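# Module that deploys Authentik into the cluster as a Helm release, together
# with the Secret/env wiring, persistent volume claims and ingresses it needs.
# Enabled with `authentik.enable = true;`.
#
# Secrets are never written here in plaintext: every credential is a
# `ref+sops://` URI pointing into secrets.yml. These are placeholders that a
# vals-style reference resolver substitutes at apply time (presumably by the
# deployment tooling around this module — confirm where resolution happens).
{
  nixhelm,
  system,
  config,
  lib,
  ...
}: let
  # The PostgreSQL password is consumed in three places (the bundled postgresql
  # chart, the postgresql-env Secret and Authentik's own env). Keeping a single
  # binding guarantees they cannot drift apart and leave Authentik unable to
  # authenticate against its database.
  postgresqlPasswordRef = "ref+sops://secrets.yml#/authentik/postgresql_password";
in {
  options.authentik.enable = lib.mkEnableOption "authentik";

  config = lib.mkIf config.authentik.enable {
    kubernetes = {
      helm.releases.authentik = {
        chart = nixhelm.chartsDerivations.${system}.authentik.authentik;
        includeCRDs = true;
        namespace = "authentik";

        values = {
          authentik = {
            email = {
              host = "mail.smtp2go.com";
              port = 2525;
              # NOTE(review): no angle brackets around the address; check that
              # the chart accepts this form of a From header, or use
              # "Authentik <authentik@kun.is>".
              from = "Authentik authentik@kun.is";
            };
          };

          postgresql = {
            enabled = true;
            auth.password = postgresqlPasswordRef;
            # Claims are provided by lab.longhorn.persistentVolumeClaim below.
            primary.persistence.existingClaim = "db";
            primary.extraEnvVarsSecret = "postgresql-env";
          };

          redis = {
            enabled = true;
            master.persistence.existingClaim = "redis";
          };
        };
      };

      resources = let
        # Shared env for both Authentik containers; values are secret refs, so
        # nothing sensitive lands in the rendered manifests themselves.
        env = {
          AUTHENTIK_POSTGRESQL__PASSWORD.value = postgresqlPasswordRef;
          AUTHENTIK_SECRET_KEY.value = "ref+sops://secrets.yml#/authentik/secret_key";
          AUTHENTIK_EMAIL__USERNAME.value = "ref+sops://secrets.yml#/smtp2go/username";
          AUTHENTIK_EMAIL__PASSWORD.value = "ref+sops://secrets.yml#/smtp2go/password";
        };
      in {
        # Referenced by postgresql.primary.extraEnvVarsSecret above.
        secrets.postgresql-env.stringData = {
          POSTGRES_PASSWORD = postgresqlPasswordRef;
        };

        deployments = {
          authentik-server.spec.template.spec.containers.server.env = env;
          authentik-worker.spec.template.spec.containers.worker.env = env;
        };
      };
    };

    lab = {
      # Attribute names match the existingClaim values used in the Helm values.
      longhorn.persistentVolumeClaim = {
        db = {
          volumeName = "authentik-db";
          storage = "10Gi";
        };

        redis = {
          volumeName = "authentik-redis";
          storage = "5Gi";
        };
      };

      # Public hostname; backend is the authentik-server deployment declared above.
      ingresses.authentik = {
        host = "authentik.kun.is";

        service = {
          name = "authentik-server";
          portName = "http";
        };
      };

      # Tailnet-only entry point to the same service.
      tailscaleIngresses = {
        tailscale-authentik = {
          host = "authentik";
          service = {
            name = "authentik-server";
            portName = "http";
          };
        };
      };
    };
  };
}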