# NixOS module: runs an authentik deployment (server, worker, LDAP outpost,
# PostgreSQL, Redict) as OCI containers on a shared `authentik` container
# network. Site-specific values (published web port, public hostname) are
# read from the flake's service data; secrets come from an agenix env file.
{
  config,
  self,
  ...
}:
let
  # Service record for authentik; only d.port (host port for the web
  # listener) and d.extUrl (public hostname) are read below.
  d = self.lib.data.services.authentik;
in
{
  virtualisation.oci-containers.containers =
    let
      # Upstream tag pinned once so server, worker and ldap never drift apart.
      authentikVersion = "2025.4";

      # Options shared by every container: the decrypted secret env file and
      # membership of the `authentik` container network.
      # NOTE(review): `base` is also the basis of authentik-db, so the
      # Postgres container receives every variable in the env file (SMTP
      # credentials etc., if present) — confirm that is intended; a narrower
      # env file for the database would follow least privilege.
      base = {
        environmentFiles = [ config.age.secrets.authentik-env.path ];
        extraOptions = [ "--network=authentik" ];
      };

      # Common settings for the server and worker images.
      authentikBase = base // {
        image = "ghcr.io/goauthentik/server:${authentikVersion}";
        environment = {
          # Cache/broker: the authentik-redict container defined below.
          AUTHENTIK_REDIS__HOST = "authentik-redict";

          # Postgres Settings (must agree with the authentik-db container below)
          AUTHENTIK_POSTGRESQL__HOST = "authentik-db";
          AUTHENTIK_POSTGRESQL__PORT = "5432";
          AUTHENTIK_POSTGRESQL__USER = "authentik";
          AUTHENTIK_POSTGRESQL__NAME = "authentik";
          # NOTE(review): in Nix, "\${PG_PASS}" is the literal text ${PG_PASS}.
          # The oci-containers module passes environment values shell-quoted,
          # so this most likely reaches the container unexpanded instead of
          # resolving to a value from the env file — confirm. If so, the DB
          # password is a fixed, guessable string (it works only because
          # authentik-db sets the same literal). authentik accepts
          # `env://NAME` / `file://PATH` references for config values and the
          # postgres image accepts POSTGRES_PASSWORD_FILE, which would let the
          # real secret be used on both sides.
          AUTHENTIK_POSTGRESQL__PASSWORD = "\${PG_PASS}";

          # Disable error reporting (no telemetry leaves the host)
          AUTHENTIK_ERROR_REPORTING__ENABLED = "false";

          # Avatars are an attribute based on an uploaded file
          AUTHENTIK_AVATARS = "attributes.user.avatar";

          # Email Settings
          # NOTE(review): port 465 is conventionally implicit TLS (SMTPS),
          # while USE_TLS in authentik (Django semantics) means STARTTLS on a
          # plaintext connection; implicit TLS is AUTHENTIK_EMAIL__USE_SSL.
          # Verify that mail actually sends; if the server speaks SMTPS on
          # 465, USE_SSL is the matching option. The SMTP password is
          # presumably supplied via the env file (AUTHENTIK_EMAIL__PASSWORD).
          AUTHENTIK_EMAIL__HOST = "mail.pyrox.dev";
          AUTHENTIK_EMAIL__USERNAME = "auth@pyrox.dev";
          AUTHENTIK_EMAIL__PORT = "465";
          AUTHENTIK_EMAIL__USE_TLS = "true";
          AUTHENTIK_EMAIL__FROM = "PyroServ Auth <auth@pyrox.dev>";
        };
      };

      # Persistent bind mounts shared by server and worker.
      authentikVols = [
        "/var/lib/authentik/media:/media"
        "/var/lib/authentik/templates:/templates"
      ];
    in
    {
      # Database; not published on the host, reachable only on the container
      # network. Credentials mirror the AUTHENTIK_POSTGRESQL__* settings above
      # (see the note there about the "\${PG_PASS}" literal).
      authentik-db = base // {
        image = "postgres:17-alpine";
        volumes = [ "/var/lib/authentik/db:/var/lib/postgresql/data" ];
        environment = {
          POSTGRES_PASSWORD = "\${PG_PASS}";
          POSTGRES_USER = "authentik";
          POSTGRES_DB = "authentik";
        };
      };

      # Cache/broker. No secrets or published ports: access control relies
      # entirely on the isolated container network.
      authentik-redict = {
        image = "registry.redict.io/redict:alpine";
        extraOptions = [ "--network=authentik" ];
      };

      # Web/API process.
      authentik-server = authentikBase // {
        cmd = [ "server" ];
        ports = [
          # HTTP listener, published on the host port from the service record.
          "${toString d.port}:9000"
          # HTTPS listener.
          "6943:9443"
          # Metrics listener (upstream default is 0.0.0.0:9300).
          # NOTE(review): no host address is given, so all three bind on every
          # host interface; if a local reverse proxy / scraper is the only
          # client, a `127.0.0.1:` prefix limits exposure — confirm against
          # the host firewall.
          "9301:9300"
        ];
        # Overrides the bundled stylesheet with a host-provided one.
        volumes = authentikVols ++ [ "/var/lib/authentik/custom.css:/web/dist/custom.css" ];
      };

      # Background task process; additionally mounts the certificate
      # directory (used by authentik's certificate discovery).
      authentik-worker = authentikBase // {
        cmd = [ "worker" ];
        volumes = authentikVols ++ [ "/var/lib/authentik/certs:/certs" ];
      };

      # LDAP outpost, published on the standard LDAP/LDAPS host ports.
      authentik-ldap = base // {
        image = "ghcr.io/goauthentik/ldap:${authentikVersion}";
        ports = [
          # NOTE(review): 389 is unencrypted LDAP on every host interface;
          # restrict it to trusted networks (or loopback) if only LDAPS is
          # needed externally — confirm against the host firewall.
          "389:3389"
          "636:6636"
        ];
        environment = {
          # The outpost reaches the server via the public URL; INSECURE=false
          # keeps TLS certificate validation on for that connection.
          AUTHENTIK_HOST = "https://${d.extUrl}";
          AUTHENTIK_INSECURE = "false";
        };
      };
    };

  # Decrypted env file consumed by the containers above. owner/group control
  # which host account may read the plaintext; the containers read it through
  # the service's --env-file option.
  age.secrets.authentik-env = {
    file = ./secrets/authentik-env.age;
    owner = "thehedgehog";
    group = "misc";
  };
}