nixos-systems/modules/system/authentik.nix

{ config, lib, pkgs, ... }:
with lib;
{
	options.myModules.authentik.enable = mkEnableOption "custom authentik configuration";

	config = mkIf config.myModules.authentik.enable {
		environment.systemPackages = [
			pkgs.authentik
		];
		services.authentik = {
			enable = true;
			environmentFile = "/run/secrets/authentik-env";
			settings = {
				database = {
					host = "127.0.0.1";
					name = "authentik";
				};
				email = {
					host = "smtp.forwardemail.net";
					port = 2465;
					use_tls = false;
					use_ssl = true;
					from = "auth@corp.gleipnir.technology";
				};
				listen = {
					debug = "127.0.0.1:9900";
					debug_py = "127.0.0.1:9901";
					http = "127.0.0.1:10030";
					https = "127.0.0.1:10031";
					ldap = "127.0.0.1:3389";
					ldaps = "127.0.0.1:6636";
					radius = "127.0.0.1:1812";
					metrics = "127.0.0.1:9300";
				};
			};
		};
		services.caddy.virtualHosts."auth.gleipnir.technology".extraConfig = ''
			reverse_proxy http://127.0.0.1:10030
		'';
		services.postgresql = {
			ensureDatabases = [ "authentik" ];
			ensureUsers = [{
				ensureClauses.login = true;
				ensureDBOwnership = true;
				name = "authentik";
			}];
		};
		services.restic.backups."authentik-db" = {
			# We can use this due to overridding restic with unstable
			command = [
				"${lib.getExe pkgs.sudo}"
				"-u postgres"
				"${pkgs.postgresql}/bin/pg_dump authentik"
			];
			environmentFile = "/var/run/secrets/restic-env";
			extraBackupArgs = [
				"--tag database"
			];
			passwordFile = "/var/run/secrets/restic-password";
			pruneOpts = [
				"--keep-daily 14"
				"--keep-weekly 4"
				"--keep-monthly 2"
				"--group-by tags"
			];
			repository = "s3:s3.us-west-004.backblazeb2.com/gleipnir-backup-corp/authentik";
		};
		services.restic.backups."authentik-files" = {
			environmentFile = "/var/run/secrets/restic-env";
			extraBackupArgs = [
				"--tag files"
			];
			initialize = true;
			passwordFile = "/var/run/secrets/restic-password";
			paths = [
				"/opt/authentik/certs"
				"/opt/authentik/media"
				"/opt/authentik/templates"
			];
			repository = "s3:s3.us-west-004.backblazeb2.com/gleipnir-backup-corp/authentik";
		};
		sops.secrets.authentik-env = with config.virtualisation.oci-containers; {
			format = "dotenv";
			group = "authentik";
			mode = "0440";
			owner = "authentik";
			restartUnits = ["authentik" "authentik-migrate" "authentik-worker"];
			sopsFile = ../../secrets/authentik.env;
		};
		systemd.tmpfiles.rules = [
			"d /opt/authentik/certs 0755 authentik authentik"
			"d /opt/authentik/media 0755 authentik authentik"
			"d /opt/authentik/templates 0755 authentik authentik"
		];
		users.groups.authentik = {};
		users.users.authentik = {
			group = "authentik";
			isNormalUser = false;
			isSystemUser = true;
		};
	};
}
Add initial authentik backup script This includes a new paradigm for using a pgpass file, which is great, as well as sorting out how to properly do a bash script shebang in a service file. 2025-07-23 21:39:18 +00:00			`{ config, lib, pkgs, ... }:`
Add the authentik secrets to the authentik module 2025-07-18 15:44:34 +00:00			`with lib;`
			`{`
			`options.myModules.authentik.enable = mkEnableOption "custom authentik configuration";`

