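# authentik identity provider on this host.
#
# The authentik server, worker and the LDAP/proxy outposts run as podman
# containers; PostgreSQL, Redis and nginx run on the host and are reached
# from the containers over the podman bridge address (bridgeHost below).
# nginx is the only public entry point (TLS terminated there).
{ config, pkgs, lib, ... }:
let
  # Host-side address of the podman bridge. Every container<->host hop
  # (DB, Redis, published ports, the nginx upstream) goes through it, so it
  # is defined once here instead of being repeated per service.
  bridgeHost = "10.88.0.1";

  # Public host name of the IdP; the outposts reach the server through it.
  domain = "auth.orga.cebula.camp";
  externalUrl = "https://${domain}";

  # Server, worker and both outposts are pinned to the same release; mixing
  # outpost and server versions is a common upgrade mistake, so the version
  # is defined once.
  authentikVersion = "2024.12.2";
  serverImage = "ghcr.io/goauthentik/server:${authentikVersion}";

  # Environment file for server and worker, kept outside the Nix store.
  # NOTE(review): presumably holds AUTHENTIK_SECRET_KEY and the DB/Redis
  # passwords; its contents are not visible from this module.
  serverEnvFile = "/opt/authentik.env";

  # Non-secret settings shared by the server and worker containers.
  environment = {
    AUTHENTIK_POSTGRESQL__HOST = bridgeHost;
    AUTHENTIK_REDIS__HOST = bridgeHost;
  };

  # Persistent bind mounts for server and worker. Currently empty: dataDir is
  # not defined, so uploaded media/branding lives only inside the container
  # and is lost when it is recreated. TODO: define dataDir and re-enable.
  authentikVolumes = [
    #"${dataDir}/media:/media"
    #"${dataDir}/assets:/web/dist/extra:ro"
    #"${dataDir}/templates:/templates"
  ];
in
{
  # Traffic arriving on the podman bridge bypasses the host firewall; this is
  # what lets the containers reach PostgreSQL and Redis on bridgeHost.
  # NOTE(review): it also trusts every container on the bridge, not only the
  # authentik ones.
  networking.firewall.trustedInterfaces = [ "podman0" ];

  services.postgresql = {
    # Needed so the bridge address (not just the unix socket) accepts
    # connections; nothing in this module opens 5432 on other interfaces.
    enableTCPIP = true;
    ensureDatabases = [ "authentik" ];
    ensureUsers = [
      {
        name = "authentik";
        ensureDBOwnership = true;
      }
    ];
    # ensureUsers creates the role but does not set a password; it has to be
    # set out of band and must match the credential carried in serverEnvFile.
    # NOTE(review): this rule admits every role to every database from the
    # whole bridge subnet, using md5. The least-privilege form is
    # `host authentik authentik 10.88.0.0/16 scram-sha-256` — check how the
    # role's password is stored before switching the method.
    authentication = ''
      host all all 10.88.0.0/16 md5
    '';
  };

  services.redis.servers.authentik = {
    enable = true;
    # Redis AUTH secret, read at runtime from outside the Nix store.
    requirePassFile = "/var/secrets/redis-password";
    port = 6379;
    # Bound to the bridge address only: reachable from the containers, not on
    # the host's other interfaces.
    bind = bridgeHost;
  };

  virtualisation.podman.enable = true;
  virtualisation.oci-containers.backend = "podman";
  virtualisation.oci-containers.containers = {
    authentik-server = {
      image = serverImage;
      cmd = [ "server" ];
      inherit environment;
      environmentFiles = [ serverEnvFile ];
      # Published on the bridge address only; nginx below fronts it.
      ports = [ "${bridgeHost}:9000:9000" ];
      volumes = authentikVolumes;
    };

    authentik-worker = {
      image = serverImage;
      cmd = [ "worker" ];
      inherit environment;
      environmentFiles = [ serverEnvFile ];
      volumes = authentikVolumes;
    };

    # LDAP outpost. The container listens on 3389/6636 and is published on the
    # well-known 389/636 of the bridge address.
    # NOTE(review): 389 is plaintext LDAP and is reachable by anything on the
    # bridge; prefer 636 (LDAPS) and drop the 389 mapping if no client needs it.
    authentik-ldap = {
      image = "ghcr.io/goauthentik/ldap:${authentikVersion}";
      ports = [
        "${bridgeHost}:389:3389"
        "${bridgeHost}:636:6636"
      ];
      environment = { AUTHENTIK_HOST = externalUrl; };
      # Outpost credentials, kept outside the Nix store (presumably the
      # outpost token; not visible here).
      environmentFiles = [ "/var/secrets/authentik-ldap" ];
    };

    # Proxy outpost, published on 9002 of the bridge address.
    authentik-proxy = {
      image = "ghcr.io/goauthentik/proxy:${authentikVersion}";
      ports = [ "${bridgeHost}:9002:9000" ];
      environment = { AUTHENTIK_HOST = externalUrl; };
      environmentFiles = [ "/var/secrets/authentik-proxy" ];
    };
  };

  # Public HTTPS front end. TLS ends here; the hop to authentik is plain HTTP
  # on the bridge address. Websocket support is required because the outposts
  # talk to the server through this vhost (AUTHENTIK_HOST above).
  services.nginx.virtualHosts.${domain} = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://${bridgeHost}:9000/";
      proxyWebsockets = true;
    };
  };
}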