Get authentik working on the new corp server without podman

The podman integration was pretty janky because it relied on running a
pod, and the NixOS integration with pods is essentially non-existent.
This led to issues with the port being improperly forwarded when
partially restarted.

Now instead I use a flake dedicated to running authentik. This allows me
to specify some of the config in the module directly and some in
secrets, which is really nice. I've additionally added some changes to
the listen address so that the service isn't exposed over public IP
addresses.
Eli Ribble 2025-09-09 13:01:14 +00:00
parent 696273efb8
commit 4d5de177b5
7 changed files with 375 additions and 94 deletions

271
flake.lock generated

@ -1,5 +1,49 @@
{
"nodes": {
"authentik-nix": {
"inputs": {
"authentik-src": "authentik-src",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils",
"napalm": "napalm",
"nixpkgs": "nixpkgs",
"pyproject-build-systems": "pyproject-build-systems",
"pyproject-nix": "pyproject-nix",
"systems": "systems",
"uv2nix": "uv2nix"
},
"locked": {
"lastModified": 1757062396,
"narHash": "sha256-403iuoMVVjk64sF1GgZfrRwOnVU1H14sflE+LNp927c=",
"owner": "nix-community",
"repo": "authentik-nix",
"rev": "22827e9a0cc002a076ee8bd14c3433ebc6c87f95",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "authentik-nix",
"type": "github"
}
},
"authentik-src": {
"flake": false,
"locked": {
"lastModified": 1755873658,
"narHash": "sha256-5l1g55b0xozGg0NaZFimiO5JbHGcudaNSEn1/XsweaU=",
"owner": "goauthentik",
"repo": "authentik",
"rev": "dd7c6b29d950664deadbcf5390272619a8bf9a5e",
"type": "github"
},
"original": {
"owner": "goauthentik",
"ref": "version/2025.8.1",
"repo": "authentik",
"type": "github"
}
},
"disko": {
"inputs": {
"nixpkgs": [
@ -20,7 +64,41 @@
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1747046372,
"narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1754487366,
"narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": {
"nixpkgs-lib": [
"nixvim",
@ -43,7 +121,28 @@
},
"flake-utils": {
"inputs": {
"systems": "systems"
"systems": [
"authentik-nix",
"systems"
]
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1731533236,
@ -108,7 +207,64 @@
"type": "github"
}
},
"napalm": {
"inputs": {
"flake-utils": [
"authentik-nix",
"flake-utils"
],
"nixpkgs": [
"authentik-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1725806412,
"narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=",
"owner": "willibutz",
"repo": "napalm",
"rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5",
"type": "github"
},
"original": {
"owner": "willibutz",
"ref": "avoid-foldl-stack-overflow",
"repo": "napalm",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1756386758,
"narHash": "sha256-1wxxznpW2CKvI9VdniaUnTT2Os6rdRJcRUf65ZK9OtE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "dfb2f12e899db4876308eba6d93455ab7da304cd",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1753579242,
"narHash": "sha256-zvaMGVn14/Zz8hnp4VWT9xVnhc8vuL3TStRqwk22biA=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "0f36c44e01a6129be94e3ade315a5883f0228a6e",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1752436162,
"narHash": "sha256-Kt1UIPi7kZqkSc5HVj6UY5YLHHEzPBkgpNUByuyxtlw=",
@ -124,7 +280,7 @@
"type": "github"
}
},
"nixpkgs_2": {
"nixpkgs_3": {
"locked": {
"lastModified": 1744868846,
"narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=",
@ -142,12 +298,12 @@
},
"nixvim": {
"inputs": {
"flake-parts": "flake-parts",
"flake-parts": "flake-parts_2",
"nixpkgs": [
"nixpkgs"
],
"nuschtosSearch": "nuschtosSearch",
"systems": "systems_2"
"systems": "systems_3"
},
"locked": {
"lastModified": 1752010420,
@ -166,7 +322,7 @@
},
"nuschtosSearch": {
"inputs": {
"flake-utils": "flake-utils",
"flake-utils": "flake-utils_2",
"ixx": "ixx",
"nixpkgs": [
"nixvim",
@ -187,18 +343,69 @@
"type": "github"
}
},
"pyproject-build-systems": {
"inputs": {
"nixpkgs": [
"authentik-nix",
"nixpkgs"
],
"pyproject-nix": [
"authentik-nix",
"pyproject-nix"
],
"uv2nix": [
"authentik-nix",
"uv2nix"
]
},
"locked": {
"lastModified": 1756087852,
"narHash": "sha256-4jc3JDQt75fYXFrglgqyzF6C6zLU0QGLymzian4aP+U=",
"owner": "pyproject-nix",
"repo": "build-system-pkgs",
"rev": "6edb3ae27395cd88be3d64b732d1539957dad59c",
"type": "github"
},
"original": {
"owner": "pyproject-nix",
"repo": "build-system-pkgs",
"type": "github"
}
},
"pyproject-nix": {
"inputs": {
"nixpkgs": [
"authentik-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1756395552,
"narHash": "sha256-5aJM14MpoLk2cdZAetu60OkLQrtFLWTICAyn1EP7ZpM=",
"owner": "pyproject-nix",
"repo": "pyproject.nix",
"rev": "030dffc235dcf240d918c651c78dc5f158067b51",
"type": "github"
},
"original": {
"owner": "pyproject-nix",
"repo": "pyproject.nix",
"type": "github"
}
},
"root": {
"inputs": {
"authentik-nix": "authentik-nix",
"disko": "disko",
"home-manager": "home-manager",
"nixpkgs": "nixpkgs",
"nixpkgs": "nixpkgs_2",
"nixvim": "nixvim",
"sops-nix": "sops-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": "nixpkgs_2"
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1752544651,
@ -216,16 +423,16 @@
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"lastModified": 1689347949,
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"repo": "default-linux",
"rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"repo": "default-linux",
"type": "github"
}
},
@ -243,6 +450,46 @@
"repo": "default",
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"uv2nix": {
"inputs": {
"nixpkgs": [
"authentik-nix",
"nixpkgs"
],
"pyproject-nix": [
"authentik-nix",
"pyproject-nix"
]
},
"locked": {
"lastModified": 1756466761,
"narHash": "sha256-ALXRHIMXQ4qVNfCbcWykC23MjMwUoHn9BreoBfqmq0Y=",
"owner": "pyproject-nix",
"repo": "uv2nix",
"rev": "0529e6d8227517205afcd1b37eee3088db745730",
"type": "github"
},
"original": {
"owner": "pyproject-nix",
"repo": "uv2nix",
"type": "github"
}
}
},
"root": "root",


@ -2,6 +2,9 @@
description = "Multi-host NixOS configuration";
inputs = {
authentik-nix = {
url = "github:nix-community/authentik-nix";
};
disko = {
inputs.nixpkgs.follows = "nixpkgs";
url = "github:nix-community/disko";
@ -18,7 +21,7 @@
sops-nix.url = "github:Mic92/sops-nix";
};
outputs = { self, disko, home-manager, nixpkgs, nixvim, sops-nix, ...}:
outputs = { self, authentik-nix, disko, home-manager, nixpkgs, nixvim, sops-nix, ...}:
let
configFiles = pkgs.stdenv.mkDerivation {
name = "config-files";
@ -34,15 +37,15 @@
nixosConfigurations = {
corp = import ./system.nix {
configuration = ./host/corp/configuration.nix;
inherit configFiles disko home-manager nixpkgs nixvim sops-nix system;
inherit authentik-nix configFiles disko home-manager nixpkgs nixvim sops-nix system;
};
"sync.nidus.cloud" = import ./system.nix {
configuration = ./host/sync/configuration.nix;
inherit configFiles disko home-manager nixpkgs nixvim sops-nix system;
inherit authentik-nix configFiles disko home-manager nixpkgs nixvim sops-nix system;
};
test-corp = nixpkgs.lib.nixosSystem {
configuration = ./host/test-corp/configuration.nix;
inherit configFiles disko home-manager nixpkgs nixvim sops-nix system;
inherit authentik-nix configFiles disko home-manager nixpkgs nixvim sops-nix system;
};
};
};
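Review bot: The new `authentik-nix` input is declared without `inputs.nixpkgs.follows`, unlike `disko`, and nothing in the file records whether that is deliberate. The regenerated flake.lock shows the consequence: `authentik-nix` resolves its own `nixpkgs` node (ref `nixos-unstable`) while the root's moved to `nixpkgs_2`, so the identity provider and its dependencies are built from a different nixpkgs revision than the rest of the host and only pick up security fixes when this input is updated. I would note that above the input, e.g. `# authentik-nix keeps its own nixpkgs pin (no follows); update this input to pick up authentik security fixes`. Separately, the `test-corp` entry still passes `configuration` and the inherited inputs straight to `nixpkgs.lib.nixosSystem` instead of `import ./system.nix` like the other two hosts, which looks like it will not evaluate and is worth confirming while the line is being touched.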


@ -31,6 +31,7 @@
vikunja.enable = true;
};
services.openssh.enable = true;
services.postgresql.enable = true;
users.users.deploy = {
extraGroups = [ "deploy" ];
isNormalUser = true;


@ -17,24 +17,24 @@ in
sops.secrets.authentik-backup-pgpass = {
mode = "0400";
};
systemd.services.backup-authentik-db = {
description = "Backup authentik database";
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
path = [ pkgs.bash pkgs.postgresql ];
requires = [ "podman-authentik-worker.service" ]; # Ensure authentik is running first
script = "${backupScript}/bin/backup-authentik-db.sh";
serviceConfig = {
# Needs root so it can stop other services
User = "root";
Group = "root";
Environment = "PGPASSFILE=${config.sops.secrets.authentik-backup-pgpass.path}";
EnvironmentFile = "/var/run/secrets/authentik-env";
Type = "oneshot";
Restart = "on-failure";
};
wantedBy = [ "timers.target" ];
};
# systemd.services.backup-authentik-db = {
# description = "Backup authentik database";
# after = [ "network-online.target" ];
# wants = [ "network-online.target" ];
# path = [ pkgs.bash pkgs.postgresql ];
# requires = [ "podman-authentik-worker.service" ]; # Ensure authentik is running first
# script = "${backupScript}/bin/backup-authentik-db.sh";
# serviceConfig = {
# # Needs root so it can stop other services
# User = "root";
# Group = "root";
# Environment = "PGPASSFILE=${config.sops.secrets.authentik-backup-pgpass.path}";
# EnvironmentFile = "/var/run/secrets/authentik-env";
# Type = "oneshot";
# Restart = "on-failure";
# };
# wantedBy = [ "timers.target" ];
# };
systemd.tmpfiles.rules = [
"d /var/backups/authentik-db 0755 root root"
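Review bot: Commenting out `systemd.services.backup-authentik-db` leaves the authentik database with no backup job defined in this section, while the `authentik-backup-pgpass` secret and the `/var/backups/authentik-db` tmpfiles rule stay behind unused. The only podman-specific part visible here is the `requires` on `podman-authentik-worker.service`; the commit's own `restartUnits` list names the replacement unit, so the service could stay enabled with `requires = [ "authentik-worker.service" ];`. The backup script itself is not visible, so its connection settings may also need updating for the new database setup. If the backup is intentionally paused, a one-line comment saying so and what covers the gap would serve better than a commented-out block. The enclosing module starts and ends outside the hunk.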


@ -4,27 +4,70 @@ with lib;
options.myModules.authentik.enable = mkEnableOption "custom authentik configuration";
config = mkIf config.myModules.authentik.enable {
environment.systemPackages = [
pkgs.authentik
];
services.authentik = {
enable = true;
environmentFile = "/run/secrets/authentik-env";
settings = {
database = {
host = "127.0.0.1";
name = "authentik";
};
email = {
host = "smtp.forwardemail.net";
port = 2465;
use_tls = false;
use_ssl = true;
from = "auth@corp.gleipnir.technology";
};
listen = {
listen_debug = "127.0.0.1:9900";
listen_debug_py = "127.0.0.1:9901";
listen_http = "127.0.0.1:9000";
listen_https = "127.0.0.1:9443";
listen_ldap = "127.0.0.1:3389";
listen_ldaps = "127.0.0.1:6636";
listen_radius = "127.0.0.1:1812";
listen_metrics = "127.0.0.1:9300";
};
};
};
services.caddy.virtualHosts."auth.gleipnir.technology".extraConfig = ''
reverse_proxy http://127.0.0.1:10000
reverse_proxy http://127.0.0.1:9000
'';
services.postgresql = {
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all all trust
'';
enable = true;
ensureDatabases = [ "authentik" ];
ensureUsers = [{
ensureClauses.login = true;
ensureDBOwnership = true;
name = "authentik";
}];
};
sops.secrets.authentik-env = with config.virtualisation.oci-containers; {
format = "dotenv";
group = "authentik";
mode = "0440";
owner = "authentik";
restartUnits = ["${backend}-authentik-server" "${backend}-authentik-worker"];
restartUnits = ["authentik" "authentik-migrate" "authentik-worker"];
sopsFile = ../../secrets/authentik.env;
};
systemd.services.podman-create-authentik-pod = with config.virtualisation.oci-containers; {
serviceConfig.Type = "oneshot";
wantedBy = [ "${backend}-authentik-server.service" "${backend}-authentik-worker.service"];
script = ''
${pkgs.podman}/bin/podman pod exists authentik || \
${pkgs.podman}/bin/podman pod create \
--name authentik \
-p 127.0.0.1:10000:9000
'';
};
# systemd.services.podman-create-authentik-pod = with config.virtualisation.oci-containers; {
# serviceConfig.Type = "oneshot";
# wantedBy = [ "${backend}-authentik-server.service" "${backend}-authentik-worker.service"];
# script = ''
# ${pkgs.podman}/bin/podman pod exists authentik || \
# ${pkgs.podman}/bin/podman pod create \
# --name authentik \
# -p 127.0.0.1:10000:9000
# '';
# };
systemd.tmpfiles.rules = [
"d /opt/authentik/certs 0755 authentik authentik"
"d /opt/authentik/media 0755 authentik authentik"
@ -36,36 +79,36 @@ with lib;
isNormalUser = false;
isSystemUser = true;
};
virtualisation.oci-containers.containers = {
authentik-redis = {
extraOptions = [ "--pod=authentik" ];
image = "docker.io/redis:8.0.3-alpine";
};
authentik-server = {
cmd = ["server"];
environmentFiles = [
"/var/run/secrets/authentik-env"
];
extraOptions = [ "--pod=authentik" ];
image = "ghcr.io/goauthentik/server:2025.4";
volumes = [
"/opt/authentik/media:/media"
"/opt/authentik/templates:/templates"
];
};
authentik-worker = {
cmd = ["worker"];
environmentFiles = [
"/var/run/secrets/authentik-env"
];
extraOptions = [ "--pod=authentik" ];
image = "ghcr.io/goauthentik/server:2025.4";
volumes = [
"/opt/authentik/certs:/certs"
"/opt/authentik/media:/media"
"/opt/authentik/templates:/templates"
];
};
};
# virtualisation.oci-containers.containers = {
# authentik-redis = {
# extraOptions = [ "--pod=authentik" ];
# image = "docker.io/redis:8.0.3-alpine";
# };
# authentik-server = {
# cmd = ["server"];
# environmentFiles = [
# "/var/run/secrets/authentik-env"
# ];
# extraOptions = [ "--pod=authentik" ];
# image = "ghcr.io/goauthentik/server:2025.4";
# volumes = [
# "/opt/authentik/media:/media"
# "/opt/authentik/templates:/templates"
# ];
# };
# authentik-worker = {
# cmd = ["worker"];
# environmentFiles = [
# "/var/run/secrets/authentik-env"
# ];
# extraOptions = [ "--pod=authentik" ];
# image = "ghcr.io/goauthentik/server:2025.4";
# volumes = [
# "/opt/authentik/certs:/certs"
# "/opt/authentik/media:/media"
# "/opt/authentik/templates:/templates"
# ];
# };
# };
};
}
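Review bot: The new `services.postgresql.authentication` block sets `local all all trust` at `mkOverride 10`, which lets any local account connect over the Unix socket as any database role, including the `postgres` superuser, with no credential, on the database that backs the identity provider. `local all all peer` keeps the passwordless socket login but ties each role to the matching OS user, which fits the `authentik` system user and the `ensureUsers` entry already defined here. Because the override priority presumably displaces the module's default `host` rules, it is also worth confirming that `database.host = "127.0.0.1"` (a TCP connection) still matches a pg_hba line; pointing the host at the socket directory would line up with a `local` rule. The now-unused `with config.virtualisation.oci-containers;` on `sops.secrets.authentik-env` can be dropped as well.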


@ -1,19 +1,5 @@
AUTHENTIK_EMAIL__HOST=ENC[AES256_GCM,data:kb2N1evWoc7AINYuQGoG3G2bsi6n,iv:tAOieZNCOgcGCtHtrlYXBtp09a++WH79A+E7M4irIN0=,tag:4dfcXmJfRI4de2et1dkh7Q==,type:str]
AUTHENTIK_EMAIL__PORT=ENC[AES256_GCM,data:Ne3Kgg==,iv:OHHdIjNEeP9QPTDdjim39jQy5vZTxyTuCDjuubqj4cM=,tag:vHELeE8N4/Hrl3TAuKlbVw==,type:str]
AUTHENTIK_EMAIL__USERNAME=ENC[AES256_GCM,data:4PMcNtQZOCcepXOFoHQJe8A+0AdOUGQk76rI2EE=,iv:C5ATwjfF+/lkMhUPUF1u4EMmlfe0oCuagrajKVsmsbQ=,tag:PNM+kYe8rgDmOumtfvzE8A==,type:str]
AUTHENTIK_EMAIL__PASSWORD=ENC[AES256_GCM,data:761BeyOs9Ay9rb64FQAk14SqD54tcy2P,iv:D9Dn+jXKeSBWXvsyvMHcnM4NkNm1FAph/j1XAOYVG00=,tag:pDJzzlLlpNpQPAyr/IIyFQ==,type:str]
AUTHENTIK_EMAIL__USE_TLS=ENC[AES256_GCM,data:eo/gi3M=,iv:M91bZsoVwsk6uXv/B6S1y7JODDWmeAvwBwInKnZTnPM=,tag:WWsy2gccV/Wb9DPFLcK+xg==,type:str]
AUTHENTIK_EMAIL__USE_SSL=ENC[AES256_GCM,data:VmgNFw==,iv:e+wPUyS1Lh4ertUTQJYeGlJQUfnsROZiKUKLVPOrDMQ=,tag:aKm2EHUmsoYFfja2EJImFQ==,type:str]
AUTHENTIK_EMAIL__TIMEOUT=ENC[AES256_GCM,data:r7w=,iv:CuqardKt0jMVPfefmit02Nl/FX7TedPfAqr/nHpidq4=,tag:2ylJuYA+Cs9bTogv4bBpKQ==,type:str]
AUTHENTIK_EMAIL__FROM=ENC[AES256_GCM,data:E5AT4uoc9A89Yj/fgeGXoTJ/hn2ymNtmZuCXQJ8=,iv:xdQPETFf8PQ3Hi1jM0w0tfmihSzJyzzk9Z93nF21Mcc=,tag:afzrOpHJ4/fDwVUW7S1hqw==,type:str]
AUTHENTIK_ERROR_REPORTING__ENABLED=ENC[AES256_GCM,data:95RHqg==,iv:4aEsQGqMPZAHEl2a2mEPQgE03FmxXX1oFLzYPeDXcAA=,tag:Bkh+GRxfGOximBNfJV0ZZg==,type:str]
AUTHENTIK_LOG_LEVEL=ENC[AES256_GCM,data:s6mBg616vw==,iv:i+hVmUOtUIrbKvxlD8E3Kkq+yYOYb+/xYYqKtyQdB1Q=,tag:DeSHTfgXtWJLkkWQbPydOQ==,type:str]
AUTHENTIK_POSTGRESQL__HOST=ENC[AES256_GCM,data:XvfqJG6+OzmWV6KmXP9d1KmyR5C2aOmpDGWKzJG34JyTR4DuabJbU9nY0iXjf+bjPBk9vvuaFw3j40ZzmLf0r1hhd648fBhKk/MkgRQ2UEg=,iv:+STIftFRvsCXB0jt2QNIYCJWyH8nGi9mHgSQGK8a3tQ=,tag:0EHgHq8lF38wm5Wm4q9Ang==,type:str]
AUTHENTIK_POSTGRESQL__NAME=ENC[AES256_GCM,data:2G3q8ujcsRCb,iv:O+UPxZqrBjQkRegXRyv1+YdOduZcGREo3ZnLAU6uytE=,tag:gh9IbsEp/rszIpaZ34Chag==,type:str]
AUTHENTIK_POSTGRESQL__PASSWORD=ENC[AES256_GCM,data:nFRhrE5L9dTX0S5E94EsV5QXlvTL,iv:GBi4EY+p7AoFdF7pslpfUjUWH6yUAE/2sXScPrEv9hU=,tag:UdkiYgEGxeRpXo4atG4ceQ==,type:str]
AUTHENTIK_POSTGRESQL__PORT=ENC[AES256_GCM,data:Fgt54Jw=,iv:vowf1xrkXGIJOutrTvsXWhhLGRLUtUvulxO84BfHP+E=,tag:1alr1aXLiS9lvSBCE24ngQ==,type:str]
AUTHENTIK_POSTGRESQL__USER=ENC[AES256_GCM,data:Eav02SqSk7EbJByQyyk=,iv:TRm0Z17Hx4wwkG29D00Dx/fJ7E+0fgweW72YnKK3kmo=,tag:vwYp8VFCO3LjsYvWaHadNw==,type:str]
AUTHENTIK_REDIS__HOST=ENC[AES256_GCM,data:xuh25ku0Px74yZmZg3cC,iv:xZoppWzkMTXcTW+grfuNZ15J+6Wosh0U9Vzo0AVNzrE=,tag:IF/+DvVjznGC3bzRGskPPw==,type:str]
AUTHENTIK_SECRET_KEY=ENC[AES256_GCM,data:8jb7qazlI3luTrBuUWNOy/TTkiiYLW+XYqFKmFo8rgRmbfMqKwM6485U7i7GNFHSVqQEaOXc39WEZR6dZILIZ47nJDETeSnMGGgLz8T7UwU=,iv:GV+cfsX+kXED//ladyo9jg5XLOmg8l1bGTqNB7JnwfU=,tag:ddGxFUKrMSVWWjBrDP1N2w==,type:str]
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSTm1Zb1picVdVRTBiQjRK\nNkVMVHhWa2lsWEVYVllVaW1wdkpKSFVpc0VnCnBXRlVZVk11b0xjV3k2bkJpczVG\nZEZQekljRVJ5VmNOU3R2UXZUMm9CR1UKLS0tIHFHV0VmUHZzTTV3U0w2ZHJKc3Vz\nVEt4RUNBMlBGOFRoUjI0QUlvVVlIb0EKeLJRLIYTakdoc244pXBu6oqoni9ZM9PQ\nyp02oXiyqmlZZqAfTJ4emnVqPv/fJKquiN2izsOtHs4PONc1n5eJcg==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_0__map_recipient=age1fnkhk9rv7r8gh84vxnhvndk4fgh20qcj4hvnfhdpumcydl6m6vrse50lrz
@ -27,7 +13,7 @@ sops_age__list_4__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb2
sops_age__list_4__map_recipient=age1t3ryfktuhr3cysf49m9q2n8fkjf9ajjjnhztxw9hz8paxgk4lpcq065jge
sops_age__list_5__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByMU52ajRCZG9zdy90WXVx\naVdkSy9IYk0xbXpIUHdMc09McVBNSzNQemxZCkdVUVllemEvaWJEWldWbTF4Vzk1\nRmwxWUplRGE0VE9nRko0TzNERU04SGsKLS0tIHJib2RCcE5neS9VMzIyMFdLdUtQ\nUkQ3ZFo3aTA1bWNFWC9hS3V2dmdLbkkKQpvIwDvGbK1hh7L76fjDYN2cpVQ6tmMH\nx/yrABcRT54Q36zynPYlk18tWh19hjpkExNxPu6zdEoQ8MXUto8vFw==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_5__map_recipient=age1j90h7hcp4fctr2xwj4zf9cxuelm43wkujvryc9hk6rzzc37rwdmss035w7
sops_lastmodified=2025-07-18T18:03:58Z
sops_mac=ENC[AES256_GCM,data:8EvENcMYRr735qFHBWlo/PT92kKKa6Qsq4IOYnf8na/b+PqHf2U4nUFC38BrfagbVUzB8YKaSE7mFwdzSPWCBa1do8aQgxxBav4sMWorp/bq85LXSk01t/0CWmkjvb/YEOE3OX5hDO+0l0y22fNwKb6OJ/4uv6PRMbhGwjJ4/CA=,iv:0s0PZQxIP/dE6IZLcT6v6lp3wXf3Ds+QSgRl1MaeCoY=,tag:E5dgeqJcYAa86lD1+nL5Sg==,type:str]
sops_lastmodified=2025-09-09T12:49:14Z
sops_mac=ENC[AES256_GCM,data:l28mT7peCNM8I0g0UdH1OsFHMDAQ7YRo4GBSXMGbVfTmvIO3Qlkav/07ByBnv1HaGbSuRnMeF8zYilNLRO5JXdgUmFrt+QNXYrbFtkEd4boldVIHDDjtj5lyO6xdX/S5BL+engyE+7+DXz1UFkKBKoKqnQupzFLhWoIsFkGxbq0=,iv:IfzlXWHN0LLhVU/T79Wn8kraENMibtijWj8l7LiT4uE=,tag:RNFlpyEd+QBUFGGZC9CvDA==,type:str]
sops_unencrypted_suffix=_unencrypted
sops_version=3.10.2


@ -1,4 +1,4 @@
{ configFiles, configuration, disko, home-manager, nixpkgs, nixvim, sops-nix, system, ... }:
{ authentik-nix, configFiles, configuration, disko, home-manager, nixpkgs, nixvim, sops-nix, system, ... }:
let
allowed-unfree-packages = [
"corefonts"
@ -6,6 +6,7 @@ let
];
in nixpkgs.lib.nixosSystem {
modules = [
authentik-nix.nixosModules.default
disko.nixosModules.disko
home-manager.nixosModules.home-manager
{