mirror of
https://git.sr.ht/~rouven/nixos-config
synced 2024-11-15 21:33:11 +01:00
34 lines
1 KiB
Nix
34 lines
1 KiB
Nix
{ config, ... }:
|
|
let
|
|
domain = "auth.${config.networking.domain}";
|
|
in
|
|
{
|
|
age.secrets.authentik-core = {
|
|
file = ../../../../secrets/nuc/authentik/core.age;
|
|
};
|
|
age.secrets.authentik-ldap = {
|
|
file = ../../../../secrets/nuc/authentik/ldap.age;
|
|
};
|
|
services.authentik = {
|
|
enable = true;
|
|
environmentFile = config.age.secrets.authentik-core.path;
|
|
settings = {
|
|
cert_discovery_dir = "env://CREDENTIALS_DIRECTORY";
|
|
};
|
|
};
|
|
systemd.services.authentik-worker.serviceConfig.LoadCredential = [
|
|
"${domain}.pem:/var/lib/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${domain}/${domain}.crt"
|
|
"${domain}.key:/var/lib/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${domain}/${domain}.key"
|
|
];
|
|
|
|
services.authentik-ldap = {
|
|
enable = true;
|
|
environmentFile = config.age.secrets.authentik-ldap.path;
|
|
};
|
|
services.caddy.virtualHosts."${domain}".extraConfig = ''
|
|
reverse_proxy localhost:9000
|
|
'';
|
|
# open the firewall for proxy auth
|
|
networking.firewall.allowedTCPPorts = [ 9000 ];
|
|
}
|