feat: authentik

hosts/m3-atlas/services/containers/authentik.nix

@@ -0,0 +1,67 @@
+{config, ...}: let
+  image = "ghcr.io/goauthentik/server:2026.2.0";
+
+  serverIp = "10.89.0.22";
+  workerIp = "10.89.0.23";
+
+  postgresHost = "10.89.0.1";
+  postgresPort = config.m3ta.ports.get "postgres";
+  authentikPort = config.m3ta.ports.get "authentik";
+
+  sharedEnv = {
+    AUTHENTIK_POSTGRESQL__HOST = postgresHost;
+    AUTHENTIK_POSTGRESQL__PORT = toString postgresPort;
+    AUTHENTIK_POSTGRESQL__USER = "authentik";
+    AUTHENTIK_POSTGRESQL__NAME = "authentik";
+  };
+in {
+  virtualisation.oci-containers.containers = {
+    "authentik-server" = {
+      inherit image;
+      cmd = ["server"];
+      environment = sharedEnv;
+      environmentFiles = [config.age.secrets.authentik-env.path];
+      ports = ["127.0.0.1:${toString authentikPort}:9000"];
+      volumes = [
+        "authentik_media:/media"
+        "authentik_templates:/templates"
+      ];
+      extraOptions = [
+        "--add-host=postgres:${postgresHost}"
+        "--ip=${serverIp}"
+        "--network=web"
+      ];
+    };
+
+    "authentik-worker" = {
+      inherit image;
+      cmd = ["worker"];
+      user = "root";
+      environment = sharedEnv;
+      environmentFiles = [config.age.secrets.authentik-env.path];
+      volumes = [
+        "authentik_media:/media"
+        "authentik_certs:/certs"
+        "authentik_templates:/templates"
+      ];
+      extraOptions = [
+        "--add-host=postgres:${postgresHost}"
+        "--ip=${workerIp}"
+        "--network=web"
+      ];
+    };
+  };
+
+  services.traefik.dynamicConfigOptions.http = {
+    services.authentik.loadBalancer.servers = [
+      {url = "http://localhost:${toString authentikPort}/";}
+    ];
+
+    routers.authentik = {
+      rule = "Host(`auth.m3ta.dev`)";
+      tls = {certResolver = "godaddy";};
+      service = "authentik";
+      entrypoints = "websecure";
+    };
+  };
+}