nixos-config/modules/nixos/services/authentik.nix

{
  config,
  lib,
  inputs,
  secretsDir,
  ...
}:
let
  inherit (lib)
    mkEnableOption
    mkIf
    mkOption
    recursiveUpdate
    ;
  inherit (lib.types) bool str;

  cfg = config.ataraxia.services.authentik;
  nginx = config.ataraxia.services.nginx;
  domain = "auth.ataraxiadev.com";
in
{
  imports = [ inputs.ataraxiasjel-nur.nixosModules.authentik ];

  options.ataraxia.services.authentik = {
    enable = mkEnableOption "Enable authentik service";
    sopsDir = mkOption {
      type = str;
      default = config.networking.hostName;
      description = ''
        Name for sops secrets directory. Defaults to hostname.
      '';
    };
    nginxHost = mkOption {
      type = bool;
      default = config.ataraxia.services.nginx.enable;
      description = "Enable nginx vHost integration";
    };
  };

  config = mkIf cfg.enable {
    sops.secrets.authentik-env.sopsFile = secretsDir + /${cfg.sopsDir}/authentik.yaml;
    sops.secrets.authentik-ldap.sopsFile = secretsDir + /${cfg.sopsDir}/authentik.yaml;
    sops.secrets.authentik-env.restartUnits = [
      "authentik-server.service"
      "authentik-worker.service"
    ];
    sops.secrets.authentik-ldap.restartUnits = [ "authentik-ldap-outpost.service" ];

    backups.postgresql.authentik = { };

    services.authentik = {
      enable = true;
      logLevel = "info";
      listen.address = "127.0.0.1";
      listen.http = 9000;
      listen.https = 9443;
      environmentFile = config.sops.secrets.authentik-env.path;
      outposts.ldap = {
        enable = true;
        host = "https://${domain}";
        environmentFile = config.sops.secrets.authentik-ldap.path;
        listen.address = "127.0.0.1";
        listen.ldap = 3389;
        listen.ldaps = 6636;
      };
    };

    services.nginx.virtualHosts = mkIf cfg.nginxHost {
      ${domain} = recursiveUpdate nginx.defaultSettings {
        locations."/" = {
          proxyPass = "http://127.0.0.1:${toString config.services.authentik.listen.http}";
          proxyWebsockets = true;
        };
      };
    };
  };
}
feat: add authentik service 2025-07-08 20:08:11 +03:00			`{`
			`config,`
			`lib,`
			`inputs,`
			`secretsDir,`
			`...`
			`}:`
			`let`
feat: add nginx integration to some services 2025-07-10 18:36:59 +03:00			`inherit (lib)`
			`mkEnableOption`
			`mkIf`
			`mkOption`
			`recursiveUpdate`
			`;`
			`inherit (lib.types) bool str;`
feat: add authentik service 2025-07-08 20:08:11 +03:00
			`cfg = config.ataraxia.services.authentik;`
feat: add nginx integration to some services 2025-07-10 18:36:59 +03:00			`nginx = config.ataraxia.services.nginx;`
			`domain = "auth.ataraxiadev.com";`
feat: add authentik service 2025-07-08 20:08:11 +03:00			`in`
			`{`
			`imports = [ inputs.ataraxiasjel-nur.nixosModules.authentik ];`

			`options.ataraxia.services.authentik = {`
			`enable = mkEnableOption "Enable authentik service";`
			`sopsDir = mkOption {`
			`type = str;`
			`default = config.networking.hostName;`
			`description = ''`
			`Name for sops secrets directory. Defaults to hostname.`
			`'';`
			`};`
feat: add nginx integration to some services 2025-07-10 18:36:59 +03:00			`nginxHost = mkOption {`
			`type = bool;`
			`default = config.ataraxia.services.nginx.enable;`
			`description = "Enable nginx vHost integration";`
			`};`
feat: add authentik service 2025-07-08 20:08:11 +03:00			`};`

			`config = mkIf cfg.enable {`
			`sops.secrets.authentik-env.sopsFile = secretsDir + /${cfg.sopsDir}/authentik.yaml;`
			`sops.secrets.authentik-ldap.sopsFile = secretsDir + /${cfg.sopsDir}/authentik.yaml;`
			`sops.secrets.authentik-env.restartUnits = [`
			`"authentik-server.service"`
			`"authentik-worker.service"`
			`];`
			`sops.secrets.authentik-ldap.restartUnits = [ "authentik-ldap-outpost.service" ];`

			`backups.postgresql.authentik = { };`

			`services.authentik = {`
			`enable = true;`
			`logLevel = "info";`
			`listen.address = "127.0.0.1";`
			`listen.http = 9000;`
			`listen.https = 9443;`
			`environmentFile = config.sops.secrets.authentik-env.path;`
			`outposts.ldap = {`
			`enable = true;`
feat: add nginx integration to some services 2025-07-10 18:36:59 +03:00			`host = "https://${domain}";`
feat: add authentik service 2025-07-08 20:08:11 +03:00			`environmentFile = config.sops.secrets.authentik-ldap.path;`
			`listen.address = "127.0.0.1";`
			`listen.ldap = 3389;`
			`listen.ldaps = 6636;`
			`};`
			`};`
feat: add nginx integration to some services 2025-07-10 18:36:59 +03:00
			`services.nginx.virtualHosts = mkIf cfg.nginxHost {`
			`${domain} = recursiveUpdate nginx.defaultSettings {`
			`locations."/" = {`
			`proxyPass = "http://127.0.0.1:${toString config.services.authentik.listen.http}";`
			`proxyWebsockets = true;`
			`};`
			`};`
			`};`
feat: add authentik service 2025-07-08 20:08:11 +03:00			`};`
			`}`