nixos/authentik.nix


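{ config, pkgs, lib, ... }:
# authentik (core server, worker, LDAP and proxy outposts) running as podman
# containers on this host, with PostgreSQL and Redis provided by NixOS on the
# host side and nginx terminating TLS in front of the core server.
let
  # Host-side address of the podman bridge. Every service the containers need
  # (PostgreSQL, Redis, the published container ports) is bound to this address
  # only, so it is reachable from the podman network and from the host itself,
  # not from other interfaces.
  bridgeAddr = "10.88.0.1";
  bridgeNet = "10.88.0.0/16";

  # All authentik images are pinned to one release so the core and the
  # outposts can never be upgraded independently of each other.
  authentikVersion = "2024.12.2";
  authentikImage = name: "ghcr.io/goauthentik/${name}:${authentikVersion}";

  # Public URL of the core; the outposts use it to reach the authentik API.
  authentikHost = "https://auth.orga.cebula.camp";

  # Non-secret settings shared by the server and worker. Secrets (the
  # AUTHENTIK_SECRET_KEY, database and Redis passwords) are expected to come
  # from the env file below rather than from the Nix store; keep that file
  # readable by root only, since everything in it ends up in the container
  # environment.
  environment = {
    AUTHENTIK_POSTGRESQL__HOST = bridgeAddr;
    AUTHENTIK_REDIS__HOST = bridgeAddr;
  };
  coreEnvFile = "/opt/authentik.env";

  # Server and worker are the same image with a different entrypoint command;
  # everything else about them is identical, so build both from one helper.
  mkCoreContainer = role: {
    image = authentikImage "server";
    cmd = [ role ];
    inherit environment;
    environmentFiles = [ coreEnvFile ];
    # No persistent volumes are mounted, so whatever authentik writes under
    # /media presumably does not survive re-creating the container -- confirm
    # before relying on uploaded icons or backgrounds. The intended mounts
    # were left commented out; note that `dataDir` is not defined in this
    # module and would have to be introduced before enabling them.
    volumes = [
      #"${dataDir}/media:/media"
      #"${dataDir}/assets:/web/dist/extra:ro"
      #"${dataDir}/templates:/templates"
    ];
  };

  # The outposts only need to know where the core lives; their API token is
  # presumably in the per-outpost secrets file (verify against those files).
  outpostEnvironment = {
    AUTHENTIK_HOST = authentikHost;
  };
in {
  # Fully trusts the bridge: every container can reach every host port, not
  # only PostgreSQL and Redis below. Narrow this to
  # `networking.firewall.interfaces.podman0.allowedTCPPorts` if that is
  # broader than intended.
  networking.firewall.trustedInterfaces = [ "podman0" ];

  services.postgresql = {
    # Listen on TCP so the containers can reach the database across the bridge.
    enableTCPIP = true;
    ensureDatabases = [ "authentik" ];
    ensureUsers = [
      {
        name = "authentik";
        ensureDBOwnership = true;
      }
    ];
    # Password auth from the podman network only, restricted to the authentik
    # role on its own database (the previous rule let any role reach any
    # database from that subnet). `md5` also accepts roles whose stored
    # password is SCRAM-hashed; tighten it to `scram-sha-256` once the
    # authentik role's password has been set with a SCRAM
    # `password_encryption`.
    authentication = ''
      host authentik authentik ${bridgeNet} md5
    '';
  };

  services.redis = {
    servers.authentik = {
      enable = true;
      # Password comes from a file outside the Nix store; the containers must
      # present the same password (AUTHENTIK_REDIS__PASSWORD in the env file).
      requirePassFile = "/var/secrets/redis-password";
      port = 6379;
      # Bridge address only -- not exposed on other host interfaces.
      bind = bridgeAddr;
    };
  };

  virtualisation.podman.enable = true;
  virtualisation.oci-containers.backend = "podman";
  virtualisation.oci-containers.containers = {
    authentik-server = mkCoreContainer "server" // {
      # Core HTTP port, published on the bridge address for nginx below.
      ports = [ "${bridgeAddr}:9000:9000" ];
    };

    authentik-worker = mkCoreContainer "worker";

    authentik-ldap = {
      image = authentikImage "ldap";
      # 389 is plaintext LDAP, 636 is LDAPS; both are published on the bridge
      # address only, so clients must be on the host or the podman network.
      # Clients that can use 636 should, so bind credentials never cross the
      # bridge in the clear.
      ports = [ "${bridgeAddr}:389:3389" "${bridgeAddr}:636:6636" ];
      environment = outpostEnvironment;
      environmentFiles = [
        "/var/secrets/authentik-ldap"
      ];
    };

    authentik-proxy = {
      image = authentikImage "proxy";
      ports = [ "${bridgeAddr}:9002:9000" ];
      environment = outpostEnvironment;
      environmentFiles = [
        "/var/secrets/authentik-proxy"
      ];
    };
  };

  # TLS terminates here; the hop to the core is plain HTTP over the bridge
  # address, which only the host and the containers can reach.
  services.nginx.virtualHosts."auth.orga.cebula.camp" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://${bridgeAddr}:9000/";
      # authentik's web UI and outpost connections use websockets.
      proxyWebsockets = true;
    };
  };
}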