{ lib, pkgs, flakes, ... }: with lib; { imports = [flakes.authentik-nix.nixosModules.default]; options = { services.nginx.virtualHosts = mkOption { type = with lib.types; attrsOf ( submodule ( {config, ...}: { options = { enableAuthentik = mkOption { default = false; type = bool; }; locations = mkOption { type = attrsOf ( submodule { config = mkIf config.enableAuthentik { extraConfig = '' auth_request /outpost.goauthentik.io/auth/nginx; error_page 401 = @goauthentik_proxy_signin; auth_request_set $auth_cookie $upstream_http_set_cookie; add_header Set-Cookie $auth_cookie; # translate headers from the outposts back to the actual upstream auth_request_set $authentik_username $upstream_http_x_authentik_username; auth_request_set $authentik_groups $upstream_http_x_authentik_groups; auth_request_set $authentik_email $upstream_http_x_authentik_email; auth_request_set $authentik_name $upstream_http_x_authentik_name; auth_request_set $authentik_uid $upstream_http_x_authentik_uid; proxy_set_header X-authentik-username $authentik_username; proxy_set_header X-authentik-groups $authentik_groups; proxy_set_header X-authentik-email $authentik_email; proxy_set_header X-authentik-name $authentik_name; proxy_set_header X-authentik-uid $authentik_uid; ''; }; } ); }; }; config = mkIf config.enableAuthentik { extraConfig = '' proxy_buffers 8 16k; proxy_buffer_size 32k; location /outpost.goauthentik.io { proxy_pass http://localhost:9000/outpost.goauthentik.io; # ensure the host of this vserver matches your external URL you've configured # in authentik proxy_set_header Host $host; proxy_redirect http://localhost:9000 https://auth.posixlycorrect.com; proxy_set_header X-Original-URL $scheme://$http_host$request_uri; add_header Set-Cookie $auth_cookie; auth_request_set $auth_cookie $upstream_http_set_cookie; # required for POST requests to work proxy_pass_request_body off; proxy_set_header Content-Length ""; } location @goauthentik_proxy_signin { internal; add_header Set-Cookie $auth_cookie; return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri; # For domain level, use the below error_page to redirect to your authentik server with the full redirect path # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri; } ''; }; } ) ); }; }; config = { services = { authentik = { enable = true; environmentFile = "/var/trust/authentik/authentik-env"; nginx = { enable = true; enableACME = true; host = "auth.posixlycorrect.com"; }; settings = { email = { host = "smtp.fastmail.com"; port = 587; username = "fabianmontero@fastmail.com"; use_tls = true; use_ssl = false; from = "auth@posixlycorrect.com"; }; disable_startup_analytics = true; avatars = "initials"; }; }; }; }; }