blob: 10241b9a93f17699f9b4cb5619386822c728ee80 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
|
{ inputs, config, lib, ... }:
with lib;
let
cfg = config.modules.services.authentik;
in
{
imports = [ inputs.authentik-nix.nixosModules.default ];
options.modules.services.authentik = {
enable = mkEnableOption "Authentik - Identity Provider";
domain = mkOption { type = types.str; };
realHost = mkOption { type = types.str; default = "authentik.${cfg.domain}"; };
email = {
host = mkOption { type = types.str; default = "smtp.${cfg.domain}"; };
username = mkOption { type = types.str; default = "authentik@${cfg.domain}"; };
from = mkOption { type = types.str; default = cfg.email.username; };
};
secrets = {
authentik-envs = mkOption { type = types.path; description = "path to the environment file"; };
};
};
config = mkIf cfg.enable {
services.authentik = {
enable = true;
environmentFile = cfg.secrets.authentik-envs;
settings = {
email = {
host = cfg.email.host;
port = 587;
username = cfg.email.username;
use_tls = true;
use_ssl = false;
from = cfg.email.from;
};
cert_discovery_dir = "env://CREDENTIALS_DIRECTORY";
};
nginx = {
# This is configured manually since authentik-nix doesn't support
# cases where cert domain != nginx host
enable = false;
enableACME = false;
# host = cfg.realHost;
};
};
modules.persistence.directories = [
"/var/lib/private/authentik"
];
systemd.services.authentik-worker.serviceConfig.LoadCredential = [
"${cfg.domain}.pem:${config.security.acme.certs.${cfg.domain}.directory}/fullchain.pem"
"${cfg.domain}.key:${config.security.acme.certs.${cfg.domain}.directory}/key.pem"
];
services.nginx.virtualHosts.${cfg.realHost} = {
useACMEHost = cfg.domain;
forceSSL = true;
locations."/" = {
proxyWebsockets = true;
proxyPass = "https://localhost:9443";
};
};
};
}
|
