153 lines
3.9 KiB
Nix
153 lines
3.9 KiB
Nix
{
|
|
lib,
|
|
config,
|
|
pkgs,
|
|
...
|
|
}:
|
|
let
|
|
cfg = config.my.services.authentik;
|
|
|
|
# https://github.com/goauthentik/authentik/issues/5440#issuecomment-1682856454
|
|
# Needed for Tailscale
|
|
rfc-7033 = pkgs.callPackage ../../packages/authentik-rfc7033/default.nix { };
|
|
in
|
|
{
|
|
|
|
options.my.services.authentik = {
|
|
enable = lib.mkEnableOption "Enable Authentik module";
|
|
|
|
envFile = lib.mkOption {
|
|
default = null;
|
|
type = lib.types.nullOr lib.types.path;
|
|
description = ''
|
|
The path to the env file
|
|
'';
|
|
};
|
|
|
|
email = {
|
|
host = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = "SMTP server host for Authentik.";
|
|
default = "smtp.example.com";
|
|
};
|
|
port = lib.mkOption {
|
|
type = lib.types.int;
|
|
description = "SMTP server port for Authentik.";
|
|
default = 587;
|
|
};
|
|
username = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = "SMTP username for Authentik.";
|
|
default = "authentik@example.com";
|
|
};
|
|
use_tls = lib.mkOption {
|
|
type = lib.types.bool;
|
|
description = "Use TLS for SMTP connection.";
|
|
default = true;
|
|
};
|
|
use_ssl = lib.mkOption {
|
|
type = lib.types.bool;
|
|
description = "Use SSL for SMTP connection.";
|
|
default = false;
|
|
};
|
|
from = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = "Email address to use in the From field.";
|
|
default = "authentik@example.com";
|
|
};
|
|
};
|
|
|
|
proxy = {
|
|
enable = lib.mkEnableOption "Set the proxy entry for this service";
|
|
|
|
domain = lib.mkOption {
|
|
default = "example.com";
|
|
type = lib.types.str;
|
|
description = ''
|
|
The domain where Caddy is reachable
|
|
'';
|
|
};
|
|
|
|
subdomain = lib.mkOption {
|
|
default = "auth";
|
|
type = lib.types.str;
|
|
description = ''
|
|
The subdomain where the service is reachable
|
|
'';
|
|
};
|
|
|
|
host = lib.mkOption {
|
|
default = "localhost";
|
|
type = lib.types.str;
|
|
description = ''
|
|
host name where the service is running
|
|
'';
|
|
};
|
|
|
|
};
|
|
};
|
|
|
|
config = lib.mkMerge [
|
|
(lib.mkIf cfg.enable {
|
|
|
|
services.authentik = {
|
|
enable = true;
|
|
environmentFile = cfg.envFile;
|
|
settings = {
|
|
email = cfg.email;
|
|
disable_startup_analytics = true;
|
|
avatars = "initials";
|
|
};
|
|
nginx = {
|
|
enable = true;
|
|
enableACME = false;
|
|
host = "${cfg.proxy.subdomain}.${cfg.proxy.domain}";
|
|
};
|
|
};
|
|
|
|
# Add your package to system packages
|
|
environment.systemPackages = [ rfc-7033 ];
|
|
|
|
# Systemd service configuration
|
|
systemd.services.authentik-rfc-7033 = {
|
|
description = "Pyhton webserver to implement RFC 7033";
|
|
wantedBy = [ "multi-user.target" ];
|
|
serviceConfig = {
|
|
ExecStart = "${pkgs.python3}/bin/python ${rfc-7033}/bin/rfc-7033.py";
|
|
Restart = "on-failure";
|
|
User = "nobody"; # Or specify a user
|
|
Group = "nogroup";
|
|
# Optional: Log output to journalctl
|
|
StandardOutput = "journal";
|
|
StandardError = "journal";
|
|
};
|
|
};
|
|
|
|
# Port 8000 is for RFC 7033
|
|
networking.firewall.allowedTCPPorts = [
|
|
8000
|
|
9000
|
|
];
|
|
|
|
})
|
|
|
|
(lib.mkIf cfg.proxy.enable {
|
|
services.caddy = with cfg.proxy; {
|
|
virtualHosts."${subdomain}.${domain}".extraConfig = ''
|
|
# Other reverse proxies go here
|
|
reverse_proxy http://${host}:9000
|
|
|
|
import cloudflare_${domain}
|
|
'';
|
|
virtualHosts."${domain}".extraConfig = ''
|
|
handle /.well-known/webfinger {
|
|
# This should point to the port that the Python script is running on, default is 8000
|
|
reverse_proxy http://${host}:8000
|
|
}
|
|
|
|
import cloudflare_${domain}
|
|
'';
|
|
};
|
|
})
|
|
];
|
|
}
|