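# Kubernetes module deploying authentik via its Helm chart, together with the
# PVCs, ingress and Tailscale ingress the lab framework derives from `lab`.
{ nixhelm, system, config, lib, ... }:
let
  # Secret material is never inlined: every `ref+sops://` string is a vals
  # reference into the encrypted secrets.yml, resolved at deploy time.
  # The Postgres password is consumed in three places (the bundled postgresql
  # chart, the server and the worker); declaring it once keeps them from
  # drifting apart when the path in secrets.yml changes.
  postgresqlPassword = "ref+sops://secrets.yml#/authentik/postgresql_password";
in
{
  options.authentik.enable = lib.mkEnableOption "authentik";

  config = lib.mkIf config.authentik.enable {
    kubernetes = {
      helm.releases.authentik = {
        chart = nixhelm.chartsDerivations.${system}.authentik.authentik;
        includeCRDs = true;
        namespace = "authentik";

        values = {
          authentik = {
            # Outbound mail (password resets, invitations). Username/password
            # are injected through the env secrets below, not through values.
            email = {
              host = "mail.smtp2go.com";
              port = 2525;
              # NOTE(review): no use_tls/use_ssl setting is given here, so the
              # chart default decides whether the SMTP session is encrypted;
              # confirm it, otherwise the SMTP credentials travel in cleartext.
              from = "Authentik authentik@kun.is";
            };
          };

          # Bundled PostgreSQL; its data lives on the `db` Longhorn claim below
          # and its bootstrap password comes from the postgresql-env secret.
          postgresql = {
            enabled = true;
            auth.password = postgresqlPassword;
            primary.persistence.existingClaim = "db";
            primary.extraEnvVarsSecret = "postgresql-env";
          };

          # Bundled Redis on the `redis` Longhorn claim below.
          redis = {
            enabled = true;
            master.persistence.existingClaim = "redis";
          };
        };
      };

      resources =
        let
          # Environment shared by the server and worker pods. Both need the
          # same database password and the same AUTHENTIK_SECRET_KEY, otherwise
          # sessions/tokens issued by one are rejected by the other.
          env = {
            AUTHENTIK_POSTGRESQL__PASSWORD.value = postgresqlPassword;
            AUTHENTIK_SECRET_KEY.value = "ref+sops://secrets.yml#/authentik/secret_key";
            AUTHENTIK_EMAIL__USERNAME.value = "ref+sops://secrets.yml#/smtp2go/username";
            AUTHENTIK_EMAIL__PASSWORD.value = "ref+sops://secrets.yml#/smtp2go/password";
          };
        in
        {
          # Consumed by the postgresql chart via primary.extraEnvVarsSecret.
          secrets.postgresql-env.stringData = {
            POSTGRES_PASSWORD = postgresqlPassword;
          };

          deployments = {
            authentik-server.spec.template.spec.containers.server.env = env;
            authentik-worker.spec.template.spec.containers.worker.env = env;
          };
        };
    };

    lab = {
      # Persistent storage backing the bundled database and cache.
      longhorn.persistentVolumeClaim = {
        db = {
          volumeName = "authentik-db";
          storage = "10Gi";
        };
        redis = {
          volumeName = "authentik-redis";
          storage = "5Gi";
        };
      };

      # Public entry point.
      ingresses.authentik = {
        host = "authentik.kun.is";
        service = {
          name = "authentik-server";
          portName = "http";
        };
      };

      # Tailnet-only entry point to the same service.
      tailscaleIngresses = {
        tailscale-authentik = {
          host = "authentik";
          service = {
            name = "authentik-server";
            portName = "http";
          };
        };
      };
    };
  };
}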