about summary refs log tree commit diff
path: root/modules/services
diff options
context:
space:
mode:
authorsefidel <contact@sefidel.net>2024-01-14 19:41:07 +0900
committersefidel <contact@sefidel.net>2024-01-14 19:41:07 +0900
commit05cf38543e0f3c66fbf069d26656fe53871883d2 (patch)
tree3ded31da16f636a9dfb3daff7e4315d528688cac /modules/services
parentab38ccc1add444de85990c3e7aad75ede10e1674 (diff)
downloadinfra-05cf38543e0f3c66fbf069d26656fe53871883d2.tar.gz
infra-05cf38543e0f3c66fbf069d26656fe53871883d2.zip
feat(modules/authentik): init
Diffstat (limited to 'modules/services')
-rw-r--r--modules/services/authentik.nix69
1 files changed, 69 insertions, 0 deletions
diff --git a/modules/services/authentik.nix b/modules/services/authentik.nix
new file mode 100644
index 0000000..10241b9
--- /dev/null
+++ b/modules/services/authentik.nix
@@ -0,0 +1,69 @@
+{ inputs, config, lib, ... }:
+
+with lib;
+let
+  cfg = config.modules.services.authentik;
+in
+{
+  imports = [ inputs.authentik-nix.nixosModules.default ];
+
+  options.modules.services.authentik = {
+    enable = mkEnableOption "Authentik - Identity Provider";
+    domain = mkOption { type = types.str; };
+    realHost = mkOption { type = types.str; default = "authentik.${cfg.domain}"; };
+    email = {
+      host = mkOption { type = types.str; default = "smtp.${cfg.domain}"; };
+      username = mkOption { type = types.str; default = "authentik@${cfg.domain}"; };
+      from = mkOption { type = types.str; default = cfg.email.username; };
+    };
+    secrets = {
+       authentik-envs = mkOption { type = types.path; description = "path to the environment file"; };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.authentik = {
+      enable = true;
+
+      environmentFile = cfg.secrets.authentik-envs;
+
+      settings = {
+        email = {
+          host = cfg.email.host;
+          port = 587;
+          username = cfg.email.username;
+          use_tls = true;
+          use_ssl = false;
+          from = cfg.email.from;
+        };
+
+        cert_discovery_dir = "env://CREDENTIALS_DIRECTORY";
+      };
+      nginx = {
+        # This is configured manually since authentik-nix doesn't support
+        # cases where cert domain != nginx host
+        enable = false;
+        enableACME = false;
+        # host = cfg.realHost;
+      };
+    };
+
+    modules.persistence.directories = [
+      "/var/lib/private/authentik"
+    ];
+
+    systemd.services.authentik-worker.serviceConfig.LoadCredential = [
+      "${cfg.domain}.pem:${config.security.acme.certs.${cfg.domain}.directory}/fullchain.pem"
+      "${cfg.domain}.key:${config.security.acme.certs.${cfg.domain}.directory}/key.pem"
+    ];
+
+    services.nginx.virtualHosts.${cfg.realHost} = {
+      useACMEHost = cfg.domain;
+      forceSSL = true;
+      locations."/" = {
+        proxyWebsockets = true;
+        proxyPass = "https://localhost:9443";
+      };
+    };
+  };
+}