Blunkall-Technologies/Olympus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

begin work on authentik again

Browse Source
This commit is contained in:
Nathan
2026-01-27 17:42:00 -06:00
parent 89328fe7e7
commit d7875217bd
6 changed files with 217 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

147
system/virtualization/docker/authentik/default.nix
View File

@@ -1 +1,146 @@
{ ... }: {}
{ config, lib, ... }: let
hostPort = 9005;
subdomain = "auth2";
name = "authentik";
in {
options.sysconfig.docker.authentik.enable = with lib; mkOption {
type = with types; bool;
default = false;
};
config = lib.mkIf (config.sysconfig.docker.authentik.enable && config.sysconfig.docker.enable) {
networking.firewall.interfaces = {
"ve-traefik" = {
allowedTCPPorts = [ hostPort ];
};
};
/*
system.activationScripts.setupAuthentikNet = ''
${pkgs.docker}/bin/docker network ls | grep docker-main ||
${pkgs.docker}/bin/docker network create -d bridge docker-main \
--attachable --subnet 192.168.102.0/24 --ip-range 192.168.102.0/24 \
--gateway 192.168.102.1 \
-o "com.docker.network.bridge.name"="docker-main" \
-o "com.docker.network.bridge.trusted_host_interfaces"="wt0:ve-netbird:ve-traefik"
'';
*/
sops.secrets = {
"authentik/pass" = {};
"authentik/secret_key" = {};
};
sops.templates."authentik.env" = {
content = ''
POSTGRES_DB=authentik-db
POSTGRES_USER=authentik-admin
POSTGRES_PASSWORD=${config.sops.placeholder."authentik/pass"}
AUTHENTIK_SECRET_KEY=${config.sops.placeholder."authentik/secret_key"}
AUTHENTIK_POSTGRESQL__NAME=authentik-db
AUTHENTIK_POSTGRESQL__USER=authentik-admin
AUTHENTIK_POSTGRESQL__PASSWORD=${config.sops.placeholder."authentik/pass"}
'';
};
virtualisation.oci-containers.containers.authentik-server = {
image = "ghcr.io/goauthentik/server:2025.12.1";
# unstable, waiting for 26.05
#pull = "newer";
hostname = "${subdomain}.esotericbytes.com";
networks = [
"docker-main"
];
labels = {
"traefik.http.routers.${name}.entrypoints" = "localsecure";
"traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)";
"traefik.http.routers.${name}.service" = "${name}";
"traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
"traefik.http.services.${name}.loadbalancer.server.url" = "http://192.168.100.10:${builtins.toString hostPort}";
};
extraOptions = lib.mkIf config.sysconfig.docker.nvidia [
"--ip=192.168.101.8"
];
ports = [
"${builtins.toString hostPort}:9000"
];
volumes = [
];
environment = {
};
environmentFiles = [ config.sops.templates."authentik.env".path ];
};
virtualisation.oci-containers.containers.authentik-worker = {
image = "ghcr.io/goauthentik/server:2025.12.1";
# unstable, waiting for 26.05
#pull = "newer";
hostname = "${subdomain}.esotericbytes.com";
networks = [
"docker-main"
];
extraOptions = lib.mkIf config.sysconfig.docker.nvidia [
"--ip=192.168.101.9"
];
ports = [
];
volumes = [
];
environment = {
};
environmentFiles = [ config.sops.templates."authentik.env".path ];
};
virtualisation.oci-containers.containers.authentik-db = {
image = "docker.io/library/postgres:16-alpine";
# unstable, waiting for 26.05
#pull = "newer";
hostname = "${subdomain}.esotericbytes.com";
networks = [
"docker-main"
];
extraOptions = lib.mkIf config.sysconfig.docker.nvidia [
"--ip=192.168.101.10"
];
ports = [
];
volumes = [
];
environment = {
};
environmentFiles = [ config.sops.templates."authentik.env".path ];
};
};
}