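{pkgs, ...}: let
  # Pinned by tag only. A tag can be re-pointed upstream, so for a
  # reproducible, tamper-evident pull append the image digest as well
  # ("...server:2024.4.1@sha256:<digest>" -- placeholder, take it from the registry).
  authentikImage = "ghcr.io/goauthentik/server:2024.4.1";

  # Settings shared by the `server` and `worker` processes of the same
  # authentik deployment. Both must talk to the same Redis/PostgreSQL and read
  # the same secret material, so they are defined once here instead of being
  # repeated per service (the two copies previously had to be kept in sync by hand).
  authentikEnvironment = {
    AUTHENTIK_REDIS__HOST = "redis";
    AUTHENTIK_POSTGRESQL__HOST = "postgres";
    # Opt-in telemetry: unhandled errors are reported to authentik upstream.
    # Set to "false" if error payloads must not leave this host.
    AUTHENTIK_ERROR_REPORTING__ENABLED = "true";
  };

  # Secrets are deliberately kept out of this file and loaded from here into
  # both containers' environments. NOTE(review): presumably holds the secret
  # key and database credentials -- keep the file readable only by the
  # deploying user.
  authentikEnvFile = ["/home/ghoscht/.docker/auth/authentik.env"];

  # Persistent state shared by server and worker (uploaded media, custom templates).
  authentikVolumes = [
    "/storage/dataset/docker/auth/authentik_media:/media"
    "/storage/dataset/docker/auth/authentik_custom_templates:/templates"
  ];

  # Do not start until the datastores pass their health checks, so the first
  # boot/migration does not race the database.
  authentikDependsOn = {
    redis = {condition = "service_healthy";};
    postgres = {condition = "service_healthy";};
  };

  # Common health-check timing for both datastores.
  healthcheckTiming = {
    start_period = "20s";
    interval = "30s";
    retries = 5;
    timeout = "5s";
  };
in {
  project.name = "auth";

  # Pre-existing network shared with the reverse proxy; only the `server`
  # container joins it.
  networks.dmz = {
    name = "dmz";
    external = true;
  };
  # Private network for server <-> worker <-> datastore traffic.
  networks.internal = {};

  services = {
    authentik.service = {
      image = authentikImage;
      container_name = "authentik";
      # Two Traefik routers front the same backend (port 9000) on two
      # entrypoints; both require TLS via the `letsencrypt` resolver.
      labels = {
        "traefik.enable" = "true";

        "traefik.http.services.authentik.loadbalancer.server.port" = "9000";
        "traefik.http.routers.authentik.service" = "authentik";
        "traefik.http.routers.authentik.rule" = "Host(`auth.ghoscht.com`)";
        "traefik.http.routers.authentik.entrypoints" = "websecure";
        "traefik.http.routers.authentik.tls" = "true";
        "traefik.http.routers.authentik.tls.certresolver" = "letsencrypt";

        "traefik.http.services.authentik-external.loadbalancer.server.port" = "9000";
        "traefik.http.routers.authentik-external.service" = "authentik-external";
        "traefik.http.routers.authentik-external.rule" = "Host(`auth.ghoscht.com`)";
        "traefik.http.routers.authentik-external.entrypoints" = "websecure-external";
        "traefik.http.routers.authentik-external.tls" = "true";
        "traefik.http.routers.authentik-external.tls.certresolver" = "letsencrypt";
      };
      command = "server";
      environment = authentikEnvironment;
      env_file = authentikEnvFile;
      dns = ["1.1.1.1"];
      restart = "always";
      depends_on = authentikDependsOn;
      volumes = authentikVolumes;
      networks = [
        "dmz"
        "internal"
      ];
    };

    worker.service = {
      image = authentikImage;
      command = "worker";
      environment = authentikEnvironment;
      env_file = authentikEnvFile;
      dns = ["1.1.1.1"];
      depends_on = authentikDependsOn;
      # The Docker socket grants full control of the daemon, which is
      # host-root-equivalent, and the container runs as root to use it.
      # Treat a compromise of the worker as a compromise of the host; it is
      # intentionally kept off the `dmz` network and has no Traefik labels.
      volumes = ["/var/run/docker.sock:/var/run/docker.sock"] ++ authentikVolumes;
      restart = "always";
      user = "root";
      networks = ["internal"];
    };

    redis.service = {
      image = "redis:7.2.4";
      # Snapshot to disk every 60s if at least one key changed; quiet logging.
      command = "--save 60 1 --loglevel warning";
      healthcheck = {
        test = [
          "CMD-SHELL"
          "redis-cli ping | grep PONG"
        ];
      } // healthcheckTiming;
      restart = "always";
      volumes = ["/storage/dataset/docker/auth/redis_data:/data"];
      networks = ["internal"];
    };

    postgres.service = {
      # NOTE(review): the PostgreSQL 12 major line is at the end of its upstream
      # support window -- plan a major-version upgrade (dump/restore) rather than
      # only bumping the patch level.
      image = "postgres:12.18";
      restart = "always";
      # The health check reads POSTGRES_DB / POSTGRES_USER from the container
      # environment; they (and the password) are expected to come from this
      # file -- confirm against its contents.
      env_file = ["/home/ghoscht/.docker/auth/postgres.env"];
      volumes = ["/storage/dataset/docker/auth/postgres_data:/var/lib/postgresql/data"];
      healthcheck = {
        # `$$` escapes compose-level interpolation so the shell inside the
        # container expands the variables.
        test = [
          "CMD-SHELL"
          "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"
        ];
      } // healthcheckTiming;
      networks = ["internal"];
    };
  };
}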