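# Authentik (identity provider) host module: server/worker, the LDAP outpost,
# secret bootstrap, and the nginx TLS front-end for auth.<domain>.
{ config, lib, pkgs, ... }:

let
  domain = config.networking.domain;
  # Location of the bootstrap secret written by authentik-secrets-generator.
  generatedSecretFile = "/var/lib/authentik_secret";
in
{
  ############################################################################
  # Users and groups
  ############################################################################

  users.groups.authentik = { };
  users.users.authentik = {
    isSystemUser = true;
    group = "authentik";
    # NOTE(review): membership in "docker" is effectively root-equivalent on
    # the host (access to the daemon socket). Keep it only if the worker really
    # manages outposts through the local daemon -- confirm before deploying.
    extraGroups = [ "docker" ];
  };

  users.groups.authentik-ldap = { };
  users.users.authentik-ldap = {
    isSystemUser = true;
    group = "authentik-ldap";
  };

  virtualisation.docker.enable = true;

  ############################################################################
  # Authentik server / worker
  ############################################################################

  services.authentik = {
    enable = true;
    # All runtime secrets (AUTHENTIK_SECRET_KEY, DB/SMTP credentials, ...)
    # come from sops. The file produced by authentik-secrets-generator below
    # is NOT referenced here.
    environmentFile = config.sops.secrets."auth/env-file".path;
    settings = {
      email = {
        host = "mail.${domain}";
        port = 25;
        username = "authentik@${domain}";
        # Plain SMTP without STARTTLS: the SMTP credentials travel
        # unencrypted, so this presumes mail.<domain> is reached over a
        # trusted path -- TODO confirm.
        use_tls = false;
        use_ssl = false;
        from = "authentik@${domain}";
      };
      disable_startup_analytics = true;
      avatars = "initials";
    };
  };

  ############################################################################
  # LDAP outpost
  ############################################################################

  services.authentik-ldap = {
    enable = true;
    environmentFile = config.sops.secrets."auth/ldap-env-file".path;
  };

  systemd.services = {
    # Run the outpost as the static user above rather than a DynamicUser, so
    # the sops-provided environment file can be made readable for exactly that
    # user (the secret's owner is expected to match; verify in the sops
    # module, it is not set here).
    authentik-ldap.serviceConfig = {
      DynamicUser = lib.mkForce false;
      User = "authentik-ldap";
    };

    # Synchronisation point only -- it runs no command of its own. It must be
    # a oneshot: a plain service without ExecStart= is refused by systemd, so
    # the Requires= from authentik-secrets-generator would point at a unit
    # that never loads.
    authentik-secrets-setup = {
      enable = true;
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
      };
    };

    # Bootstraps a random AUTHENTIK_SECRET_KEY.
    #  - Generated once and then kept: rewriting it on every start would
    #    invalidate all sessions and tokens derived from the key.
    #  - Written under umask 077: with the systemd default umask (0022) the
    #    redirect would create a world-readable secret.
    #  - oneshot + RemainAfterExit so units that Require it wait for the
    #    script to finish instead of a still-running "simple" service.
    authentik-secrets-generator = {
      enable = true;
      requiredBy = [
        "authentik-secrets-setup.service"
        "authentik-worker.service"
      ];
      before = [
        "authentik-secrets-setup.service"
        "authentik-worker.service"
      ];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
      };
      script = ''
        umask 077
        if [ ! -s ${generatedSecretFile} ]; then
          echo "AUTHENTIK_SECRET_KEY=$(${pkgs.openssl}/bin/openssl rand -hex 32)" > ${generatedSecretFile}
        fi
      '';
    };
  };

  ############################################################################
  # nginx reverse proxy (TLS termination via ACME)
  ############################################################################

  services.nginx = {
    enable = true;
    virtualHosts."auth.${domain}" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://localhost:9000";
        proxyWebsockets = true;
        # recommendedProxySettings already sets X-Forwarded-Proto and
        # X-Forwarded-For (alongside Host / X-Real-IP), so they are not
        # repeated in extraConfig: a second proxy_set_header for the same
        # name does not replace the first.
        recommendedProxySettings = true;
      };
    };
  };
}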