authorsefidel <contact@sefidel.net>2024-01-24 19:18:11 +0900
committersefidel <contact@sefidel.net>2024-01-24 19:18:11 +0900
commit497c3cd7864fdbcc546408d6d86ebfad37aa9b78 (patch)
tree6cd5bf30b9953156d71192fa96e34a863dda5926 /modules/services/authentik.nix
parenta1dc1ff8c07155f697a30145168820612b28b6cd (diff)
downloadinfra-497c3cd7864fdbcc546408d6d86ebfad37aa9b78.tar.gz
infra-497c3cd7864fdbcc546408d6d86ebfad37aa9b78.zip
wip: try to use infra-modules infra-modules
Diffstat (limited to 'modules/services/authentik.nix')
-rw-r--r--modules/services/authentik.nix69
1 files changed, 0 insertions, 69 deletions
diff --git a/modules/services/authentik.nix b/modules/services/authentik.nix
deleted file mode 100644
index 10241b9..0000000
--- a/modules/services/authentik.nix
+++ /dev/null
@@ -1,69 +0,0 @@
-{ inputs, config, lib, ... }:
-
-with lib;
-let
-  cfg = config.modules.services.authentik;
-in
-{
-  imports = [ inputs.authentik-nix.nixosModules.default ];
-
-  options.modules.services.authentik = {
-    enable = mkEnableOption "Authentik - Identity Provider";
-    domain = mkOption { type = types.str; };
-    realHost = mkOption { type = types.str; default = "authentik.${cfg.domain}"; };
-    email = {
-      host = mkOption { type = types.str; default = "smtp.${cfg.domain}"; };
-      username = mkOption { type = types.str; default = "authentik@${cfg.domain}"; };
-      from = mkOption { type = types.str; default = cfg.email.username; };
-    };
-    secrets = {
-       authentik-envs = mkOption { type = types.path; description = "path to the environment file"; };
-    };
-  };
-
-  config = mkIf cfg.enable {
-    services.authentik = {
-      enable = true;
-
-      environmentFile = cfg.secrets.authentik-envs;
-
-      settings = {
-        email = {
-          host = cfg.email.host;
-          port = 587;
-          username = cfg.email.username;
-          use_tls = true;
-          use_ssl = false;
-          from = cfg.email.from;
-        };
-
-        cert_discovery_dir = "env://CREDENTIALS_DIRECTORY";
-      };
-      nginx = {
-        # This is configured manually since authentik-nix doesn't support
-        # cases where cert domain != nginx host
-        enable = false;
-        enableACME = false;
-        # host = cfg.realHost;
-      };
-    };
-
-    modules.persistence.directories = [
-      "/var/lib/private/authentik"
-    ];
-
-    systemd.services.authentik-worker.serviceConfig.LoadCredential = [
-      "${cfg.domain}.pem:${config.security.acme.certs.${cfg.domain}.directory}/fullchain.pem"
-      "${cfg.domain}.key:${config.security.acme.certs.${cfg.domain}.directory}/key.pem"
-    ];
-
-    services.nginx.virtualHosts.${cfg.realHost} = {
-      useACMEHost = cfg.domain;
-      forceSSL = true;
-      locations."/" = {
-        proxyWebsockets = true;
-        proxyPass = "https://localhost:9443";
-      };
-    };
-  };
-}