StuRa/stura-infra
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
stura-infra/hosts/auth/authentik.nix
goeranh e3a9a391c2
use secret files
2026-03-21 18:04:08 +01:00

84 lines
2 KiB
Nix
Raw Blame History

{
config,
lib,
pkgs,
...
}:
{
users.groups.authentik = { };
users.users.authentik = {
isSystemUser = true;
extraGroups = [ "docker" ];
group = "authentik";
};
virtualisation.docker.enable = true;
systemd.services = {
authentik-secrets-setup = {
enable = true;
};
};
users.groups.authentik-ldap = {};
users.users.authentik-ldap = {
isSystemUser = true;
group = "authentik-ldap";
};
systemd.services.authentik-ldap.serviceConfig = {
DynamicUser = lib.mkForce false;
User = "authentik-ldap";
};
services.authentik-ldap = {
enable = true;
environmentFile = config.sops.secrets."auth/ldap-env-file".path;
# environmentFile = "/var/lib/authentik-ldap-env";
};
services.authentik = {
enable = true;
# environmentFile = "/var/lib/authentik_secret";
environmentFile = config.sops.secrets."auth/env-file".path;
settings = {
email = {
host = "mail.${config.networking.domain}";
port = 25;
username = "authentik@${config.networking.domain}";
use_tls = false;
use_ssl = false;
from = "authentik@${config.networking.domain}";
};
disable_startup_analytics = true;
avatars = "initials";
};
};
systemd.services.authentik-secrets-generator = {
enable = true;
requiredBy = [
"authentik-secrets-setup.service"
"authentik-worker.service"
];
script = ''
echo "AUTHENTIK_SECRET_KEY=$(${pkgs.openssl}/bin/openssl rand -hex 32)" > /var/lib/authentik_secret
'';
};
services.nginx = {
enable = true;
virtualHosts = {
"auth.${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:9000";
proxyWebsockets = true;
recommendedProxySettings = true;
extraConfig = ''
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
'';
};
};
};
};
}
Reference in a new issue View git blame Copy permalink