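# NixOS module: the authentik identity provider (server + worker) and its
# PostgreSQL database as OCI containers on the shared `docker-main` network,
# fronted by Traefik. Active only when both `sysconfig.docker.authentik.enable`
# and the site-wide `sysconfig.docker.enable` are set.
{ config, lib, ... }:
let
  cfg = config.sysconfig.docker.authentik;

  # Host-side port Traefik is pointed at; mapped onto authentik's HTTP port 9000.
  hostPort = 9005;
  subdomain = "auth2";
  name = "authentik";
  fqdn = "${subdomain}.esotericbytes.com";

  authentikImage = "ghcr.io/goauthentik/server:2025.12.1"; # unstable, waiting for 26.05

  # Container name of the database. The runtime names each container after its
  # attribute here, and containers on a user-defined network resolve each other
  # by that name, so authentik reaches PostgreSQL through this host name.
  dbContainer = "authentik-db";

  # Settings shared by the server and worker containers; only `cmd`, the
  # Traefik labels, the published port and the static IP differ between them.
  authentikCommon = {
    image = authentikImage;
    #pull = "newer";
    hostname = fqdn;
    networks = [ "docker-main" ];
    # Only AUTHENTIK_* values are handed to these containers (least privilege:
    # the database container never sees AUTHENTIK_SECRET_KEY, see below).
    environmentFiles = [ config.sops.templates."authentik.env".path ];
  };
in
{
  options.sysconfig.docker.authentik.enable =
    lib.mkEnableOption "the authentik identity provider container stack";

  config = lib.mkIf (cfg.enable && config.sysconfig.docker.enable) {
    # Open the published port in the host firewall on the Traefik veth only.
    # NOTE(review): the container runtime publishes `ports` on every host
    # address and installs its own forwarding rules independently of this
    # filter — confirm against the live ruleset, and bind the `ports` entry to
    # a specific host address if it must be reachable from ve-traefik alone.
    networking.firewall.interfaces."ve-traefik".allowedTCPPorts = [ hostPort ];

    /* system.activationScripts.setupAuthentikNet = ''
      ${pkgs.docker}/bin/docker network ls | grep docker-main || ${pkgs.docker}/bin/docker network create -d bridge docker-main \
        --attachable --subnet 192.168.102.0/24 --ip-range 192.168.102.0/24 \
        --gateway 192.168.102.1 \
        -o "com.docker.network.bridge.name"="docker-main" \
        -o "com.docker.network.bridge.trusted_host_interfaces"="wt0:ve-netbird:ve-traefik"
    ''; */

    # Secrets are substituted into the env files at activation time via
    # sops-nix placeholders; the rendered files never enter the Nix store.
    sops.secrets = {
      "authentik/pass" = { };
      "authentik/secret_key" = { };
    };

    # Two templates so each container receives only the variables it needs:
    # the database gets the POSTGRES_* bootstrap values, authentik gets its own
    # connection settings plus the signing key.
    sops.templates."authentik-db.env" = {
      content = ''
        POSTGRES_DB=authentik-db
        POSTGRES_USER=authentik-admin
        POSTGRES_PASSWORD=${config.sops.placeholder."authentik/pass"}
      '';
    };

    sops.templates."authentik.env" = {
      content = ''
        AUTHENTIK_SECRET_KEY=${config.sops.placeholder."authentik/secret_key"}
        AUTHENTIK_POSTGRESQL__HOST=${dbContainer}
        AUTHENTIK_POSTGRESQL__NAME=authentik-db
        AUTHENTIK_POSTGRESQL__USER=authentik-admin
        AUTHENTIK_POSTGRESQL__PASSWORD=${config.sops.placeholder."authentik/pass"}
      '';
    };

    virtualisation.oci-containers.containers = {
      authentik-server = authentikCommon // {
        # The image's entrypoint dispatches on its first argument; without it
        # there is no long-running process and the container exits at start.
        cmd = [ "server" ];
        labels = {
          "traefik.http.routers.${name}.entrypoints" = "localsecure";
          "traefik.http.routers.${name}.rule" = "Host(`${fqdn}`)";
          "traefik.http.routers.${name}.service" = name;
          "traefik.http.routers.${name}.tls.certResolver" = "cloudflare";
          # Traefik reaches authentik through the host-published port rather
          # than the container address.
          "traefik.http.services.${name}.loadbalancer.server.url" =
            "http://192.168.100.10:${toString hostPort}";
        };
        # NOTE(review): these static addresses are in 192.168.101.0/24 while the
        # commented-out network definition above uses 192.168.102.0/24 —
        # confirm they match the live `docker-main` subnet.
        extraOptions = lib.mkIf config.sysconfig.docker.nvidia [ "--ip=192.168.101.8" ];
        ports = [ "${toString hostPort}:9000" ];
      };

      authentik-worker = authentikCommon // {
        cmd = [ "worker" ];
        extraOptions = lib.mkIf config.sysconfig.docker.nvidia [ "--ip=192.168.101.9" ];
      };

      ${dbContainer} = {
        image = "docker.io/library/postgres:16-alpine"; # unstable, waiting for 26.05
        #pull = "newer";
        hostname = fqdn;
        networks = [ "docker-main" ];
        extraOptions = lib.mkIf config.sysconfig.docker.nvidia [ "--ip=192.168.101.10" ];
        # Named volume (constructed name) for the data directory of the
        # postgres:16 image; without it every container recreation starts with
        # an empty cluster and all authentik state is lost.
        volumes = [ "authentik-db-data:/var/lib/postgresql/data" ];
        environmentFiles = [ config.sops.templates."authentik-db.env".path ];
      };
    };
  };
}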