nix-home/modules/cloud/authentik/default.nix

{ pkgs, config, lib, ... }:

with lib;
let
  cfg = config.cloud.authentik;

  mkImage =
    { imageName, imageDigest, ... }: "${imageName}@${imageDigest}";
  # If we can pullImage we can just do
  # mkImage = pkgs.dockerTools.pullImage;

  images = {
    postgresql = mkImage {
      imageName = "postgres";
      finalImageTag = "12-alpine";
      imageDigest = "sha256:f52ffee699232c84d820c35c28656363f4fda6a3e3e934b83f4e5e1898e2bdfa";
    };
    redis = mkImage {
      imageName = "redis";
      finalImageTag = "alpine";
      imageDigest = "sha256:a5481d685c31d0078b319e39639cb4f5c2c9cf4ebfca1ef888f4327be9bcc5a7";
    };
    authentik = mkImage {
      imageName = "ghcr.io/goauthentik/server";
      finalImageTag = "2023.4.1";
      imageDigest = "sha256:96c9f29247a270524056aff59f1bcb7118ef51d14b334b67ab2b75e8df30e829";
    };
  };
  authentikEnv = pkgs.writeText "authentik.env" ''
    AUTHENTIK_POSTGRESQL__PASSWORD=''${PG_PASS}
  '';
  postgresEnv = pkgs.writeText "postgres.env" ''
    POSTGRES_PASSWORD=''${PG_PASS:?database password required}
  '';
in
{
  options.cloud.authentik = {
    enable = mkEnableOption "Enable authentik OAuth server";
    envFile = mkOption {
      type = types.path;
      description = "Path to an environment file that specifies PG_PASS and AUTHENTIK_SECRET_KEY";
    };
    port = mkOption {
      type = types.int;
      description = "Exposed port";
      default = 9480;
    };
  };

  config = mkIf cfg.enable {
    systemd.services.arion-authentik.serviceConfig.EnvironmentFile = cfg.envFile;
    virtualisation.arion.projects.authentik.settings = {
      services.postgresql.service = {
        image = images.postgresql;
        restart = "unless-stopped";
        healthcheck = {
          test = [ "CMD-SHELL" "pg_isready -d $\${POSTGRES_DB} -U $\${POSTGRES_USER}" ];
          start_period = "20s";
          interval = "30s";
          retries = 5;
          timeout = "5s";
        };
        volumes = [ "database:/var/lib/postgresql/data" ];
        environment = {
          POSTGRES_USER = "authentik";
          POSTGRES_DB = "authentik";
        };
        env_file = [ cfg.envFile "${postgresEnv}" ];
      };
      services.redis.service = {
        image = images.redis;
        command = "--save 60 1 --loglevel warning";
        restart = "unless-stopped";
        healthcheck = {
          test = [ "CMD-SHELL" "redis-cli ping | grep PONG" ];
          start_period = "20s";
          interval = "30s";
          retries = 5;
          timeout = "3s";
        };
        volumes = [ "redis:/data" ];
      };
      services.server.service = {
        image = images.authentik;
        command = "server";
        restart = "unless-stopped";
        volumes = [
          "/var/lib/authentik/media:/media"
          "/var/lib/authentik/custom-templates:/templates"
        ];
        environment = {
          AUTHENTIK_REDIS__HOST = "redis";
          AUTHENTIK_POSTGRESQL__HOST = "postgresql";
          AUTHENTIK_POSTGRESQL__USER = "authentik";
          AUTHENTIK_POSTGRESQL__NAME = "authentik";
        };
        env_file = [ cfg.envFile "${authentikEnv}" ];
        ports = [
          "${toString cfg.port}:9000"
        ];
      };
      services.worker.service = {
        image = images.authentik;
        command = "worker";
        restart = "unless-stopped";
        volumes = [
          "/var/run/docker.sock:/var/run/docker.sock"
          "/var/lib/authentik/media:/media"
          "/var/lib/authentik/custom-templates:/templates"
          "/var/lib/authentik/certs:/certs"
        ];
        environment = {
          AUTHENTIK_REDIS__HOST = "redis";
          AUTHENTIK_POSTGRESQL__HOST = "postgresql";
          AUTHENTIK_POSTGRESQL__USER = "authentik";
          AUTHENTIK_POSTGRESQL__NAME = "authentik";
        };
        env_file = [ cfg.envFile "${authentikEnv}" ];
      };
      docker-compose.volumes = {
        database.driver = "local";
        redis.driver = "local";
      };
    };
  };
}
Move authentik to nix!! 2023-04-26 21:23:28 +00:00			`{ pkgs, config, lib, ... }:`

			`with lib;`
			`let`
			`cfg = config.cloud.authentik;`

			`mkImage =`
			`{ imageName, imageDigest, ... }: "${imageName}@${imageDigest}";`
			`# If we can pullImage we can just do`
			`# mkImage = pkgs.dockerTools.pullImage;`

