60 lines
1.4 KiB
Nix
60 lines
1.4 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
...
|
|
}:
|
|
{
|
|
users.groups.authentik = { };
|
|
users.users.authentik = {
|
|
isSystemUser = true;
|
|
extraGroups = [ "docker" ];
|
|
group = "authentik";
|
|
};
|
|
systemd.services = {
|
|
authentik-secrets-setup = {
|
|
enable = true;
|
|
};
|
|
};
|
|
services.authentik-ldap = {
|
|
enable = true;
|
|
environmentFile = "/var/lib/authentik-ldap-env";
|
|
};
|
|
services.authentik = {
|
|
enable = true;
|
|
# The environmentFile needs to be on the target host!
|
|
# Best use something like sops-nix or agenix to manage it
|
|
environmentFile = "/var/lib/authentik_secret";
|
|
settings = {
|
|
email = {
|
|
host = "mail.${config.networking.domain}";
|
|
port = 25;
|
|
username = "authentik@${config.networking.domain}";
|
|
use_tls = false;
|
|
use_ssl = false;
|
|
from = "authentik@${config.networking.domain}";
|
|
};
|
|
disable_startup_analytics = true;
|
|
avatars = "initials";
|
|
};
|
|
};
|
|
|
|
services.nginx = {
|
|
enable = true;
|
|
virtualHosts = {
|
|
"auth.${config.networking.domain}" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
locations."/" = {
|
|
proxyPass = "http://localhost:9000";
|
|
proxyWebsockets = true;
|
|
recommendedProxySettings = true;
|
|
extraConfig = ''
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
};
|
|
}
|