module: use postgres peer auth instead of password auth

2023-06-07 14:05:05 +02:00 · 2023-06-07 14:05:05 +02:00 · 3c661c5095
commit 3c661c5095
parent b51c438d24
2 changed files with 20 additions and 23 deletions
--- a/module.nix
+++ b/module.nix
@ -35,6 +35,11 @@ in
        options = {};
      };
    };
+
+    createDatabase = mkOption {
+      type = types.bool;
+      default = true;
+    };
  };

  config = mkIf cfg.enable {
@ -42,6 +47,11 @@ in
      authentik.settings = {
        blueprints_dir = mkDefault "${pkgs.authentik.staticWorkdirDeps}/blueprints";
        template_dir = mkDefault "${pkgs.authentik.staticWorkdirDeps}/templates";
+        postgresql = {
+          user = mkDefault "authentik";
+          name = mkDefault "authentik";
+          host = mkDefault "";
+        };
      };
      redis.servers.authentik = {
        enable = true;
@ -50,6 +60,10 @@ in
      postgresql = {
        enable = true;
        package = pkgs.postgresql_14;
+        ensureDatabases = mkIf cfg.createDatabase [ "authentik" ];
+        ensureUsers = mkIf cfg.createDatabase [
+          { name = "authentik"; ensurePermissions."DATABASE authentik" = "ALL PRIVILEGES"; }
+        ];
      };
    };

@ -67,11 +81,8 @@ in
        serviceConfig = {
          Type = "oneshot";
          RemainAfterExit = true;
-          Environment = [
-            "AUTHENTIK_POSTGRESQL__USER=authentik"
-            "AUTHENTIK_POSTGRESQL__NAME=authentik"
-          ];
          DynamicUser = true;
+          User = "authentik";
          ExecStart = "${pkgs.authentik.migrate}/bin/migrate.py";
        };
      };
@ -79,13 +90,10 @@ in
        requiredBy = [ "authentik.service" ];
        before = [ "authentik.service" ];
        serviceConfig = {
-          Environment = [
-            "AUTHENTIK_POSTGRESQL__USER=authentik"
-            "AUTHENTIK_POSTGRESQL__NAME=authentik"
-          ];
          RuntimeDirectory = "authentik";
          WorkingDirectory = "%t/authentik";
          DynamicUser = true;
+          User = "authentik";
          # TODO maybe make this configurable
          ExecStart = "${pkgs.authentik.celery}/bin/celery -A authentik.root.celery worker -Ofair --max-tasks-per-child=1 --autoscale 3,1 -E -B -s /tmp/celerybeat-schedule -Q authentik,authentik_scheduled,authentik_events";
        };
--- a/test.nix
+++ b/test.nix
@ -4,10 +4,7 @@
 }:
 let
  # use a root-owned EnvironmentFile in production instead (systemd.services.<name>.serviceConfig.EnvironmentFile)
-  secrets = {
-    authentiksecret = "thissecretwillbeinthenixstore";
-    postgresql = "dontusethisinproduction";
-  };
+  authentiksecret = "thissecretwillbeinthenixstore";
 in
 pkgs.nixosTest {
  name = "authentik";
@ -26,22 +23,14 @@ pkgs.nixosTest {

      services.authentik.enable = true;

-      services.postgresql.initialScript = pkgs.writeText "psql-init.sql" ''
-        CREATE DATABASE authentik;
-        CREATE USER authentik WITH PASSWORD '${secrets.postgresql}';
-        GRANT ALL PRIVILEGES ON DATABASE authentik TO authentik
-      '';
      systemd.services.authentik-migrate.serviceConfig.Environment = [
-        "AUTHENTIK_POSTGRESQL__PASSWORD=${secrets.postgresql}"
-        "AUTHENTIK_SECRET_KEY=${secrets.authentiksecret}"
+        "AUTHENTIK_SECRET_KEY=${authentiksecret}"
      ];
      systemd.services.authentik-worker.serviceConfig.Environment = [
-        "AUTHENTIK_POSTGRESQL__PASSWORD=${secrets.postgresql}"
-        "AUTHENTIK_SECRET_KEY=${secrets.authentiksecret}"
+        "AUTHENTIK_SECRET_KEY=${authentiksecret}"
      ];
      systemd.services.authentik.serviceConfig.Environment = [
-        "AUTHENTIK_POSTGRESQL__PASSWORD=${secrets.postgresql}"
-        "AUTHENTIK_SECRET_KEY=${secrets.authentiksecret}"
+        "AUTHENTIK_SECRET_KEY=${authentiksecret}"
      ];

      services.xserver.enable = true;