Infini-DL360/authentik: init with ldap

2025-01-15 23:25:36 -05:00 · 2025-01-15 23:25:36 -05:00 · eb1bfcf1f1
commit eb1bfcf1f1
parent a0b997ec31
7 changed files with 121 additions and 0 deletions
--- a/hosts/Infini-DL360/authentik.nix
+++ b/hosts/Infini-DL360/authentik.nix
@ -0,0 +1,50 @@
+{ config, common, secrets, ... }:
+let
+  domain = common.subdomain "auth";
+  ldap = common.subdomain "ldap";
+in
+{
+  services.authentik = {
+    enable = true;
+    environmentFile = secrets.authentik;
+    settings = {
+      email = with common.email; {
+        host = smtp.address;
+        port = smtp.STARTTLS;
+        username = outgoing;
+        from = withSubaddress "authentik";
+        use_tls = true;
+        use_ssl = false;
+      };
+      disable_startup_analytics = true;
+      cookie_domain = common.domain;
+    };
+
+    nginx = {
+      enable = true;
+      enableACME = true;
+      host = domain;
+    };
+  };
+
+  services.authentik-ldap = {
+    enable = true;
+    environmentFile = secrets.authentik-ldap;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 3389 6636 ];
+
+  security.acme.certs.${ldap} = {
+    group = "nginx";
+    webroot = null;
+  };
+
+  systemd.services.authentik-worker.serviceConfig.LoadCredential = [
+    "${ldap}.pem:${config.security.acme.certs.${ldap}.directory}/fullchain.pem"
+    "${ldap}.key:${config.security.acme.certs.${ldap}.directory}/key.pem"
+  ];
+
+  services.nginx.virtualHosts.${domain} = {
+    acmeRoot = null;
+  };
+}