			`config = mkIf config.myModules.authentik.enable {`
Get authentik working on the new corp server without podman The podman integration was pretty janky because it relied on running a pod and the NixOS integration with pods are essentially non-existent. This led to issues with the port being improperly forwarded when partially restarted. Now instead I use a flake dedicated to running authentik. This allows me to specify some of the config in the module directly and some in secrets, which is really nice. I've additionally added some changes to the listen address so that the service isn't exposed over public IP addresses. 2025-09-09 13:01:14 +00:00			`environment.systemPackages = [`
			`pkgs.authentik`
			`];`
			`services.authentik = {`
			`enable = true;`
			`environmentFile = "/run/secrets/authentik-env";`
			`settings = {`
			`database = {`
			`host = "127.0.0.1";`
			`name = "authentik";`
			`};`
			`email = {`
			`host = "smtp.forwardemail.net";`
			`port = 2465;`
			`use_tls = false;`
			`use_ssl = true;`
			`from = "auth@corp.gleipnir.technology";`
			`};`
			`listen = {`
Use the new authentik config pattern for setting listening addresses 2026-01-13 14:58:11 +00:00			`debug = "127.0.0.1:9900";`
			`debug_py = "127.0.0.1:9901";`
			`http = "127.0.0.1:10030";`
			`https = "127.0.0.1:10031";`
			`ldap = "127.0.0.1:3389";`
			`ldaps = "127.0.0.1:6636";`
			`radius = "127.0.0.1:1812";`
			`metrics = "127.0.0.1:9300";`
Get authentik working on the new corp server without podman The podman integration was pretty janky because it relied on running a pod and the NixOS integration with pods are essentially non-existent. This led to issues with the port being improperly forwarded when partially restarted. Now instead I use a flake dedicated to running authentik. This allows me to specify some of the config in the module directly and some in secrets, which is really nice. I've additionally added some changes to the listen address so that the service isn't exposed over public IP addresses. 2025-09-09 13:01:14 +00:00			`};`
			`};`
			`};`
Switch to caddy, remove onlyoffice, add collabora Most things work on this commit, except the integration between collabora and seafile. I think it might be related to the timezone change I made and a lack of access_token being passed in the URL. I'm going to test that with a reboot. But first, checkpoint! 2025-07-18 22:45:02 +00:00			`services.caddy.virtualHosts."auth.gleipnir.technology".extraConfig = ''`
Add minio module for S3-compatible object storage Label Studio _really_ prefers using a direct object storage model. Can't say I blame them, it makes sense given they are running Python. I had to bump Authentik to not use its default port so that minio could use its own default port. That seemed safest given that Authentik is always proxied but minio/S3 may _not_ be. I'm just not sure. 2025-10-01 19:25:29 +00:00			`reverse_proxy http://127.0.0.1:10030`
Switch to caddy, remove onlyoffice, add collabora Most things work on this commit, except the integration between collabora and seafile. I think it might be related to the timezone change I made and a lack of access_token being passed in the URL. I'm going to test that with a reboot. But first, checkpoint! 2025-07-18 22:45:02 +00:00			`'';`
Get authentik working on the new corp server without podman The podman integration was pretty janky because it relied on running a pod and the NixOS integration with pods are essentially non-existent. This led to issues with the port being improperly forwarded when partially restarted. Now instead I use a flake dedicated to running authentik. This allows me to specify some of the config in the module directly and some in secrets, which is really nice. I've additionally added some changes to the listen address so that the service isn't exposed over public IP addresses. 2025-09-09 13:01:14 +00:00			`services.postgresql = {`
			`ensureDatabases = [ "authentik" ];`
			`ensureUsers = [{`
			`ensureClauses.login = true;`
			`ensureDBOwnership = true;`
			`name = "authentik";`
			`}];`
			`};`
Add restic backup for all corp services 2026-01-12 00:48:54 +00:00			`services.restic.backups."authentik-db" = {`
			`# We can use this due to overridding restic with unstable`
			`command = [`
			`"${lib.getExe pkgs.sudo}"`
			`"-u postgres"`
			`"${pkgs.postgresql}/bin/pg_dump authentik"`
			`];`
			`environmentFile = "/var/run/secrets/restic-env";`
			`extraBackupArgs = [`
			`"--tag database"`
			`];`
			`passwordFile = "/var/run/secrets/restic-password";`
			`pruneOpts = [`
			`"--keep-daily 14"`
			`"--keep-weekly 4"`
			`"--keep-monthly 2"`
			`"--group-by tags"`
			`];`
			`repository = "s3:s3.us-west-004.backblazeb2.com/gleipnir-backup-corp/authentik";`
			`};`
			`services.restic.backups."authentik-files" = {`
			`environmentFile = "/var/run/secrets/restic-env";`
			`extraBackupArgs = [`
			`"--tag files"`
			`];`
			`initialize = true;`
			`passwordFile = "/var/run/secrets/restic-password";`
			`paths = [`
			`"/opt/authentik/certs"`
			`"/opt/authentik/media"`
			`"/opt/authentik/templates"`
			`];`
			`repository = "s3:s3.us-west-004.backblazeb2.com/gleipnir-backup-corp/authentik";`
			`};`
Create environment file correctly, reference correct services 2025-07-18 17:10:24 +00:00			`sops.secrets.authentik-env = with config.virtualisation.oci-containers; {`
			`format = "dotenv";`
Add the authentik secrets to the authentik module 2025-07-18 15:44:34 +00:00			`group = "authentik";`
			`mode = "0440";`
			`owner = "authentik";`
Get authentik working on the new corp server without podman The podman integration was pretty janky because it relied on running a pod and the NixOS integration with pods are essentially non-existent. This led to issues with the port being improperly forwarded when partially restarted. Now instead I use a flake dedicated to running authentik. This allows me to specify some of the config in the module directly and some in secrets, which is really nice. I've additionally added some changes to the listen address so that the service isn't exposed over public IP addresses. 2025-09-09 13:01:14 +00:00			`restartUnits = ["authentik" "authentik-migrate" "authentik-worker"];`
Switch authentik env file to an actual env file ini is not env. 2025-07-18 17:00:35 +00:00			`sopsFile = ../../secrets/authentik.env;`
Add the authentik secrets to the authentik module 2025-07-18 15:44:34 +00:00			`};`
Create required volume mount locations 2025-07-18 16:52:52 +00:00			`systemd.tmpfiles.rules = [`
			`"d /opt/authentik/certs 0755 authentik authentik"`
			`"d /opt/authentik/media 0755 authentik authentik"`
			`"d /opt/authentik/templates 0755 authentik authentik"`
			`];`
Add the authentik secrets to the authentik module 2025-07-18 15:44:34 +00:00			`users.groups.authentik = {};`
			`users.users.authentik = {`
			`group = "authentik";`
			`isNormalUser = false;`
			`isSystemUser = true;`
			`};`
			`};`
			`}`