Add authentik containers and pod

2025-07-18 16:38:41 +00:00 · 2025-07-18 16:38:41 +00:00 · bcd365fb44
commit bcd365fb44
parent de7adc50b4
1 changed files with 38 additions and 0 deletions
--- a/modules/system/authentik.nix
+++ b/modules/system/authentik.nix
@ -12,11 +12,49 @@ with lib;
 			restartUnits = ["authentik"];
 			sopsFile = ../../secrets/authentik.env;
 		};
+		systemd.services.podman-create-authentik-pod = with config.virtualisation.oci-containers; {
+			serviceConfig.Type = "oneshot";
+			wantedBy = [ "${backend}-authentik-server.service" "${backend}-authentik-worker.service"];
+			script = ''
+				${pkgs.podman}/bin/podman pod exists authentik || \
+				  ${pkgs.podman}/bin/podman pod create \
+				    --name authentik \
+				    --network slirp4netns:allow_host_loopback=true \
+				    -p 127.0.0.1:10000:9000
+			'';
+		};
 		users.groups.authentik = {};
 		users.users.authentik = {
 			group = "authentik";
 			isNormalUser = false;
 			isSystemUser = true;
 		};
+		virtualisation.oci-containers.containers = {
+			authentik-server = {
+				cmd = ["server"];
+				environmentFiles = [
+					"/var/run/secrets/authentik-env"
+				];
+				extraOptions = [ "--pod=authentik" ];
+				image = "ghcr.io/goauthentik/server:2025.4";
+				volumes = [
+					"/opt/authentik/media:/media"
+					"/opt/authentik/templates:/templates"
+				];
+			};
+			authentik-worker = {
+				cmd = ["worker"];
+				environmentFiles = [
+					"/var/run/secrets/authentik-env"
+				];
+				extraOptions = [ "--pod=authentik" ];
+				image = "ghcr.io/goauthentik/server:2025.4";
+				volumes = [
+					"/opt/authentik/certs:/certs"
+					"/opt/authentik/media:/media"
+					"/opt/authentik/templates:/templates"
+				];
+			};
+		};
 	};
 }