			`images = {`
			`postgresql = mkImage {`
			`imageName = "postgres";`
			`finalImageTag = "12-alpine";`
			`imageDigest = "sha256:f52ffee699232c84d820c35c28656363f4fda6a3e3e934b83f4e5e1898e2bdfa";`
			`};`
			`redis = mkImage {`
			`imageName = "redis";`
			`finalImageTag = "alpine";`
			`imageDigest = "sha256:a5481d685c31d0078b319e39639cb4f5c2c9cf4ebfca1ef888f4327be9bcc5a7";`
			`};`
			`authentik = mkImage {`
			`imageName = "ghcr.io/goauthentik/server";`
			`finalImageTag = "2023.4.1";`
			`imageDigest = "sha256:96c9f29247a270524056aff59f1bcb7118ef51d14b334b67ab2b75e8df30e829";`
			`};`
			`};`
			`authentikEnv = pkgs.writeText "authentik.env" ''`
			`AUTHENTIK_POSTGRESQL__PASSWORD=''${PG_PASS}`
			`'';`
			`postgresEnv = pkgs.writeText "postgres.env" ''`
			`POSTGRES_PASSWORD=''${PG_PASS:?database password required}`
			`'';`
			`in`
			`{`
			`options.cloud.authentik = {`
			`enable = mkEnableOption "Enable authentik OAuth server";`
			`envFile = mkOption {`
			`type = types.path;`
			`description = "Path to an environment file that specifies PG_PASS and AUTHENTIK_SECRET_KEY";`
			`};`
			`port = mkOption {`
			`type = types.int;`
			`description = "Exposed port";`
			`default = 9480;`
			`};`
			`};`

			`config = mkIf cfg.enable {`
			`systemd.services.arion-authentik.serviceConfig.EnvironmentFile = cfg.envFile;`
			`virtualisation.arion.projects.authentik.settings = {`
			`services.postgresql.service = {`
			`image = images.postgresql;`
			`restart = "unless-stopped";`
			`healthcheck = {`
			`test = [ "CMD-SHELL" "pg_isready -d $\${POSTGRES_DB} -U $\${POSTGRES_USER}" ];`
			`start_period = "20s";`
			`interval = "30s";`
			`retries = 5;`
			`timeout = "5s";`
			`};`
			`volumes = [ "database:/var/lib/postgresql/data" ];`
			`environment = {`
			`POSTGRES_USER = "authentik";`
			`POSTGRES_DB = "authentik";`
			`};`
			`env_file = [ cfg.envFile "${postgresEnv}" ];`
			`};`
			`services.redis.service = {`
			`image = images.redis;`
			`command = "--save 60 1 --loglevel warning";`
			`restart = "unless-stopped";`
			`healthcheck = {`
			`test = [ "CMD-SHELL" "redis-cli ping \| grep PONG" ];`
			`start_period = "20s";`
			`interval = "30s";`
			`retries = 5;`
			`timeout = "3s";`
			`};`
			`volumes = [ "redis:/data" ];`
			`};`
			`services.server.service = {`
			`image = images.authentik;`
			`command = "server";`
			`restart = "unless-stopped";`
			`volumes = [`
			`"/var/lib/authentik/media:/media"`
			`"/var/lib/authentik/custom-templates:/templates"`
			`];`
			`environment = {`
			`AUTHENTIK_REDIS__HOST = "redis";`
			`AUTHENTIK_POSTGRESQL__HOST = "postgresql";`
			`AUTHENTIK_POSTGRESQL__USER = "authentik";`
			`AUTHENTIK_POSTGRESQL__NAME = "authentik";`
			`};`
			`env_file = [ cfg.envFile "${authentikEnv}" ];`
			`ports = [`
			`"${toString cfg.port}:9000"`
			`];`
			`};`
			`services.worker.service = {`
			`image = images.authentik;`
			`command = "worker";`
			`restart = "unless-stopped";`
			`volumes = [`
			`"/var/run/docker.sock:/var/run/docker.sock"`
			`"/var/lib/authentik/media:/media"`
			`"/var/lib/authentik/custom-templates:/templates"`
			`"/var/lib/authentik/certs:/certs"`
			`];`
			`environment = {`
			`AUTHENTIK_REDIS__HOST = "redis";`
			`AUTHENTIK_POSTGRESQL__HOST = "postgresql";`
			`AUTHENTIK_POSTGRESQL__USER = "authentik";`
			`AUTHENTIK_POSTGRESQL__NAME = "authentik";`
			`};`
			`env_file = [ cfg.envFile "${authentikEnv}" ];`
			`};`
			`docker-compose.volumes = {`
			`database.driver = "local";`
			`redis.driver = "local";`
			`};`
			`};`
			`};`
			`}`