# Authentik (identity provider) deployed as OCI containers: Postgres, Redict,
# the authentik server and worker, and the LDAP outpost, all attached to a
# private "authentik" container network. Shared secrets come from one
# age-encrypted env file. `pkgs` is part of the module signature but unused.
{
  config,
  lib,
  pkgs,
  ...
}:
let
  svc = lib.py.data.services.authentik;

  # Pinned to a minor release; the tag still moves with patch releases.
  # NOTE(review): for a reproducible pull, append a digest to the image
  # reference, e.g. "ghcr.io/goauthentik/server:2025.4@sha256:<DIGEST>"
  # (<DIGEST> is a placeholder).
  authentikVersion = "2025.4";

  # Every container joins the dedicated network, so the database and Redict
  # are only reachable by name from containers on that network.
  onAuthentikNetwork = {
    extraOptions = [ "--network=authentik" ];
  };

  # Containers that need the age-decrypted env file get it on top of the
  # network setting.
  withSecrets = onAuthentikNetwork // {
    environmentFiles = [ config.age.secrets.authentik-env.path ];
  };

  # Nix turns "\${PG_PASS}" into the literal text ${PG_PASS}; nothing in this
  # file expands it. NOTE(review): confirm what the containers actually
  # receive (the oci-containers module shell-quotes `-e` values, and neither
  # image is documented as expanding shell syntax). If both sides end up with
  # the literal text as the password, keep both password settings only in the
  # env file, which both containers already load.
  pgPassword = "\${PG_PASS}";

  # Connection settings for the authentik-db container below.
  postgresEnv = {
    AUTHENTIK_POSTGRESQL__HOST = "authentik-db";
    AUTHENTIK_POSTGRESQL__PORT = "5432";
    AUTHENTIK_POSTGRESQL__USER = "authentik";
    AUTHENTIK_POSTGRESQL__NAME = "authentik";
    AUTHENTIK_POSTGRESQL__PASSWORD = pgPassword;
  };

  # Outbound mail. 465 is the implicit-TLS submission port, while authentik's
  # AUTHENTIK_EMAIL__USE_TLS selects STARTTLS and AUTHENTIK_EMAIL__USE_SSL
  # selects implicit TLS. NOTE(review): confirm this combination against what
  # mail.pyrox.dev offers on 465.
  mailEnv = {
    AUTHENTIK_EMAIL__HOST = "mail.pyrox.dev";
    AUTHENTIK_EMAIL__USERNAME = "auth@pyrox.dev";
    AUTHENTIK_EMAIL__PORT = "465";
    AUTHENTIK_EMAIL__USE_TLS = "true";
    AUTHENTIK_EMAIL__FROM = "PyroServ Auth <auth@pyrox.dev>";
  };

  # Environment shared by the server and worker containers.
  authentikEnv =
    {
      AUTHENTIK_REDIS__HOST = "authentik-redict";
      # No crash/usage reports sent upstream.
      AUTHENTIK_ERROR_REPORTING__ENABLED = "false";
      # Avatars come from a user attribute that holds an uploaded file.
      AUTHENTIK_AVATARS = "attributes.user.avatar";
    }
    // postgresEnv
    // mailEnv;

  # Server and worker differ only in command, ports and extra mounts.
  mkAuthentik =
    extra:
    withSecrets
    // {
      image = "ghcr.io/goauthentik/server:${authentikVersion}";
      environment = authentikEnv;
    }
    // extra;

  # Bind mounts both the server and the worker need.
  sharedVolumes = [
    "/var/lib/authentik/media:/media"
    "/var/lib/authentik/templates:/templates"
  ];
in
{
  virtualisation.oci-containers.containers = {
    authentik-db = withSecrets // {
      # Mutable tag; see the digest note on authentikVersion.
      image = "postgres:17-alpine";
      volumes = [ "/var/lib/authentik/db:/var/lib/postgresql/data" ];
      environment = {
        POSTGRES_PASSWORD = pgPassword;
        POSTGRES_USER = "authentik";
        POSTGRES_DB = "authentik";
      };
    };

    # Redis-compatible cache; needs no env file. Nothing here configures
    # authentication for it, so it relies on the container network alone
    # for isolation.
    authentik-redict = onAuthentikNetwork // {
      image = "registry.redict.io/redict:alpine";
    };

    authentik-server = mkAuthentik {
      cmd = [ "server" ];
      # "HOST:CONTAINER" without an address binds every host interface.
      # NOTE(review): if a reverse proxy on this host fronts :9000, prefer
      # "127.0.0.1:${toString svc.port}:9000"; 9300 looks like the metrics
      # listener — confirm it should be reachable beyond localhost.
      ports = [
        "${toString svc.port}:9000"
        "6943:9443"
        "9301:9300"
      ];
      volumes = sharedVolumes ++ [ "/var/lib/authentik/custom.css:/web/dist/custom.css" ];
    };

    authentik-worker = mkAuthentik {
      cmd = [ "worker" ];
      volumes = sharedVolumes ++ [ "/var/lib/authentik/certs:/certs" ];
    };

    # LDAP outpost. 389 carries plaintext LDAP unless clients use STARTTLS;
    # 636 is LDAPS. Both bind every host interface — prefix an address if only
    # local consumers need them.
    authentik-ldap = withSecrets // {
      image = "ghcr.io/goauthentik/ldap:${authentikVersion}";
      ports = [
        "389:3389"
        "636:6636"
      ];
      environment = {
        AUTHENTIK_HOST = "https://${svc.extUrl}";
        # Keeps certificate validation on for the outpost -> server connection.
        AUTHENTIK_INSECURE = "false";
      };
    };
  };

  # Decrypted env file shared by the containers above. The container services
  # presumably run as root, so a non-root owner/group only widens who can read
  # the secrets. NOTE(review): confirm "thehedgehog"/"misc" actually need it.
  age.secrets.authentik-env = {
    file = ./secrets/authentik-env.age;
    owner = "thehedgehog";
    group = "misc";
  };
}