-range 192.168.101.0/24 \ + --gateway 192.168.101.1 \ + -o "com.docker.network.bridge.name"="docker-main" \ + -o "com.docker.network.bridge.trusted_host_interfaces"="wt0:ve-netbird:ve-traefik" + ''; + wantedBy = [ "docker-net.target" ]; + }; + + systemd.targets."docker-net" = { + wantedBy = [ "multi-user.target" ]; + }; }; }
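Review bot: `docker-network-setup` calls `docker network inspect` in a oneshot with no ordering on the Docker daemon, so at boot it can run before `docker.service` is up, fail, and take every unit that now has `requires = [ "docker-network-setup.service" ]` (authentik-server in the previous hunk) down with it. Add `after = [ "docker.service" ];` and `requires = [ "docker.service" ];` to this service; the same applies to `docker-network-authentik_default` and `docker-volume-authentik_database` in the previous hunk. The `ExecStop = "docker network rm -f docker-main"` also means that restarting this unit (for example on a `nixos-rebuild switch` that changes it) tries to delete a bridge that other containers and the listed trusted host interfaces are still attached to; I would expect that to fail or disrupt them, so consider whether the teardown is wanted for a shared network at all.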