# authentik-nix

A Nix flake providing a package, NixOS module and basic VM test for [authentik](https://github.com/goauthentik/authentik)

## TOC

- [Important Note](#important-note)
- [Overview](#overview)
- [Usage](#usage)
- [Updating](#updating)
- [License](#license)

## Important Note

Please note that this project is not directly affiliated with the official [authentik](https://github.com/goauthentik/authentik) project. Most importantly, this means that there is no official support for this packaging and deployment approach. Therefore, please refrain from opening issues for the official project when running into problems with this flake. Feel free to open issues here. If in doubt, please open an issue here first so we can make sure that it's not directly related to this packaging/deployment approach before escalating to the official project.

## Overview

* [flake.nix](./flake.nix)
  This flake provides packages (server, worker, outposts, ...) as outputs, a NixOS module and a simple VM integration test for the module.
* [module.nix](./module.nix)
  The NixOS module configures authentik services, redis and (by default) a local postgres instance. The upstream default authentik configuration can be partially overridden by setting desired parameters under `services.authentik.settings`.
* [poetry2nix-python-overrides.nix](./poetry2nix-python-overrides.nix)
  Contains overrides and fixes for building the python env.
* [test.nix](./test.nix)
  A minimal NixOS VM test. Confirms that the services configured by the module start and manually goes through the initial setup flow. Two screenshots are taken during test execution to confirm that the frontend is rendered correctly.

## Usage

Example configuration:

```nix
{
  services.authentik = {
    enable = true;
    # The environmentFile needs to be on the target host!
    # Best use something like sops-nix or agenix to manage it
    environmentFile = "/run/secrets/authentik/authentik-env";
    settings = {
      email = {
        host = "smtp.example.com";
        port = 587;
        username = "authentik@example.com";
        use_tls = true;
        use_ssl = false;
        from = "authentik@example.com";
      };
      disable_startup_analytics = true;
      avatars = "initials";
    };
  };
}
```

### With flakes

Add authentik-nix to your flake, import the module and configure it. Relevant sections of the flake:

```nix
# flake.nix
{
  inputs.authentik-nix = {
    url = "github:mayflower/authentik-nix";

    ## optional overrides. Note that using a different version of nixpkgs can cause issues,
    ## especially with python dependencies
    # inputs.nixpkgs.follows = "nixpkgs";
    # inputs.flake-parts.follows = "flake-parts";
  };

  outputs = inputs@{ ... }: {
    ## regular NixOS example
    #
    # nixosConfigurations = {
    #   authentik-host = inputs.nixpkgs.lib.nixosSystem {
    #     system = "x86_64-linux";
    #     modules = [
    #       inputs.authentik-nix.nixosModules.default
    #       {
    #         services.authentik = {
    #           # ... further configuration; see example configuration above
    #         };
    #       }
    #     ];
    #   };
    # };

    ## Colmena example
    #
    # colmena = {
    #   meta.specialArgs.inputs = { inherit (inputs) authentik-nix; };
    #
    #   authentik-host = { inputs, ... }: {
    #     imports = [ inputs.authentik-nix.nixosModules.default ];
    #
    #     services.authentik = {
    #       # ... further configuration; see example configuration above
    #     };
    #   };
    # };
  };
}
```

## Nginx + Let's Encrypt

Example configuration:

```nix
{
  services.authentik = {
    # other authentik options as in the example configuration at the top
    nginx = {
      enable = true;
      enableACME = true;
      host = "auth.example.com";
    };
  };
}
```

The configuration above configures authentik to auto-discover the Let's Encrypt certificate and key. Initial auto-discovery might take a while because the authentik certificate discovery task runs once per hour.
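The examples above assume that `environmentFile` already exists on the host and that ACME is set up; the host configuration below shows one way to provide both, and is an added illustration rather than code from this flake. It assumes sops-nix is available as a flake input (the `sops.*` option names, the age key path and the secret name are assumptions), and uses NixOS's own `security.acme` options, which `enableACME` requires.

```nix
# configuration.nix (added example; assumes sops-nix is a flake input named sops-nix)
{ inputs, ... }:
{
  imports = [
    inputs.authentik-nix.nixosModules.default
    inputs.sops-nix.nixosModules.sops   # assumption: sops-nix added to the flake inputs
  ];

  # sops-nix decrypts secrets into /run/secrets/<name> at activation time, so the
  # nested name below produces exactly the path used for environmentFile. The
  # decrypted file (holding the AUTHENTIK_* variables, e.g. AUTHENTIK_SECRET_KEY)
  # therefore never enters the world-readable Nix store.
  sops.defaultSopsFile = ./secrets/authentik.yaml;   # assumption: encrypted file in the repo
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";    # assumption: host age key location
  sops.secrets."authentik/authentik-env" = {
    # Root-owned and readable only by root. Assumption: the module hands the file to
    # the services as a systemd EnvironmentFile, which systemd reads as root.
    mode = "0400";
  };

  services.authentik = {
    enable = true;
    environmentFile = "/run/secrets/authentik/authentik-env";
    settings = {
      email = {
        host = "smtp.example.com";
        port = 587;
        use_tls = true;
        use_ssl = false;
      };
      disable_startup_analytics = true;
    };
    nginx = {
      enable = true;
      enableACME = true;
      host = "auth.example.com";
    };
  };

  # enableACME only works once the CA terms are accepted and a contact address is set.
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "admin@example.com";   # constructed placeholder

  # Port 80 is needed for the HTTP-01 challenge, 443 for the TLS frontend.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
}
```

The host must be able to decrypt `secrets/authentik.yaml` with the age key at the configured path before the first switch; otherwise activation fails before authentik starts.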
## Testing

To run the tests execute the following:

```
nix flake check --print-build-logs
```

## License

This project is released under the terms of the MIT License. See [LICENSE](./LICENSE). Consult [the upstream project](https://github.com/goauthentik/authentik) for information about authentik licensing.