Eli Ribble
dad759c4b3
Label Studio _really_ prefers using a direct object storage model. Can't say I blame them, it makes sense given they are running Python. I had to bump Authentik to not use its default port so that minio could use its own default port. That seemed safest given that Authentik is always proxied but minio/S3 may _not_ be. I'm just not sure.
68 lines
1.8 KiB
Nix
68 lines
1.8 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
with lib;
|
|
{
|
|
options.myModules.authentik.enable = mkEnableOption "custom authentik configuration";
|
|
|
|
config = mkIf config.myModules.authentik.enable {
|
|
environment.systemPackages = [
|
|
pkgs.authentik
|
|
];
|
|
services.authentik = {
|
|
enable = true;
|
|
environmentFile = "/run/secrets/authentik-env";
|
|
settings = {
|
|
database = {
|
|
host = "127.0.0.1";
|
|
name = "authentik";
|
|
};
|
|
email = {
|
|
host = "smtp.forwardemail.net";
|
|
port = 2465;
|
|
use_tls = false;
|
|
use_ssl = true;
|
|
from = "auth@corp.gleipnir.technology";
|
|
};
|
|
listen = {
|
|
listen_debug = "127.0.0.1:9900";
|
|
listen_debug_py = "127.0.0.1:9901";
|
|
listen_http = "127.0.0.1:10030";
|
|
listen_https = "127.0.0.1:10031";
|
|
listen_ldap = "127.0.0.1:3389";
|
|
listen_ldaps = "127.0.0.1:6636";
|
|
listen_radius = "127.0.0.1:1812";
|
|
listen_metrics = "127.0.0.1:9300";
|
|
};
|
|
};
|
|
};
|
|
services.caddy.virtualHosts."auth.gleipnir.technology".extraConfig = ''
|
|
reverse_proxy http://127.0.0.1:10030
|
|
'';
|
|
services.postgresql = {
|
|
ensureDatabases = [ "authentik" ];
|
|
ensureUsers = [{
|
|
ensureClauses.login = true;
|
|
ensureDBOwnership = true;
|
|
name = "authentik";
|
|
}];
|
|
};
|
|
sops.secrets.authentik-env = with config.virtualisation.oci-containers; {
|
|
format = "dotenv";
|
|
group = "authentik";
|
|
mode = "0440";
|
|
owner = "authentik";
|
|
restartUnits = ["authentik" "authentik-migrate" "authentik-worker"];
|
|
sopsFile = ../../secrets/authentik.env;
|
|
};
|
|
systemd.tmpfiles.rules = [
|
|
"d /opt/authentik/certs 0755 authentik authentik"
|
|
"d /opt/authentik/media 0755 authentik authentik"
|
|
"d /opt/authentik/templates 0755 authentik authentik"
|
|
];
|
|
users.groups.authentik = {};
|
|
users.users.authentik = {
|
|
group = "authentik";
|
|
isNormalUser = false;
|
|
isSystemUser = true;
|
|
};
|
|
};
|
|
}
|