author | sefidel <contact@sefidel.net> | 2024-01-14 19:41:07 +0900 |
---|---|---|
committer | sefidel <contact@sefidel.net> | 2024-01-14 19:41:07 +0900 |
commit | 05cf38543e0f3c66fbf069d26656fe53871883d2 (patch) | |
tree | 3ded31da16f636a9dfb3daff7e4315d528688cac /modules/services | |
parent | ab38ccc1add444de85990c3e7aad75ede10e1674 (diff) | |
download | infra-05cf38543e0f3c66fbf069d26656fe53871883d2.tar.gz infra-05cf38543e0f3c66fbf069d26656fe53871883d2.zip |
feat(modules/authentik): init
Diffstat (limited to 'modules/services')
-rw-r--r-- | modules/services/authentik.nix | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/modules/services/authentik.nix b/modules/services/authentik.nix
new file mode 100644
index 0000000..10241b9
--- /dev/null
+++ b/modules/services/authentik.nix
@@ -0,0 +1,69 @@
+{ inputs, config, lib, ... }:
+
+with lib;
+let
+ cfg = config.modules.services.authentik;
+in
+{
+ imports = [ inputs.authentik-nix.nixosModules.default ];
+
+ options.modules.services.authentik = {
+ enable = mkEnableOption "Authentik - Identity Provider";
+ domain = mkOption { type = types.str; };
+ realHost = mkOption { type = types.str; default = "authentik.${cfg.domain}"; };
+ email = {
+ host = mkOption { type = types.str; default = "smtp.${cfg.domain}"; };
+ username = mkOption { type = types.str; default = "authentik@${cfg.domain}"; };
+ from = mkOption { type = types.str; default = cfg.email.username; };
+ };
+ secrets = {
+ authentik-envs = mkOption { type = types.path; description = "path to the environment file"; };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services.authentik = {
+ enable = true;
+
+ environmentFile = cfg.secrets.authentik-envs;
+
+ settings = {
+ email = {
+ host = cfg.email.host;
+ port = 587;
+ username = cfg.email.username;
+ use_tls = true;
+ use_ssl = false;
+ from = cfg.email.from;
+ };
+
+ cert_discovery_dir = "env://CREDENTIALS_DIRECTORY";
+ };
+ nginx = {
+ # This is configured manually since authentik-nix doesn't support
+ # cases where cert domain != nginx host
+ enable = false;
+ enableACME = false;
+ # host = cfg.realHost;
+ };
+ };
+
+ modules.persistence.directories = [
+ "/var/lib/private/authentik"
+ ];
+
+ systemd.services.authentik-worker.serviceConfig.LoadCredential = [
+ "${cfg.domain}.pem:${config.security.acme.certs.${cfg.domain}.directory}/fullchain.pem"
+ "${cfg.domain}.key:${config.security.acme.certs.${cfg.domain}.directory}/key.pem"
+ ];
+
+ services.nginx.virtualHosts.${cfg.realHost} = {
+ useACMEHost = cfg.domain;
+ forceSSL = true;
+ locations."/" = {
+ proxyWebsockets = true;
+ proxyPass = "https://localhost:9443";
+ };
+ };
+ };
+}
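Review bot: `secrets.authentik-envs` is declared as `types.path` with only `description = "path to the environment file"`, and nothing in the option says the file must live outside the Nix store; a Nix path literal (e.g. `./authentik.env`) coerced to `types.path` is copied into the world-readable `/nix/store`, exposing whatever that file carries (presumably the SMTP password, since the `email` options here declare host, username and from but no password). Sharpen the description to `description = "Absolute path to the environment file holding authentik secrets; it must be provisioned outside the Nix store (e.g. by a secrets manager), as a path literal would be copied into the world-readable store.";`. The remaining options (`domain`, `realHost`, `email.*`) carry no `description` at all; `domain` in particular should state that it names the ACME certificate that both `useACMEHost` and the `LoadCredential` entries look up, which appears to be why the nginx host (`realHost`) is allowed to differ from it. The commented-out `# host = cfg.realHost;` inside the `nginx` block is dead code and can be dropped.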