nixos-systems/modules/system/authentik.nix

{ pkgs, lib, config, ... }:
with lib;
{
	options.myModules.authentik.enable = mkEnableOption "custom authentik configuration";

	config = mkIf config.myModules.authentik.enable {
		sops.secrets.authentik-env = {
			format = "env";
			group = "authentik";
			mode = "0440";
			owner = "authentik";
			restartUnits = ["authentik"];
			sopsFile = ../../secrets/authentik.env;
		};
		systemd.services.podman-create-authentik-pod = with config.virtualisation.oci-containers; {
			serviceConfig.Type = "oneshot";
			wantedBy = [ "${backend}-authentik-server.service" "${backend}-authentik-worker.service"];
			script = ''
				${pkgs.podman}/bin/podman pod exists authentik || \
				  ${pkgs.podman}/bin/podman pod create \
				    --name authentik \
				    -p 127.0.0.1:10000:9000
			'';
		};
		systemd.tmpfiles.rules = [
			"d /opt/authentik/certs 0755 authentik authentik"
			"d /opt/authentik/media 0755 authentik authentik"
			"d /opt/authentik/templates 0755 authentik authentik"
		];
		users.groups.authentik = {};
		users.users.authentik = {
			group = "authentik";
			isNormalUser = false;
			isSystemUser = true;
		};
		virtualisation.oci-containers.containers = {
			authentik-server = {
				cmd = ["server"];
				environmentFiles = [
					"/var/run/secrets/authentik-env"
				];
				extraOptions = [ "--pod=authentik" ];
				image = "ghcr.io/goauthentik/server:2025.4";
				volumes = [
					"/opt/authentik/media:/media"
					"/opt/authentik/templates:/templates"
				];
			};
			authentik-worker = {
				cmd = ["worker"];
				environmentFiles = [
					"/var/run/secrets/authentik-env"
				];
				extraOptions = [ "--pod=authentik" ];
				image = "ghcr.io/goauthentik/server:2025.4";
				volumes = [
					"/opt/authentik/certs:/certs"
					"/opt/authentik/media:/media"
					"/opt/authentik/templates:/templates"
				];
			};
		};
	};
}
Add the authentik secrets to the authentik module 2025-07-18 15:44:34 +00:00			`{ pkgs, lib, config, ... }:`
			`with lib;`
			`{`
			`options.myModules.authentik.enable = mkEnableOption "custom authentik configuration";`

			`config = mkIf config.myModules.authentik.enable {`
			`sops.secrets.authentik-env = {`
Switch authentik env file to an actual env file ini is not env. 2025-07-18 17:00:35 +00:00			`format = "env";`
Add the authentik secrets to the authentik module 2025-07-18 15:44:34 +00:00			`group = "authentik";`
			`mode = "0440";`
			`owner = "authentik";`
			`restartUnits = ["authentik"];`
Switch authentik env file to an actual env file ini is not env. 2025-07-18 17:00:35 +00:00			`sopsFile = ../../secrets/authentik.env;`
Add the authentik secrets to the authentik module 2025-07-18 15:44:34 +00:00			`};`
Add authentik containers and pod 2025-07-18 16:38:41 +00:00			`systemd.services.podman-create-authentik-pod = with config.virtualisation.oci-containers; {`
			`serviceConfig.Type = "oneshot";`
			`wantedBy = [ "${backend}-authentik-server.service" "${backend}-authentik-worker.service"];`
			`script = ''`
			`${pkgs.podman}/bin/podman pod exists authentik \|\| \`
			`${pkgs.podman}/bin/podman pod create \`
			`--name authentik \`
			`-p 127.0.0.1:10000:9000`
			`'';`
			`};`
Create required volume mount locations 2025-07-18 16:52:52 +00:00			`systemd.tmpfiles.rules = [`
			`"d /opt/authentik/certs 0755 authentik authentik"`
			`"d /opt/authentik/media 0755 authentik authentik"`
			`"d /opt/authentik/templates 0755 authentik authentik"`
			`];`
Add the authentik secrets to the authentik module 2025-07-18 15:44:34 +00:00			`users.groups.authentik = {};`
			`users.users.authentik = {`
			`group = "authentik";`
			`isNormalUser = false;`
			`isSystemUser = true;`
			`};`
Add authentik containers and pod 2025-07-18 16:38:41 +00:00			`virtualisation.oci-containers.containers = {`
			`authentik-server = {`
			`cmd = ["server"];`
			`environmentFiles = [`
			`"/var/run/secrets/authentik-env"`
			`];`
			`extraOptions = [ "--pod=authentik" ];`
			`image = "ghcr.io/goauthentik/server:2025.4";`
			`volumes = [`
			`"/opt/authentik/media:/media"`
			`"/opt/authentik/templates:/templates"`
			`];`
			`};`
			`authentik-worker = {`
			`cmd = ["worker"];`
			`environmentFiles = [`
			`"/var/run/secrets/authentik-env"`
			`];`
			`extraOptions = [ "--pod=authentik" ];`
			`image = "ghcr.io/goauthentik/server:2025.4";`
			`volumes = [`
			`"/opt/authentik/certs:/certs"`
			`"/opt/authentik/media:/media"`
			`"/opt/authentik/templates:/templates"`
			`];`
			`};`
			`};`
Add the authentik secrets to the authentik module 2025-07-18 15:44:34 +00:00			`};`
			`}`