diff options
Diffstat (limited to 'modules/services')
| -rw-r--r-- | modules/services/authentik.nix | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/modules/services/authentik.nix b/modules/services/authentik.nix new file mode 100644 index 0000000..10241b9 --- /dev/null +++ b/modules/services/authentik.nix @@ -0,0 +1,69 @@ +{ inputs, config, lib, ... }: + +with lib; +let + cfg = config.modules.services.authentik; +in +{ + imports = [ inputs.authentik-nix.nixosModules.default ]; + + options.modules.services.authentik = { + enable = mkEnableOption "Authentik - Identity Provider"; + domain = mkOption { type = types.str; }; + realHost = mkOption { type = types.str; default = "authentik.${cfg.domain}"; }; + email = { + host = mkOption { type = types.str; default = "smtp.${cfg.domain}"; }; + username = mkOption { type = types.str; default = "authentik@${cfg.domain}"; }; + from = mkOption { type = types.str; default = cfg.email.username; }; + }; + secrets = { + authentik-envs = mkOption { type = types.path; description = "path to the environment file"; }; + }; + }; + + config = mkIf cfg.enable { + services.authentik = { + enable = true; + + environmentFile = cfg.secrets.authentik-envs; + + settings = { + email = { + host = cfg.email.host; + port = 587; + username = cfg.email.username; + use_tls = true; + use_ssl = false; + from = cfg.email.from; + }; + + cert_discovery_dir = "env://CREDENTIALS_DIRECTORY"; + }; + nginx = { + # This is configured manually since authentik-nix doesn't support + # cases where cert domain != nginx host + enable = false; + enableACME = false; + # host = cfg.realHost; + }; + }; + + modules.persistence.directories = [ + "/var/lib/private/authentik" + ]; + + systemd.services.authentik-worker.serviceConfig.LoadCredential = [ + "${cfg.domain}.pem:${config.security.acme.certs.${cfg.domain}.directory}/fullchain.pem" + "${cfg.domain}.key:${config.security.acme.certs.${cfg.domain}.directory}/key.pem" + ]; + + services.nginx.virtualHosts.${cfg.realHost} = { + useACMEHost = cfg.domain; + forceSSL = true; + locations."/" = { + proxyWebsockets = true; + proxyPass = "https://localhost:9443"; + }; + }; + }; +} |