diff --git a/module.nix b/module.nix
index 15e2966..c93f38a 100644
--- a/module.nix
+++ b/module.nix
@@ -13,6 +13,7 @@ let
 mkMerge;
 inherit (lib.options)
+ mdDoc
 mkEnableOption
 mkOption;
@@ -45,11 +46,48 @@ in
 type = types.bool;
 default = true;
 };
+
+ environmentFile = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ example = "/run/secrets/authentik/authentik-env";
+ description = mdDoc ''
+ Environment file as defined in {manpage}`systemd.exec(5)`.
+
+ Secrets may be passed to the service without adding them to the world-readable
+ /nix/store, by specifying the desied secrets as environment variables according
+ to the authentic documentation.
+
+ ```
+ # example content
+ AUTHENTIK_SECRET_KEY=
+ AUTHENTIK_EMAIL__PASSWORD=
+ ```
+ '';
+ };
 };
 # LDAP oupost
 authentik-ldap = {
 enable = mkEnableOption "authentik LDAP outpost";
+
+ environmentFile = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ example = "/run/secrets/authentik-ldap/authentik-ldap-env";
+ description = mdDoc ''
+ Environment file as defined in {manpage}`systemd.exec(5)`.
+
+ Secrets may be passed to the service without adding them to the world-readable
+ /nix/store, by specifying the desied secrets as environment variables according
+ to the authentic documentation.
+
+ ```
+ # example content
+ AUTHENTIK_TOKEN=
+ ```
+ '';
+ };
 };
 };
@@ -101,6 +139,7 @@ in
 DynamicUser = true;
 User = "authentik";
 ExecStart = "${cfg.authentikComponents.migrate}/bin/migrate.py";
+ EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
 };
 };
 authentik-worker = {
@@ -114,6 +153,7 @@ in
 User = "authentik";
 # TODO maybe make this configurable
 ExecStart = "${cfg.authentikComponents.celery}/bin/celery -A authentik.root.celery worker -Ofair --max-tasks-per-child=1 --autoscale 3,1 -E -B -s /tmp/celerybeat-schedule -Q authentik,authentik_scheduled,authentik_events";
+ EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
 };
 };
 authentik = {
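Review bot: Wrapping the new descriptions in `mdDoc` (the name added to the `inherit (lib.options)` list in the first hunk) may be unnecessary or even produce a deprecation warning depending on the nixpkgs the module targets, since markdown option descriptions became the default in recent releases and `lib.mdDoc` was deprecated afterwards. If the module is not pinned to an older nixpkgs, a plain `description = ''…'';` without the wrapper is the forward-compatible form and the `mdDoc` import can be dropped again. The `let` block this hunk touches starts before the hunk.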
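Review bot: The descriptions of both new `environmentFile` options contain typos that will be rendered into the manual: `desied` should be `desired`, and `the authentic documentation` should read `the authentik documentation`. Since the option exists specifically to keep secrets out of the world-readable store, the description should also state that the value must be a string path as in the `example` — a Nix path literal such as `./authentik.env` would be copied into /nix/store at evaluation time, which `types.path` does not prevent — and that the file can be root-owned with mode 0600 because it is read by the service manager before the privilege drop to the `DynamicUser`, not by the service user. The two option bodies differ only in `example` and the sample keys, so a small `let`-bound helper taking those two values would keep the wording consistent between the main service and the LDAP outpost.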
@@ -140,6 +180,7 @@ in
 WorkingDirectory = "%S/authentik";
 DynamicUser = true;
 ExecStart = "${cfg.authentikComponents.gopkgs}/bin/server";
+ EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
 };
 };
 };
@@ -163,6 +204,7 @@ in
 WorkingDirectory = "%t/authentik-ldap";
 DynamicUser = true;
 ExecStart = "${config.services.authentik.authentikComponents.gopkgs}/bin/ldap";
+ EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
 };
 };
 }))
diff --git a/test.nix b/test.nix
index fb0fee4..c465e12 100644
--- a/test.nix
+++ b/test.nix
@@ -2,8 +2,10 @@
 , nixosModules
 }:
 let
- # use a root-owned EnvironmentFile in production instead (systemd.services..serviceConfig.EnvironmentFile)
- authentiksecret = "thissecretwillbeinthenixstore";
+ # use a root-owned EnvironmentFile in production instead (services.authentik.environmentFile)
+ authentik-env = pkgs.writeText "authentik-test-secret-env" ''
+ AUTHENTIK_SECRET_KEY=thissecretwillbeinthenixstore
+ '';
 in
 pkgs.nixosTest {
 name = "authentik";
@@ -19,17 +21,10 @@ pkgs.nixosTest {
 "${pkgs.path}/nixos/tests/common/x11.nix"
 ];
- services.authentik.enable = true;
-
- systemd.services.authentik-migrate.serviceConfig.Environment = [
- "AUTHENTIK_SECRET_KEY=${authentiksecret}"
- ];
- systemd.services.authentik-worker.serviceConfig.Environment = [
- "AUTHENTIK_SECRET_KEY=${authentiksecret}"
- ];
- systemd.services.authentik.serviceConfig.Environment = [
- "AUTHENTIK_SECRET_KEY=${authentiksecret}"
- ];
+ services.authentik = {
+ enable = true;
+ environmentFile = authentik-env;
+ };
 services.xserver.enable = true;
 test-support.displayManager.auto.user = "alice";
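Review bot: The `EnvironmentFile` line added to the LDAP outpost service reads `cfg.environmentFile`, while the `ExecStart` two lines above reaches the main module's settings through `config.services.authentik.authentikComponents` rather than through `cfg`; which attribute set `cfg` is bound to in this scope — `services.authentik-ldap`, where the new option lives, or still `services.authentik` — cannot be seen in the hunk because the enclosing `let`/`mkIf` starts before it. If it is the latter, the outpost would silently load the main service's secrets file and `services.authentik-ldap.environmentFile` would never be consumed. Worth confirming the binding, or making it explicit with `EnvironmentFile = mkIf (config.services.authentik-ldap.environmentFile != null) [ config.services.authentik-ldap.environmentFile ];`.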
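Review bot: The rewritten test configuration exercises only `services.authentik.environmentFile`; nothing in the hunk hands an environment file to `services.authentik-ldap`, so the second new option and the LDAP outpost's `EnvironmentFile` wiring are not covered. If the outpost is not enabled elsewhere in this test (the `nodes` block continues outside the hunk), a second `pkgs.writeText` file containing an `AUTHENTIK_TOKEN=` placeholder passed as `services.authentik-ldap.environmentFile` would at least verify that the option evaluates and the unit starts. Note also that the deleted `systemd.services.*.serviceConfig.Environment` lines were the only place the secret was set per service, so the test now relies entirely on the module's new `mkIf` wiring to reach the migrate and worker units — which is the intended check, but it is worth stating in the test's comment.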