about summary refs log tree commit diff
path: root/modules/services
diff options
context:
space:
mode:
Diffstat (limited to 'modules/services')
-rw-r--r--modules/services/authentik.nix69
1 files changed, 69 insertions, 0 deletions
diff --git a/modules/services/authentik.nix b/modules/services/authentik.nix
new file mode 100644
index 0000000..10241b9
--- /dev/null
+++ b/modules/services/authentik.nix
@@ -0,0 +1,69 @@
+{ inputs, config, lib, ... }:
+
+with lib;
+let
+  cfg = config.modules.services.authentik;
+in
+{
+  imports = [ inputs.authentik-nix.nixosModules.default ];
+
+  options.modules.services.authentik = {
+    enable = mkEnableOption "Authentik - Identity Provider";
+    domain = mkOption { type = types.str; };
+    realHost = mkOption { type = types.str; default = "authentik.${cfg.domain}"; };
+    email = {
+      host = mkOption { type = types.str; default = "smtp.${cfg.domain}"; };
+      username = mkOption { type = types.str; default = "authentik@${cfg.domain}"; };
+      from = mkOption { type = types.str; default = cfg.email.username; };
+    };
+    secrets = {
+       authentik-envs = mkOption { type = types.path; description = "path to the environment file"; };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.authentik = {
+      enable = true;
+
+      environmentFile = cfg.secrets.authentik-envs;
+
+      settings = {
+        email = {
+          host = cfg.email.host;
+          port = 587;
+          username = cfg.email.username;
+          use_tls = true;
+          use_ssl = false;
+          from = cfg.email.from;
+        };
+
+        cert_discovery_dir = "env://CREDENTIALS_DIRECTORY";
+      };
+      nginx = {
+        # This is configured manually since authentik-nix doesn't support
+        # cases where cert domain != nginx host
+        enable = false;
+        enableACME = false;
+        # host = cfg.realHost;
+      };
+    };
+
+    modules.persistence.directories = [
+      "/var/lib/private/authentik"
+    ];
+
+    systemd.services.authentik-worker.serviceConfig.LoadCredential = [
+      "${cfg.domain}.pem:${config.security.acme.certs.${cfg.domain}.directory}/fullchain.pem"
+      "${cfg.domain}.key:${config.security.acme.certs.${cfg.domain}.directory}/key.pem"
+    ];
+
+    services.nginx.virtualHosts.${cfg.realHost} = {
+      useACMEHost = cfg.domain;
+      forceSSL = true;
+      locations."/" = {
+        proxyWebsockets = true;
+        proxyPass = "https://localhost:9443";
+      };
+    };
+  };
+}