From 0c6391c85e88ef8dd050bca811c1436d523b0fe3 Mon Sep 17 00:00:00 2001
From: Maximilian Bosch
Date: Wed, 17 Sep 2025 10:27:14 +0200
Subject: [PATCH] module: also use non-conflicting ports for other outposts

Incidentally I had parts of that already in my private config and immediately forgot. But now that we're at it, let's fix it up properly as well.
---
 module.nix | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)

diff --git a/module.nix b/module.nix
index 58cd60d..39620d0 100644
--- a/module.nix
+++ b/module.nix
@@ -128,6 +128,15 @@ in
 authentik-ldap = {
 enable = mkEnableOption "authentik LDAP outpost";

+ listenMetrics = mkOption {
+ type = types.str;
+ default = "[::1]:9302";
+ description = ''
+ Listen address for the metrics server of the LDAP outpost.
+ Overrides the default listen setting that's also used by the server.
+ '';
+ };
+
 environmentFile = mkOption {
 type = types.nullOr pathToSecret;
 default = null;
@@ -151,6 +160,31 @@ in
 authentik-proxy = {
 enable = mkEnableOption "authentik Proxy outpost";

+ listenMetrics = mkOption {
+ type = types.str;
+ default = "[::1]:9303";
+ description = ''
+ Listen address for the metrics server of the proxy outpost.
+ Overrides the default listen setting that's also used by the server.
+ '';
+ };
+ listenHTTPS = mkOption {
+ type = types.str;
+ default = "[::1]:9004";
+ description = ''
+ Listen address for the HTTPS server of the proxy outpost.
+ Overrides the default listen setting that's also used by the server.
+ '';
+ };
+ listenHTTP = mkOption {
+ type = types.str;
+ default = "[::1]:9005";
+ description = ''
+ Listen address for the HTTP server of the proxy outpost.
+ Overrides the default listen setting that's also used by the server.
+ '';
+ };
+
 environmentFile = mkOption {
 type = types.nullOr pathToSecret;
 default = null;
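Review bot: The `listenMetrics` description in the `authentik-ldap` options hunk (`@@ -128,6 +128,15 @@`) does not say that the default binds to IPv6 loopback only, nor what changing it implies. An operator who sets a wildcard address makes the outpost's metrics endpoint reachable from the network, so I would add a sentence such as `The default binds to IPv6 loopback only; use a non-loopback address only when the scraper runs on another host, and restrict access with the firewall.` The same gap is in the `listenMetrics` options of the proxy and RADIUS hunks. Since the type is plain `types.str`, a malformed address is presumably only noticed when the service fails to start; an `example` attribute would help here.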
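Review bot: `listenHTTP` and `listenHTTPS` in the `authentik-proxy` options hunk (`@@ -151,6 +160,31 @@`) default to `[::1]`, so with this change the proxy outpost accepts connections only from the local host unless the options are set. That is a reasonable least-exposure default, but the descriptions mention only the override and not the loopback binding, and for a deployment that reached the outpost directly on its previous listen address this looks like a behaviour change (the earlier address is not visible in the hunk). I would say so in the description, e.g. `Binds to loopback by default; a reverse proxy on the same host is expected to forward to this address.`, and mention it in the release notes.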
@@ -174,6 +208,15 @@ in
 authentik-radius = {
 enable = mkEnableOption "authentik RADIUS outpost";

+ listenMetrics = mkOption {
+ type = types.str;
+ default = "[::1]:9306";
+ description = ''
+ Listen address for the metrics server of the RADIUS outpost.
+ Overrides the default listen setting that's also used by the server.
+ '';
+ };
+
 environmentFile = mkOption {
 type = types.nullOr pathToSecret;
 default = null;
@@ -409,6 +452,7 @@ in
 "network-online.target"
 "authentik.service"
 ];
+ environment.AUTHENTIK_LISTEN__METRICS = cfg.listenMetrics;
 serviceConfig = {
 RuntimeDirectory = "authentik-ldap";
 UMask = "0027";
@@ -435,6 +479,11 @@ in
 "network-online.target"
 "authentik.service"
 ];
+ environment = {
+ AUTHENTIK_LISTEN__METRICS = cfg.listenMetrics;
+ AUTHENTIK_LISTEN__HTTP = cfg.listenHTTP;
+ AUTHENTIK_LISTEN__HTTPS = cfg.listenHTTPS;
+ };
 serviceConfig = {
 RuntimeDirectory = "authentik-proxy";
 UMask = "0027";
@@ -461,6 +510,7 @@ in
 "network-online.target"
 "authentik.service"
 ];
+ environment.AUTHENTIK_LISTEN__METRICS = cfg.listenMetrics;
 serviceConfig = {
 RuntimeDirectory = "authentik-radius";
 UMask = "0027";
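Review bot: In the `authentik-ldap` service hunk (`@@ -409,6 +452,7 @@`), `AUTHENTIK_LISTEN__METRICS` is set through `environment`, and systemd lets values from an `EnvironmentFile=` override those. If `environmentFile` is wired to `EnvironmentFile=` (not visible in this hunk), a secrets file that already carries an `AUTHENTIK_LISTEN__*` line keeps winning and `cfg.listenMetrics` silently has no effect, so the service may listen on an address other than the one the module configuration shows. The same applies to the proxy (`@@ -435,6 +479,11 @@`) and RADIUS (`@@ -461,6 +510,7 @@`) service hunks. A comment above the assignment would make the precedence explicit: `# NOTE: values in environmentFile take precedence over these listen settings`. The service definitions start and end outside the hunks.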