Gleipnir/nixos-systems
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
nixos-systems/modules/system/authentik.nix
Eli Ribble 47056f3df8 Add initial authentik backup script 
This includes a new paradigm for using a pgpass file, which is great, as
well as sorting out how to properly do a bash script shebang in a
service file.
2025-07-24 15:58:32 +00:00

71 lines
2.1 KiB
Nix
Raw Blame History

{ config, lib, pkgs, ... }:
with lib;
{
options.myModules.authentik.enable = mkEnableOption "custom authentik configuration";
config = mkIf config.myModules.authentik.enable {
services.caddy.virtualHosts."auth.gleipnir.technology".extraConfig = ''
reverse_proxy http://127.0.0.1:10000
'';
sops.secrets.authentik-env = with config.virtualisation.oci-containers; {
format = "dotenv";
group = "authentik";
mode = "0440";
owner = "authentik";
restartUnits = ["${backend}-authentik-server" "${backend}-authentik-worker"];
sopsFile = ../../secrets/authentik.env;
};
systemd.services.podman-create-authentik-pod = with config.virtualisation.oci-containers; {
serviceConfig.Type = "oneshot";
wantedBy = [ "${backend}-authentik-server.service" "${backend}-authentik-worker.service"];
script = ''
${pkgs.podman}/bin/podman pod exists authentik || \
${pkgs.podman}/bin/podman pod create \
--name authentik \
-p 127.0.0.1:10000:9000
'';
};
systemd.tmpfiles.rules = [
"d /opt/authentik/certs 0755 authentik authentik"
"d /opt/authentik/media 0755 authentik authentik"
"d /opt/authentik/templates 0755 authentik authentik"
];
users.groups.authentik = {};
users.users.authentik = {
group = "authentik";
isNormalUser = false;
isSystemUser = true;
};
virtualisation.oci-containers.containers = {
authentik-redis = {
extraOptions = [ "--pod=authentik" ];
image = "docker.io/redis:8.0.3-alpine";
};
authentik-server = {
cmd = ["server"];
environmentFiles = [
"/var/run/secrets/authentik-env"
];
extraOptions = [ "--pod=authentik" ];
image = "ghcr.io/goauthentik/server:2025.4";
volumes = [
"/opt/authentik/media:/media"
"/opt/authentik/templates:/templates"
];
};
authentik-worker = {
cmd = ["worker"];
environmentFiles = [
"/var/run/secrets/authentik-env"
];
extraOptions = [ "--pod=authentik" ];
image = "ghcr.io/goauthentik/server:2025.4";
volumes = [
"/opt/authentik/certs:/certs"
"/opt/authentik/media:/media"
"/opt/authentik/templates:/templates"
];
};
};
};
}
Reference in a new issue View git blame Copy permalink