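{ config, lib, ... }:
let
  cfg = config.sysconfig.docker.authentik;

  # Host port traefik reaches the authentik server on; the container itself
  # listens on 9000 (see the `ports` mapping of authentik-server below).
  hostPort = 9005;
  subdomain = "auth2";
  name = "authentik";
  fqdn = "${subdomain}.esotericbytes.com";

  authentikImage = "ghcr.io/goauthentik/server:2025.12.1";

  # Container name of the database. oci-containers names the container after
  # the attribute, and Docker's embedded DNS resolves container names for the
  # other containers attached to the same user-defined network (docker-main).
  dbName = "authentik-db";

  # Shared skeleton for the three containers: same image handling, hostname and
  # network; `ip` is the static address on docker-main and `extra` adds or
  # overrides the per-container attributes (ports, labels, env file, ...).
  mkContainer = { image, ip, extra ? { } }: {
    inherit image;

    # unstable, waiting for 26.05
    #pull = "newer";

    hostname = fqdn;
    networks = [ "docker-main" ];

    # NOTE(review): the static IP is only applied when the nvidia flag is set,
    # exactly as in the original module — confirm this coupling is intended.
    extraOptions = lib.mkIf config.sysconfig.docker.nvidia [ "--ip=${ip}" ];

    ports = [ ];
    volumes = [ ];
    environment = { };
  } // extra;
in
{
  options.sysconfig.docker.authentik.enable =
    lib.mkEnableOption "the authentik identity provider containers (server, worker, database)";

  config = lib.mkIf (cfg.enable && config.sysconfig.docker.enable) {
    # Only traefik's side of the veth pair may reach the published host port;
    # every other interface keeps the default firewall policy.
    networking.firewall.interfaces."ve-traefik".allowedTCPPorts = [ hostPort ];

    /*
    NOTE(review): kept disabled as found; `pkgs` is not in this module's
    argument list, so re-enabling it would also need `pkgs` added above.

    system.activationScripts.setupAuthentikNet = ''
    ${pkgs.docker}/bin/docker network ls | grep docker-main ||
    ${pkgs.docker}/bin/docker network create -d bridge docker-main \
    --attachable --subnet 192.168.102.0/24 --ip-range 192.168.102.0/24 \
    --gateway 192.168.102.1 \
    -o "com.docker.network.bridge.name"="docker-main" \
    -o "com.docker.network.bridge.trusted_host_interfaces"="wt0:ve-netbird:ve-traefik"
    '';
    */

    sops.secrets = {
      "authentik/pass" = { };
      "authentik/secret_key" = { };
    };

    # Least privilege: each container only receives the variables it needs.
    # The database container never sees AUTHENTIK_SECRET_KEY, and the authentik
    # containers never see the raw POSTGRES_* bootstrap settings.
    sops.templates."authentik-db.env".content = ''
      POSTGRES_DB=${dbName}
      POSTGRES_USER=authentik-admin
      POSTGRES_PASSWORD=${config.sops.placeholder."authentik/pass"}
    '';

    # AUTHENTIK_POSTGRESQL__HOST is set explicitly: authentik defaults to
    # localhost, which is a different network namespace from the db container.
    sops.templates."authentik.env".content = ''
      AUTHENTIK_SECRET_KEY=${config.sops.placeholder."authentik/secret_key"}
      AUTHENTIK_POSTGRESQL__HOST=${dbName}
      AUTHENTIK_POSTGRESQL__NAME=${dbName}
      AUTHENTIK_POSTGRESQL__USER=authentik-admin
      AUTHENTIK_POSTGRESQL__PASSWORD=${config.sops.placeholder."authentik/pass"}
    '';

    virtualisation.oci-containers.containers = {
      authentik-server = mkContainer {
        image = authentikImage;
        ip = "192.168.101.8";
        extra = {
          # Start (and restart) ordering: the server is useless without its database.
          dependsOn = [ dbName ];

          labels = {
            "traefik.http.routers.${name}.entrypoints" = "localsecure";
            "traefik.http.routers.${name}.rule" = "Host(`${fqdn}`)";
            "traefik.http.routers.${name}.service" = name;
            "traefik.http.routers.${name}.tls.certResolver" = "cloudflare";

            # traefik terminates TLS and talks plain HTTP to the host-published
            # port over the host interface.
            "traefik.http.services.${name}.loadbalancer.server.url" =
              "http://192.168.100.10:${toString hostPort}";
          };

          ports = [ "${toString hostPort}:9000" ];

          environmentFiles = [ config.sops.templates."authentik.env".path ];
        };
      };

      authentik-worker = mkContainer {
        image = authentikImage;
        ip = "192.168.101.9";
        extra = {
          dependsOn = [ dbName ];

          environmentFiles = [ config.sops.templates."authentik.env".path ];
        };
      };

      authentik-db = mkContainer {
        image = "docker.io/library/postgres:16-alpine";
        ip = "192.168.101.10";
        extra = {
          # Named Docker volume (constructed name) so the database survives
          # container recreation; without it every `nixos-rebuild` that
          # recreates the container starts from an empty database.
          volumes = [ "authentik-db-data:/var/lib/postgresql/data" ];

          environmentFiles = [ config.sops.templates."authentik-db.env".path ];
        };
      };
    };
  };
}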