kubernetes-deployments/modules/authentik.nix

{
  nixhelm,
  system,
  config,
  lib,
  ...
}: {
  options.authentik.enable = lib.mkEnableOption "authentik";

  config = lib.mkIf config.authentik.enable {
    kubernetes = {
      helm.releases.authentik = {
        chart = nixhelm.chartsDerivations.${system}.authentik.authentik;
        includeCRDs = true;
        namespace = "authentik";

        values = {
          authentik = {
            email = {
              host = "mail.smtp2go.com";
              port = 2525;
              from = "Authentik authentik@kun.is";
            };
          };

          postgresql = {
            enabled = true;
            auth.password = "ref+sops://secrets.yml#/authentik/postgresql_password";
            primary.persistence.existingClaim = "db";
            primary.extraEnvVarsSecret = "postgresql-env";
          };

          redis = {
            enabled = true;
            master.persistence.existingClaim = "redis";
          };
        };
      };

      resources = let
        env = {
          AUTHENTIK_POSTGRESQL__PASSWORD.value = "ref+sops://secrets.yml#/authentik/postgresql_password";
          AUTHENTIK_SECRET_KEY.value = "ref+sops://secrets.yml#/authentik/secret_key";
          AUTHENTIK_EMAIL__USERNAME.value = "ref+sops://secrets.yml#/smtp2go/username";
          AUTHENTIK_EMAIL__PASSWORD.value = "ref+sops://secrets.yml#/smtp2go/password";
        };
      in {
        secrets.postgresql-env.stringData = {
          POSTGRES_PASSWORD = "ref+sops://secrets.yml#/authentik/postgresql_password";
        };

        deployments = {
          authentik-server.spec.template.spec.containers.server.env = env;
          authentik-worker.spec.template.spec.containers.worker.env = env;
        };
      };
    };

    lab = {
      longhorn.persistentVolumeClaim = {
        db = {
          volumeName = "authentik-db";
          storage = "10Gi";
        };

        redis = {
          volumeName = "authentik-redis";
          storage = "5Gi";
        };
      };

      ingresses.authentik = {
        host = "authentik.kun.is";

        service = {
          name = "authentik-server";
          portName = "http";
        };
      };

      tailscaleIngresses = {
        tailscale-authentik = {
          host = "authentik";
          service = {
            name = "authentik-server";
            portName = "http";
          };
        };
      };
    };
  };
}