pazpi/nix
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions

feat: add RFC 7033 support with new service and package

Browse source 
Python webserver to serve RFC7033 since Authentik does not support it.
This is needed for OICD login in Tailscale
This commit is contained in:
= 2025-02-09 00:27:36 +01:00
parent 8b72b206ce
commit f664873ced
3 changed files with 116 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

42
modules/services/authentik.nix
View file

@ -6,6 +6,10 @@
}:
let
cfg = config.my.services.authentik;
# https://github.com/goauthentik/authentik/issues/5440#issuecomment-1682856454
# Needed for Tailscale
rfc-7033 = pkgs.callPackage ../../packages/authentik-rfc7033/default.nix { };
in
{
@ -101,14 +105,48 @@ in
};
};
networking.firewall.allowedTCPPorts = [ 9000 ];
# Add your package to system packages
environment.systemPackages = [ rfc-7033 ];
# Systemd service configuration
systemd.services.authentik-rfc-7033 = {
description = "Pyhton webserver to implement RFC 7033";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${pkgs.python3}/bin/python ${rfc-7033}/bin/rfc-7033.py";
Restart = "on-failure";
User = "nobody"; # Or specify a user
Group = "nogroup";
# Optional: Log output to journalctl
StandardOutput = "journal";
StandardError = "journal";
};
};
# Port 8000 is for RFC 7033
networking.firewall.allowedTCPPorts = [
8000
9000
];
})
(lib.mkIf cfg.proxy.enable {
services.caddy = with cfg.proxy; {
virtualHosts."${subdomain}.${domain}".extraConfig = ''
reverse_proxy http://${host}:9000
# Other reverse proxies go here
handle {
reverse_proxy http://${host}:9000
}
import cloudflare_${domain}
'';
virtualHosts."${domain}".extraConfig = ''
handle /.well-known/webfinger {
# This should point to the port that the Python script is running on, default is 8000
reverse_proxy http://${host}:8000
}
import cloudflare_${domain}
'';
};