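# Arion (docker-compose via Nix) project for authentik: the HTTP server and the
# background worker share one image and one set of backend settings; redis and
# postgres sit on a private network that only the authentik containers join.
{pkgs, ...}: let
  authentikImage = "ghcr.io/goauthentik/server:2024.4.1";

  # Settings shared by the server and the worker. Both must point at the same
  # redis/postgres and read the same secrets file, otherwise they would behave
  # as two unrelated authentik instances; keeping them in one place makes that
  # invariant visible instead of relying on two copies staying in sync.
  authentikEnvironment = {
    AUTHENTIK_REDIS__HOST = "redis";
    AUTHENTIK_POSTGRESQL__HOST = "postgres";
    # Ships error reports (stack traces) to authentik's upstream error tracker;
    # set to "false" if such data must not leave the host.
    AUTHENTIK_ERROR_REPORTING__ENABLED = "true";
  };
  # Secrets (secret key, database credentials, ...) are read from a file that is
  # not part of the Nix expression, so they never land in the world-readable
  # Nix store.
  authentikEnvFile = ["/home/ghoscht/.docker/auth/authentik.env"];
  authentikDns = ["1.1.1.1"];
  # Wait for the backends to be *healthy*, not merely started.
  authentikDependsOn = {
    redis = {condition = "service_healthy";};
    postgres = {condition = "service_healthy";};
  };
  # Uploaded media and custom templates are shared between server and worker.
  authentikVolumes = [
    "/storage/dataset/docker/auth/authentik_media:/media"
    "/storage/dataset/docker/auth/authentik_custom_templates:/templates"
  ];

  # Both backends use the same healthcheck timing; only the probe differs.
  backendHealthcheck = test: {
    inherit test;
    start_period = "20s";
    interval = "30s";
    retries = 5;
    timeout = "5s";
  };
in {
  project.name = "auth";

  # "dmz" is created elsewhere (shared with the reverse proxy); "internal" is
  # private to this project and carries the redis/postgres traffic.
  networks.dmz = {
    name = "dmz";
    external = true;
  };
  networks.internal = {};

  services = {
    authentik.service = {
      image = authentikImage;
      container_name = "authentik";
      # Two Traefik routers with the same Host rule, one per TLS entrypoint
      # ("websecure" and "websecure-external"), each with its own service entry
      # on the container's HTTP port 9000. Which entrypoint is reachable from
      # where is decided in the Traefik configuration, not here.
      labels = {
        "traefik.enable" = "true";
        "traefik.http.services.authentik.loadbalancer.server.port" = "9000";
        "traefik.http.routers.authentik.service" = "authentik";
        "traefik.http.routers.authentik.rule" = "Host(`auth.ghoscht.com`)";
        "traefik.http.routers.authentik.entrypoints" = "websecure";
        "traefik.http.routers.authentik.tls" = "true";
        "traefik.http.routers.authentik.tls.certresolver" = "letsencrypt";
        "traefik.http.services.authentik-external.loadbalancer.server.port" = "9000";
        "traefik.http.routers.authentik-external.service" = "authentik-external";
        "traefik.http.routers.authentik-external.rule" = "Host(`auth.ghoscht.com`)";
        "traefik.http.routers.authentik-external.entrypoints" = "websecure-external";
        "traefik.http.routers.authentik-external.tls" = "true";
        "traefik.http.routers.authentik-external.tls.certresolver" = "letsencrypt";
      };
      command = "server";
      environment = authentikEnvironment;
      env_file = authentikEnvFile;
      dns = authentikDns;
      restart = "always";
      depends_on = authentikDependsOn;
      volumes = authentikVolumes;
      # The server is the only container on both networks: reachable from the
      # proxy via "dmz", talking to the backends via "internal".
      networks = ["dmz" "internal"];
    };

    worker.service = {
      image = authentikImage;
      command = "worker";
      environment = authentikEnvironment;
      env_file = authentikEnvFile;
      dns = authentikDns;
      depends_on = authentikDependsOn;
      # The Docker socket mount (plus user = "root" below) gives this container
      # control over the host's Docker daemon, i.e. effectively root on the
      # host. Presumably needed for Docker-managed outposts — confirm; if
      # outposts are not deployed that way, drop the mount and the root user.
      volumes = ["/var/run/docker.sock:/var/run/docker.sock"] ++ authentikVolumes;
      restart = "always";
      user = "root";
      networks = ["internal"];
    };

    redis.service = {
      image = "redis:7.2.4";
      # Snapshot to disk when at least 1 key changed in the last 60 seconds.
      # No password is set; the only thing keeping redis private is that it is
      # attached to "internal" alone and publishes no ports.
      command = "--save 60 1 --loglevel warning";
      healthcheck = backendHealthcheck ["CMD-SHELL" "redis-cli ping | grep PONG"];
      restart = "always";
      volumes = ["/storage/dataset/docker/auth/redis_data:/data"];
      networks = ["internal"];
    };

    postgres.service = {
      image = "postgres:12.18";
      restart = "always";
      # Database name and credentials come from a file outside the Nix store.
      env_file = ["/home/ghoscht/.docker/auth/postgres.env"];
      volumes = ["/storage/dataset/docker/auth/postgres_data:/var/lib/postgresql/data"];
      # "$$" is compose's escape for a literal "$", so the variables are
      # expanded inside the container from its own environment (the env_file
      # above), not on the host at compose time.
      healthcheck = backendHealthcheck ["CMD-SHELL" "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"];
      networks = ["internal"];
    };
  };
}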