nixos-config/hosts/nuc/modules/authentik/default.nix

{ config, ... }:
let
  domain = "auth.${config.networking.domain}";
in
{
  age.secrets.authentik-core = {
    file = ../../../../secrets/nuc/authentik/core.age;
  };
  age.secrets.authentik-ldap = {
    file = ../../../../secrets/nuc/authentik/ldap.age;
  };
  services.authentik = {
    enable = true;
    environmentFile = config.age.secrets.authentik-core.path;
    settings = {
      cert_discovery_dir = "env://CREDENTIALS_DIRECTORY";
    };
  };
  systemd.services.authentik-worker.serviceConfig.LoadCredential = [
    "${domain}.pem:/var/lib/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${domain}/${domain}.crt"
    "${domain}.key:/var/lib/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${domain}/${domain}.key"
  ];

  services.authentik-ldap = {
    enable = true;
    environmentFile = config.age.secrets.authentik-ldap.path;
  };
  services.caddy.virtualHosts."${domain}".extraConfig = ''
    reverse_proxy localhost:9000
  '';
  # open the firewall for proxy auth
  networking.firewall.allowedTCPPorts = [ 9000 ];
}
nuc: configure authentik 2024-05-20 12:19:05 +02:00			`{ config, ... }:`
			`let`
			`domain = "auth.${config.networking.domain}";`
			`in`
			`{`
nuc: add authentik-ldap 2024-05-23 09:25:08 +02:00			`age.secrets.authentik-core = {`
			`file = ../../../../secrets/nuc/authentik/core.age;`
			`};`
			`age.secrets.authentik-ldap = {`
			`file = ../../../../secrets/nuc/authentik/ldap.age;`
nuc: configure authentik 2024-05-20 12:19:05 +02:00			`};`
			`services.authentik = {`
			`enable = true;`
nuc: add authentik-ldap 2024-05-23 09:25:08 +02:00			`environmentFile = config.age.secrets.authentik-core.path;`
auth updates 2024-06-22 16:27:40 +02:00			`settings = {`
			`cert_discovery_dir = "env://CREDENTIALS_DIRECTORY";`
			`};`
nuc: add authentik-ldap 2024-05-23 09:25:08 +02:00			`};`
auth updates 2024-06-22 16:27:40 +02:00			`systemd.services.authentik-worker.serviceConfig.LoadCredential = [`
			`"${domain}.pem:/var/lib/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${domain}/${domain}.crt"`
			`"${domain}.key:/var/lib/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${domain}/${domain}.key"`
			`];`

nuc: add authentik-ldap 2024-05-23 09:25:08 +02:00			`services.authentik-ldap = {`
			`enable = true;`
			`environmentFile = config.age.secrets.authentik-ldap.path;`
nuc: configure authentik 2024-05-20 12:19:05 +02:00			`};`
nuc: switch to caddy 2024-05-21 18:44:04 +02:00			`services.caddy.virtualHosts."${domain}".extraConfig = ''`
			`reverse_proxy localhost:9000`
			`'';`
rspamd: authenticate via sso 2024-05-24 00:22:19 +02:00			`# open the firewall for proxy auth`
			`networking.firewall.allowedTCPPorts = [ 9000 ];`
nuc: configure authentik 2024-05-20 12:19:05 +02:00			`}`