module: add nginx support with cert auto-discovery

This commit is contained in:
WilliButz 2023-10-04 17:55:39 +02:00
parent bc05d5ce25
commit f7fa85cc1f
No known key found for this signature in database
GPG key ID: FB0513677AB15BEA
3 changed files with 55 additions and 8 deletions


@ -197,10 +197,13 @@
''; '';
}; };
}; };
checks.default = (import ./test.nix { checks = {
inherit pkgs authentik-version; default = self.checks.${system}.vmtest;
inherit (self) nixosModules; vmtest = (import ./test.nix {
}); inherit pkgs authentik-version;
inherit (self) nixosModules;
});
};
devShells.default = pkgs.mkShell { devShells.default = pkgs.mkShell {
packages = [ packages = [
# to generate a v2 lockfile from the v3 lockfile provided by upstream: # to generate a v2 lockfile from the v3 lockfile provided by upstream:


@ -7,6 +7,9 @@ let
inherit (lib) inherit (lib)
types; types;
inherit (lib.attrsets)
recursiveUpdate;
inherit (lib.modules) inherit (lib.modules)
mkDefault mkDefault
mkIf mkIf
@ -47,6 +50,19 @@ in
default = true; default = true;
}; };
nginx = {
enable = mkEnableOption "basic nginx configuration";
enableACME = mkEnableOption "Let's Encrypt and certificate discovery";
host = mkOption {
type = types.str;
example = "auth.example.com";
description = mdDoc ''
Specify the name for the server in {option}`services.nginx.virtualHosts` and
for the associated Let's Encrypt certificate.
'';
};
};
environmentFile = mkOption { environmentFile = mkOption {
type = types.nullOr types.path; type = types.nullOr types.path;
default = null; default = null;
@ -106,6 +122,7 @@ in
name = mkDefault "authentik"; name = mkDefault "authentik";
host = mkDefault ""; host = mkDefault "";
}; };
cert_discovery_dir = mkIf (cfg.nginx.enable && cfg.nginx.enableACME) "env://CREDENTIALS_DIRECTORY";
}; };
redis.servers.authentik = { redis.servers.authentik = {
enable = true; enable = true;
@ -154,6 +171,10 @@ in
# TODO maybe make this configurable # TODO maybe make this configurable
ExecStart = "${cfg.authentikComponents.celery}/bin/celery -A authentik.root.celery worker -Ofair --max-tasks-per-child=1 --autoscale 3,1 -E -B -s /tmp/celerybeat-schedule -Q authentik,authentik_scheduled,authentik_events"; ExecStart = "${cfg.authentikComponents.celery}/bin/celery -A authentik.root.celery worker -Ofair --max-tasks-per-child=1 --autoscale 3,1 -E -B -s /tmp/celerybeat-schedule -Q authentik,authentik_scheduled,authentik_events";
EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ]; EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
LoadCredential = mkIf (cfg.nginx.enable && cfg.nginx.enableACME) [
"${cfg.nginx.host}.pem:${config.security.acme.certs.${cfg.nginx.host}.directory}/fullchain.pem"
"${cfg.nginx.host}.key:${config.security.acme.certs.${cfg.nginx.host}.directory}/key.pem"
];
}; };
}; };
authentik = { authentik = {
@ -184,6 +205,20 @@ in
}; };
}; };
}; };
services.nginx = mkIf cfg.nginx.enable {
enable = true;
recommendedTlsSettings = true;
recommendedProxySettings = true;
virtualHosts.${cfg.nginx.host} = {
inherit (cfg.nginx) enableACME;
forceSSL = cfg.nginx.enableACME;
locations."/" = {
proxyWebsockets = true;
proxyPass = "https://localhost:9443";
};
};
};
})) }))
# LDAP outpost # LDAP outpost
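Review bot: The LoadCredential entries added next to the celery ExecStart copy fullchain.pem and key.pem out of the ACME directory only when the unit starts, so once Let's Encrypt renews the certificate the worker keeps discovering the stale files until something restarts it. The ACME module can drive that: add the worker unit to `security.acme.certs.${cfg.nginx.host}.reloadServices` (the unit name is not visible in this hunk; the enclosing systemd.services definition starts outside it). Separately, `cert_discovery_dir = "env://CREDENTIALS_DIRECTORY"` is set in the shared settings while only this worker unit loads credentials, so any other unit reading the same settings sees an unset variable — presumably harmless if discovery runs in the worker, but a one-line comment saying so would save the next reader the question. Finally, the `enableACME` description should state that with `nginx.enable` alone the vhost serves plain HTTP (`forceSSL` follows `enableACME`), so the login flow goes over the wire unencrypted unless the operator terminates TLS elsewhere.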


@ -25,6 +25,10 @@ pkgs.nixosTest {
services.authentik = { services.authentik = {
enable = true; enable = true;
environmentFile = authentik-env; environmentFile = authentik-env;
nginx = {
enable = true;
host = "localhost";
};
}; };
services.xserver.enable = true; services.xserver.enable = true;
@ -53,7 +57,7 @@ pkgs.nixosTest {
with subtest("Frontend renders"): with subtest("Frontend renders"):
machine.succeed("su - alice -c 'firefox http://localhost:9000/if/flow/initial-setup' >&2 &") machine.succeed("su - alice -c 'firefox http://localhost:9000/if/flow/initial-setup' >&2 &")
machine.wait_for_text("Welcome to authentik") machine.wait_for_text("Welcome to authentik")
machine.screenshot("initial-setup_1") machine.screenshot("1_rendered_frontend")
with subtest("admin account setup works"): with subtest("admin account setup works"):
machine.send_key("tab") machine.send_key("tab")
@ -66,15 +70,20 @@ pkgs.nixosTest {
machine.send_key("ret") machine.send_key("ret")
machine.wait_for_text("My applications") machine.wait_for_text("My applications")
machine.send_key("esc") machine.send_key("esc")
machine.screenshot("initial-setup_2") machine.screenshot("2_initial_setup_successful")
with subtest("admin settings render and version as expected"): with subtest("admin settings render and version as expected"):
machine.succeed("su - alice -c 'firefox http://localhost:9000/if/admin' >&2 &") machine.succeed("su - alice -c 'firefox http://localhost:9000/if/admin' >&2 &")
machine.wait_for_text("General system status") machine.wait_for_text("General system status")
machine.screenshot("initial-setup_3") machine.screenshot("3_rendered_admin_interface")
machine.succeed("su - alice -c 'xdotool click 1' >&2") machine.succeed("su - alice -c 'xdotool click 1' >&2")
machine.succeed("su - alice -c 'xdotool key --delay 100 Page_Down Page_Down' >&2") machine.succeed("su - alice -c 'xdotool key --delay 100 Page_Down Page_Down' >&2")
machine.wait_for_text("${authentik-version}") machine.wait_for_text("${authentik-version}")
machine.screenshot("initial-setup_4") machine.screenshot("4_correct_version_in_admin_interface")
with subtest("nginx proxies to authentik"):
machine.succeed("su - alice -c 'firefox http://localhost/' >&2 &")
machine.wait_for_text("authentik")
machine.screenshot("5_nginx_proxies_requests")
''; '';
} }
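Review bot: The new "nginx proxies to authentik" subtest only waits for the word "authentik" to appear on screen, and the admin interface opened by the previous subtest is most likely still visible (firefox was started in the background and never closed), so the OCR match can succeed even if nginx returned nothing; as written the subtest does not prove the proxy works. Assert the response itself before taking the screenshot, e.g. `machine.wait_until_succeeds("curl -fsS http://localhost/ | grep -q authentik")`. The ACME and certificate-discovery path added in the module (LoadCredential of the ACME key into the worker, `cert_discovery_dir`) is not exercised because the test leaves `enableACME` off; that is understandable in an offline VM, but a comment on the `nginx` block noting it as untested would stop readers from assuming coverage.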