diff --git a/module.nix b/module.nix
index 420308f..53dd5a5 100644
--- a/module.nix
+++ b/module.nix
@@ -35,6 +35,11 @@ in
 options = {};
 };
 };
+
+ createDatabase = mkOption {
+ type = types.bool;
+ default = true;
+ };
 };
 config = mkIf cfg.enable {
@@ -42,6 +47,11 @@ in
 authentik.settings = {
 blueprints_dir = mkDefault "${pkgs.authentik.staticWorkdirDeps}/blueprints";
 template_dir = mkDefault "${pkgs.authentik.staticWorkdirDeps}/templates";
+ postgresql = {
+ user = mkDefault "authentik";
+ name = mkDefault "authentik";
+ host = mkDefault "";
+ };
 };
 redis.servers.authentik = {
 enable = true;
@@ -50,6 +60,10 @@ in
 postgresql = {
 enable = true;
 package = pkgs.postgresql_14;
+ ensureDatabases = mkIf cfg.createDatabase [ "authentik" ];
+ ensureUsers = mkIf cfg.createDatabase [
+ { name = "authentik"; ensurePermissions."DATABASE authentik" = "ALL PRIVILEGES"; }
+ ];
 };
 };
@@ -67,11 +81,8 @@ in
 serviceConfig = {
 Type = "oneshot";
 RemainAfterExit = true;
- Environment = [
- "AUTHENTIK_POSTGRESQL__USER=authentik"
- "AUTHENTIK_POSTGRESQL__NAME=authentik"
- ];
 DynamicUser = true;
+ User = "authentik";
 ExecStart = "${pkgs.authentik.migrate}/bin/migrate.py";
 };
 };
@@ -79,13 +90,10 @@ in
 requiredBy = [ "authentik.service" ];
 before = [ "authentik.service" ];
 serviceConfig = {
- Environment = [
- "AUTHENTIK_POSTGRESQL__USER=authentik"
- "AUTHENTIK_POSTGRESQL__NAME=authentik"
- ];
 RuntimeDirectory = "authentik";
 WorkingDirectory = "%t/authentik";
 DynamicUser = true;
+ User = "authentik"; # TODO maybe make this configurable
 ExecStart = "${pkgs.authentik.celery}/bin/celery -A authentik.root.celery worker -Ofair --max-tasks-per-child=1 --autoscale 3,1 -E -B -s /tmp/celerybeat-schedule -Q authentik,authentik_scheduled,authentik_events";
 };
diff --git a/test.nix b/test.nix
index c5385db..900b14c 100644
--- a/test.nix
+++ b/test.nix
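Review bot: The new `createDatabase` option in the first hunk has no `description`, so option docs and `nixos-option` say nothing about what it provisions or what an operator has to do when it is off. It also only guards `ensureDatabases`/`ensureUsers` (third hunk) while `services.postgresql.enable = true` stays unconditional and `settings.postgresql.host` defaults to `""` (second hunk), so turning it off still starts a local PostgreSQL and leaves the services pointed at its socket. Suggest `description = "Whether to create the authentik database and role on the local PostgreSQL server; when false, set settings.postgresql.* and supply credentials yourself.";`, and consider whether `services.postgresql.enable` should follow the same flag if an external database is the intended use case. The `options` attrset this hunk extends starts outside the hunk.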
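Review bot: In the third hunk the database and role names are hard-coded as the literal `"authentik"` in `ensureDatabases`, `ensureUsers` and the `ensurePermissions` key, while `settings.postgresql.name`/`user` in the second hunk are only `mkDefault`s, so an operator who overrides either ends up with a database and an `ALL PRIVILEGES` role that authentik never connects to. Deriving the literals from the settings keeps them in sync, e.g. `ensureDatabases = mkIf cfg.createDatabase [ cfg.settings.postgresql.name ];` (assuming `cfg` is `config.services.authentik` and `settings` is a typed option). Separately, `ALL PRIVILEGES` on the database is sufficient for the pinned `postgresql_14`, but from PostgreSQL 15 the public schema is no longer writable by non-owners, so a package bump would break migrations unless the role owns the database; newer NixOS offers `ensureDBOwnership` for exactly that.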
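Review bot: `User = "authentik"` in the last hunk (and the same line in the migrate unit in the previous hunk) now effectively is the database credential: with `host = ""` the connection goes over the Unix socket, where NixOS's default `pg_hba` (if not overridden) uses peer authentication, so the OS account name must equal the PostgreSQL role. The `TODO maybe make this configurable` therefore cannot be done independently of `settings.postgresql.user`, and a mismatch only shows up at runtime; the comment should state the coupling, e.g. `# must match settings.postgresql.user: peer auth over the socket maps the OS user to the DB role`. `authentik.service` itself is not touched by the diff; with `DynamicUser = true` and no `User=`, systemd derives the name `authentik` from the unit name, so it should still match, but setting it explicitly like these two units avoids relying on that. The `serviceConfig` attrset continues past the hunk.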
@@ -4,10 +4,7 @@
 }:
 let
 # use a root-owned EnvironmentFile in production instead (systemd.services..serviceConfig.EnvironmentFile)
- secrets = {
- authentiksecret = "thissecretwillbeinthenixstore";
- postgresql = "dontusethisinproduction";
- };
+ authentiksecret = "thissecretwillbeinthenixstore";
 in
 pkgs.nixosTest {
 name = "authentik";
@@ -26,22 +23,14 @@ pkgs.nixosTest {
 services.authentik.enable = true;
- services.postgresql.initialScript = pkgs.writeText "psql-init.sql" ''
- CREATE DATABASE authentik;
- CREATE USER authentik WITH PASSWORD '${secrets.postgresql}';
- GRANT ALL PRIVILEGES ON DATABASE authentik TO authentik
- '';
 systemd.services.authentik-migrate.serviceConfig.Environment = [
- "AUTHENTIK_POSTGRESQL__PASSWORD=${secrets.postgresql}"
- "AUTHENTIK_SECRET_KEY=${secrets.authentiksecret}"
+ "AUTHENTIK_SECRET_KEY=${authentiksecret}"
 ];
 systemd.services.authentik-worker.serviceConfig.Environment = [
- "AUTHENTIK_POSTGRESQL__PASSWORD=${secrets.postgresql}"
- "AUTHENTIK_SECRET_KEY=${secrets.authentiksecret}"
+ "AUTHENTIK_SECRET_KEY=${authentiksecret}"
 ];
 systemd.services.authentik.serviceConfig.Environment = [
- "AUTHENTIK_POSTGRESQL__PASSWORD=${secrets.postgresql}"
- "AUTHENTIK_SECRET_KEY=${secrets.authentiksecret}"
+ "AUTHENTIK_SECRET_KEY=${authentiksecret}"
 ];
 services.xserver.enable = true;
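Review bot: The second hunk now exercises only the socket/peer-auth path and drops the database password from the store, which is the right direction, but `createDatabase = false` gets no coverage and nothing visible asserts that the migration actually ran against the auto-provisioned role. The `testScript` is outside the hunk; if it only waits for `authentik.service` and that unit does not already require the migrate unit, adding `machine.wait_for_unit("authentik-migrate.service")` before it makes a broken role or permission setup fail at the migration step instead of as a later HTTP error. The machine configuration attrset this hunk edits continues beyond the hunk.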