hosts/m3-atlas/services/containers/authentik.nix

{config, ...}: let
  image = "ghcr.io/goauthentik/server:2026.2.0";

  serverIp = "10.89.0.22";
  workerIp = "10.89.0.23";

  postgresHost = "10.89.0.1";
  postgresPort = config.m3ta.ports.get "postgres";
  authentikPort = config.m3ta.ports.get "authentik";

  sharedEnv = {
    AUTHENTIK_POSTGRESQL__HOST = postgresHost;
    AUTHENTIK_POSTGRESQL__PORT = toString postgresPort;
    AUTHENTIK_POSTGRESQL__USER = "authentik";
    AUTHENTIK_POSTGRESQL__NAME = "authentik";
  };
in {
  virtualisation.oci-containers.containers = {
    "authentik-server" = {
      inherit image;
      cmd = ["server"];
      environment = sharedEnv;
      environmentFiles = [config.age.secrets.authentik-env.path];
      ports = ["127.0.0.1:${toString authentikPort}:9000"];
      volumes = [
        "authentik_media:/media"
        "authentik_templates:/templates"
      ];
      extraOptions = [
        "--add-host=postgres:${postgresHost}"
        "--ip=${serverIp}"
        "--network=web"
      ];
    };

    "authentik-worker" = {
      inherit image;
      cmd = ["worker"];
      user = "root";
      environment = sharedEnv;
      environmentFiles = [config.age.secrets.authentik-env.path];
      volumes = [
        "authentik_media:/media"
        "authentik_certs:/certs"
        "authentik_templates:/templates"
      ];
      extraOptions = [
        "--add-host=postgres:${postgresHost}"
        "--ip=${workerIp}"
        "--network=web"
      ];
    };
  };

  services.traefik.dynamicConfigOptions.http = {
    services.authentik.loadBalancer.servers = [
      {url = "http://localhost:${toString authentikPort}/";}
    ];

    routers.authentik = {
      rule = "Host(`auth.m3ta.dev`)";
      tls = {certResolver = "godaddy";};
      service = "authentik";
      entrypoints = "websecure";
    };
  };
}
feat: authentik 2026-02-28 10:06:42 +01:00			`{config, ...}: let`
			`image = "ghcr.io/goauthentik/server:2026.2.0";`

			`serverIp = "10.89.0.22";`
			`workerIp = "10.89.0.23";`

			`postgresHost = "10.89.0.1";`
			`postgresPort = config.m3ta.ports.get "postgres";`
			`authentikPort = config.m3ta.ports.get "authentik";`

			`sharedEnv = {`
			`AUTHENTIK_POSTGRESQL__HOST = postgresHost;`
			`AUTHENTIK_POSTGRESQL__PORT = toString postgresPort;`
			`AUTHENTIK_POSTGRESQL__USER = "authentik";`
			`AUTHENTIK_POSTGRESQL__NAME = "authentik";`
			`};`
			`in {`
			`virtualisation.oci-containers.containers = {`
			`"authentik-server" = {`
			`inherit image;`
			`cmd = ["server"];`
			`environment = sharedEnv;`
			`environmentFiles = [config.age.secrets.authentik-env.path];`
			`ports = ["127.0.0.1:${toString authentikPort}:9000"];`
			`volumes = [`
			`"authentik_media:/media"`
			`"authentik_templates:/templates"`
			`];`
			`extraOptions = [`
			`"--add-host=postgres:${postgresHost}"`
			`"--ip=${serverIp}"`
			`"--network=web"`
			`];`
			`};`

			`"authentik-worker" = {`
			`inherit image;`
			`cmd = ["worker"];`
			`user = "root";`
			`environment = sharedEnv;`
			`environmentFiles = [config.age.secrets.authentik-env.path];`
			`volumes = [`
			`"authentik_media:/media"`
			`"authentik_certs:/certs"`
			`"authentik_templates:/templates"`
			`];`
			`extraOptions = [`
			`"--add-host=postgres:${postgresHost}"`
			`"--ip=${workerIp}"`
			`"--network=web"`
			`];`
			`};`
			`};`

			`services.traefik.dynamicConfigOptions.http = {`
			`services.authentik.loadBalancer.servers = [`
			`{url = "http://localhost:${toString authentikPort}/";}`
			`];`

			`routers.authentik = {`
			rule = "Host(`auth.m3ta.dev`)";
			`tls = {certResolver = "godaddy";};`
			`service = "authentik";`
			`entrypoints = "websecure";`
			`};`
			`};`
			`}`