65 lines
1.5 KiB
Nix
65 lines
1.5 KiB
Nix
{
|
|
pkgs,
|
|
common,
|
|
secrets,
|
|
inputs,
|
|
...
|
|
}:
|
|
let
|
|
domain = common.subdomain "auth";
|
|
ldap = common.subdomain "ldap";
|
|
|
|
authentikScope = (inputs.authentik-nix.lib.mkAuthentikScope { inherit pkgs; }).overrideScope (
|
|
final: prev: {
|
|
authentikComponents = prev.authentikComponents // {
|
|
docs = prev.authentikComponents.docs.overrideAttrs {
|
|
dontCheckForBrokenSymlinks = true;
|
|
};
|
|
};
|
|
}
|
|
);
|
|
in
|
|
{
|
|
services.authentik = {
|
|
enable = true;
|
|
inherit (authentikScope) authentikComponents;
|
|
environmentFile = secrets.authentik;
|
|
settings = {
|
|
email = with common.email; {
|
|
host = smtp.address;
|
|
port = smtp.STARTTLS;
|
|
username = outgoing;
|
|
from = withSubaddress "authentik";
|
|
use_tls = true;
|
|
use_ssl = false;
|
|
};
|
|
disable_startup_analytics = true;
|
|
cookie_domain = common.domain;
|
|
};
|
|
|
|
nginx = {
|
|
enable = true;
|
|
enableACME = true;
|
|
host = domain;
|
|
};
|
|
};
|
|
|
|
services.authentik-ldap = {
|
|
enable = true;
|
|
environmentFile = secrets.authentik-ldap;
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [
|
|
3389 # <- 389 port forwarded, LDAP
|
|
6636 # <- 636 port forwarded, LDAPS
|
|
];
|
|
|
|
systemd.services.authentik-worker.serviceConfig.LoadCredential = [
|
|
"${ldap}.pem:/etc/secrets/ssl/ldap.inx.moe/fullchain.pem"
|
|
"${ldap}.key:/etc/secrets/ssl/ldap.inx.moe/key.pem"
|
|
];
|
|
|
|
services.nginx.virtualHosts.${domain} = {
|
|
acmeRoot = null;
|
|
};
|
|
}
|