From bcd365fb4454e098aac80bbe6f22d85af069be7f Mon Sep 17 00:00:00 2001
From: Eli Ribble
Date: Fri, 18 Jul 2025 16:38:41 +0000
Subject: [PATCH] Add authentik containers and pod

---
 modules/system/authentik.nix | 38 ++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/modules/system/authentik.nix b/modules/system/authentik.nix
index 27ad7e7..cb1618e 100644
--- a/modules/system/authentik.nix
+++ b/modules/system/authentik.nix
@@ -12,11 +12,49 @@ with lib;
     restartUnits = ["authentik"];
     sopsFile = ../../secrets/authentik.env;
   };
+  systemd.services.podman-create-authentik-pod = with config.virtualisation.oci-containers; {
+    serviceConfig.Type = "oneshot";
+    wantedBy = [ "${backend}-authentik-server.service" "${backend}-authentik-worker.service"];
+    script = ''
+      ${pkgs.podman}/bin/podman pod exists authentik || \
+        ${pkgs.podman}/bin/podman pod create \
+          --name authentik \
+          --network slirp4netns:allow_host_loopback=true \
+          -p 127.0.0.1:10000:9000
+    '';
+  };
   users.groups.authentik = {};
   users.users.authentik = {
     group = "authentik";
     isNormalUser = false;
     isSystemUser = true;
   };
+  virtualisation.oci-containers.containers = {
+    authentik-server = {
+      cmd = ["server"];
+      environmentFiles = [
+        "/var/run/secrets/authentik-env"
+      ];
+      extraOptions = [ "--pod=authentik" ];
+      image = "ghcr.io/goauthentik/server:2025.4";
+      volumes = [
+        "/opt/authentik/media:/media"
+        "/opt/authentik/templates:/templates"
+      ];
+    };
+    authentik-worker = {
+      cmd = ["worker"];
+      environmentFiles = [
+        "/var/run/secrets/authentik-env"
+      ];
+      extraOptions = [ "--pod=authentik" ];
+      image = "ghcr.io/goauthentik/server:2025.4";
+      volumes = [
+        "/opt/authentik/certs:/certs"
+        "/opt/authentik/media:/media"
+        "/opt/authentik/templates:/templates"
+      ];
+    };
+  };
 };
 }
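Review bot: `podman-create-authentik-pod` is only `wantedBy` the two container units, which pulls it in but does not order it first, so `podman run --pod=authentik` in the server/worker units can race the pod creation and fail on the initial boot; add `before = [ "${backend}-authentik-server.service" "${backend}-authentik-worker.service" ];` to the service (and `serviceConfig.RemainAfterExit = true;` so systemd treats the one-shot as active). The secret declared above the hunk (its name and enclosing block start outside this view) has `restartUnits = ["authentik"]`, but no unit by that name exists here — the units that actually read `/var/run/secrets/authentik-env` are the two `${backend}-authentik-*` services, so a rotated secret would not restart the containers and they would keep running with the old credentials; change it to `restartUnits = [ "${backend}-authentik-server.service" "${backend}-authentik-worker.service" ];`. `--network slirp4netns:allow_host_loopback=true` lets both containers reach every service bound to the host's loopback, not just whichever database or cache this is presumably meant for (I cannot see that from the hunk); a comment stating which host service needs it, e.g. `# allow_host_loopback: containers reach the host-bound Postgres/Redis via 10.0.2.2`, would make the exposure deliberate. Finally, `ghcr.io/goauthentik/server:2025.4` is a mutable tag; pinning an `@sha256:` digest alongside it would fix the supply-chain input for an identity provider.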