diff --git a/flake.lock b/flake.lock index f334a10..f37b204 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,49 @@ { "nodes": { + "authentik-nix": { + "inputs": { + "authentik-src": "authentik-src", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "flake-utils": "flake-utils", + "napalm": "napalm", + "nixpkgs": "nixpkgs", + "pyproject-build-systems": "pyproject-build-systems", + "pyproject-nix": "pyproject-nix", + "systems": "systems", + "uv2nix": "uv2nix" + }, + "locked": { + "lastModified": 1757062396, + "narHash": "sha256-403iuoMVVjk64sF1GgZfrRwOnVU1H14sflE+LNp927c=", + "owner": "nix-community", + "repo": "authentik-nix", + "rev": "22827e9a0cc002a076ee8bd14c3433ebc6c87f95", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "authentik-nix", + "type": "github" + } + }, + "authentik-src": { + "flake": false, + "locked": { + "lastModified": 1755873658, + "narHash": "sha256-5l1g55b0xozGg0NaZFimiO5JbHGcudaNSEn1/XsweaU=", + "owner": "goauthentik", + "repo": "authentik", + "rev": "dd7c6b29d950664deadbcf5390272619a8bf9a5e", + "type": "github" + }, + "original": { + "owner": "goauthentik", + "ref": "version/2025.8.1", + "repo": "authentik", + "type": "github" + } + }, "disko": { "inputs": { "nixpkgs": [ 
@@ -20,7 +64,41 @@ "type": "github" } }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1747046372, + "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1754487366, + "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { "inputs": { "nixpkgs-lib": [ "nixvim", @@ -43,7 +121,28 @@ }, "flake-utils": { "inputs": { - "systems": "systems" + "systems": [ + "authentik-nix", + "systems" + ] + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_2" }, "locked": { "lastModified": 1731533236, 
@@ -108,7 +207,64 @@ "type": "github" } }, + "napalm": { + "inputs": { + "flake-utils": [ + "authentik-nix", + "flake-utils" + ], + "nixpkgs": [ + "authentik-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1725806412, + "narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=", + "owner": "willibutz", + "repo": "napalm", + "rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5", + "type": "github" + }, + "original": { + "owner": "willibutz", + "ref": "avoid-foldl-stack-overflow", + "repo": "napalm", + "type": "github" + } + }, "nixpkgs": { + "locked": { + "lastModified": 1756386758, + "narHash": "sha256-1wxxznpW2CKvI9VdniaUnTT2Os6rdRJcRUf65ZK9OtE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "dfb2f12e899db4876308eba6d93455ab7da304cd", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-lib": { + "locked": { + "lastModified": 1753579242, + "narHash": "sha256-zvaMGVn14/Zz8hnp4VWT9xVnhc8vuL3TStRqwk22biA=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "0f36c44e01a6129be94e3ade315a5883f0228a6e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "nixpkgs_2": { "locked": { "lastModified": 1752436162, "narHash": "sha256-Kt1UIPi7kZqkSc5HVj6UY5YLHHEzPBkgpNUByuyxtlw=", @@ -124,7 +280,7 @@ "type": "github" } }, - "nixpkgs_2": { + "nixpkgs_3": { "locked": { "lastModified": 1744868846, "narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=", @@ -142,12 +298,12 @@ }, "nixvim": { "inputs": { - "flake-parts": "flake-parts", + "flake-parts": "flake-parts_2", "nixpkgs": [ "nixpkgs" ], "nuschtosSearch": "nuschtosSearch", - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1752010420, @@ -166,7 +322,7 @@ }, "nuschtosSearch": { "inputs": { - "flake-utils": "flake-utils", + "flake-utils": "flake-utils_2", "ixx": "ixx", "nixpkgs": [ "nixvim", 
@@ -187,18 +343,69 @@ "type": "github" } }, + "pyproject-build-systems": { + "inputs": { + "nixpkgs": [ + "authentik-nix", + "nixpkgs" + ], + "pyproject-nix": [ + "authentik-nix", + "pyproject-nix" + ], + "uv2nix": [ + "authentik-nix", + "uv2nix" + ] + }, + "locked": { + "lastModified": 1756087852, + "narHash": "sha256-4jc3JDQt75fYXFrglgqyzF6C6zLU0QGLymzian4aP+U=", + "owner": "pyproject-nix", + "repo": "build-system-pkgs", + "rev": "6edb3ae27395cd88be3d64b732d1539957dad59c", + "type": "github" + }, + "original": { + "owner": "pyproject-nix", + "repo": "build-system-pkgs", + "type": "github" + } + }, + "pyproject-nix": { + "inputs": { + "nixpkgs": [ + "authentik-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1756395552, + "narHash": "sha256-5aJM14MpoLk2cdZAetu60OkLQrtFLWTICAyn1EP7ZpM=", + "owner": "pyproject-nix", + "repo": "pyproject.nix", + "rev": "030dffc235dcf240d918c651c78dc5f158067b51", + "type": "github" + }, + "original": { + "owner": "pyproject-nix", + "repo": "pyproject.nix", + "type": "github" + } + }, "root": { "inputs": { + "authentik-nix": "authentik-nix", "disko": "disko", "home-manager": "home-manager", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_2", "nixvim": "nixvim", "sops-nix": "sops-nix" } }, "sops-nix": { "inputs": { - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_3" }, "locked": { "lastModified": 1752544651, @@ -216,16 +423,16 @@ }, "systems": { "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "lastModified": 1689347949, + "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "repo": "default-linux", + "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", "type": "github" }, "original": { "owner": "nix-systems", - "repo": "default", + "repo": "default-linux", "type": "github" } }, 
@@ -243,6 +450,46 @@ "repo": "default", "type": "github" } + }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "uv2nix": { + "inputs": { + "nixpkgs": [ + "authentik-nix", + "nixpkgs" + ], + "pyproject-nix": [ + "authentik-nix", + "pyproject-nix" + ] + }, + "locked": { + "lastModified": 1756466761, + "narHash": "sha256-ALXRHIMXQ4qVNfCbcWykC23MjMwUoHn9BreoBfqmq0Y=", + "owner": "pyproject-nix", + "repo": "uv2nix", + "rev": "0529e6d8227517205afcd1b37eee3088db745730", + "type": "github" + }, + "original": { + "owner": "pyproject-nix", + "repo": "uv2nix", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 9e0cff9..a65bb90 100644 --- a/flake.nix +++ b/flake.nix @@ -2,6 +2,9 @@ description = "Multi-host NixOS configuration"; inputs = { + authentik-nix = { + url = "github:nix-community/authentik-nix"; + }; disko = { inputs.nixpkgs.follows = "nixpkgs"; url = "github:nix-community/disko"; @@ -18,7 +21,7 @@ sops-nix.url = "github:Mic92/sops-nix"; }; - outputs = { self, disko, home-manager, nixpkgs, nixvim, sops-nix, ...}: + outputs = { self, authentik-nix, disko, home-manager, nixpkgs, nixvim, sops-nix, ...}: let configFiles = pkgs.stdenv.mkDerivation { name = "config-files"; 
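Review bot: `authentik-nix` is added without `inputs.nixpkgs.follows = "nixpkgs"`, unlike `disko` directly below it, and the lockfile accordingly now carries a second, newer `nixos-unstable` nixpkgs (the new `nixpkgs` node) next to the existing one (renamed `nixpkgs_2`). Two nixpkgs trees mean two sets of package revisions and patch levels to track and a larger closure on every host, and as a side effect `flake-utils`'s `systems` now resolves through authentik-nix's `default-linux` pin. If the upstream module is known to evaluate against your pinned nixpkgs, add `inputs.nixpkgs.follows = "nixpkgs";` to the `authentik-nix` input; if it is deliberately left on upstream's own pin because authentik-nix documents that requirement, a one-line comment saying so would keep the next reader from "fixing" it. The `inputs` attribute set continues outside this hunk.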
@@ -34,15 +37,15 @@ nixosConfigurations = { corp = import ./system.nix { configuration = ./host/corp/configuration.nix; - inherit configFiles disko home-manager nixpkgs nixvim sops-nix system; + inherit authentik-nix configFiles disko home-manager nixpkgs nixvim sops-nix system; }; "sync.nidus.cloud" = import ./system.nix { configuration = ./host/sync/configuration.nix; - inherit configFiles disko home-manager nixpkgs nixvim sops-nix system; + inherit authentik-nix configFiles disko home-manager nixpkgs nixvim sops-nix system; }; test-corp = nixpkgs.lib.nixosSystem { configuration = ./host/test-corp/configuration.nix; - inherit configFiles disko home-manager nixpkgs nixvim sops-nix system; + inherit authentik-nix configFiles disko home-manager nixpkgs nixvim sops-nix system; }; }; }; diff --git a/host/corp/configuration.nix b/host/corp/configuration.nix index 532199d..01326b6 100644 --- a/host/corp/configuration.nix +++ b/host/corp/configuration.nix @@ -31,6 +31,7 @@ vikunja.enable = true; }; services.openssh.enable = true; + services.postgresql.enable = true; users.users.deploy = { extraGroups = [ "deploy" ]; isNormalUser = true; diff --git a/modules/system/authentik-backup.nix b/modules/system/authentik-backup.nix index c83d0d1..86a759a 100644 --- a/modules/system/authentik-backup.nix +++ b/modules/system/authentik-backup.nix 
@@ -17,24 +17,24 @@ in sops.secrets.authentik-backup-pgpass = { mode = "0400"; }; - systemd.services.backup-authentik-db = { - description = "Backup authentik database"; - after = [ "network-online.target" ]; - wants = [ "network-online.target" ]; - path = [ pkgs.bash pkgs.postgresql ]; - requires = [ "podman-authentik-worker.service" ]; # Ensure authentik is running first - script = "${backupScript}/bin/backup-authentik-db.sh"; - serviceConfig = { - # Needs root so it can stop other services - User = "root"; - Group = "root"; - Environment = "PGPASSFILE=${config.sops.secrets.authentik-backup-pgpass.path}"; - EnvironmentFile = "/var/run/secrets/authentik-env"; - Type = "oneshot"; - Restart = "on-failure"; - }; - wantedBy = [ "timers.target" ]; - }; + # systemd.services.backup-authentik-db = { + # description = "Backup authentik database"; + # after = [ "network-online.target" ]; + # wants = [ "network-online.target" ]; + # path = [ pkgs.bash pkgs.postgresql ]; + # requires = [ "podman-authentik-worker.service" ]; # Ensure authentik is running first + # script = "${backupScript}/bin/backup-authentik-db.sh"; + # serviceConfig = { + # # Needs root so it can stop other services + # User = "root"; + # Group = "root"; + # Environment = "PGPASSFILE=${config.sops.secrets.authentik-backup-pgpass.path}"; + # EnvironmentFile = "/var/run/secrets/authentik-env"; + # Type = "oneshot"; + # Restart = "on-failure"; + # }; + # wantedBy = [ "timers.target" ]; + # }; systemd.tmpfiles.rules = [ "d /var/backups/authentik-db 0755 root root" diff --git a/modules/system/authentik.nix b/modules/system/authentik.nix index a385ef5..fd4382f 100644 --- a/modules/system/authentik.nix +++ b/modules/system/authentik.nix 
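Review bot: Commenting out `systemd.services.backup-authentik-db` leaves the identity provider's database with no backup at all, while the `sops.secrets.authentik-backup-pgpass` declaration and the `/var/backups/authentik-db` tmpfiles rule that remain as context in this hunk still deploy a credential and a directory that nothing uses. Since PostgreSQL now runs on the host itself, the built-in module is the simplest replacement, e.g. `services.postgresqlBackup = { enable = true; databases = [ "authentik" ]; };`, after which the dead block and the pgpass secret should be deleted rather than kept as comments — git already preserves the podman-era script. If the old unit is intentionally parked until a replacement is wired up, a `# TODO: backup disabled during migration to services.authentik; restore via services.postgresqlBackup` line makes that visible to whoever reads this next. The enclosing `config` attribute set starts and ends outside this hunk.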
@@ -4,27 +4,70 @@ with lib; options.myModules.authentik.enable = mkEnableOption "custom authentik configuration"; config = mkIf config.myModules.authentik.enable { + environment.systemPackages = [ + pkgs.authentik + ]; + services.authentik = { + enable = true; + environmentFile = "/run/secrets/authentik-env"; + settings = { + database = { + host = "127.0.0.1"; + name = "authentik"; + }; + email = { + host = "smtp.forwardemail.net"; + port = 2465; + use_tls = false; + use_ssl = true; + from = "auth@corp.gleipnir.technology"; + }; + listen = { + listen_debug = "127.0.0.1:9900"; + listen_debug_py = "127.0.0.1:9901"; + listen_http = "127.0.0.1:9000"; + listen_https = "127.0.0.1:9443"; + listen_ldap = "127.0.0.1:3389"; + listen_ldaps = "127.0.0.1:6636"; + listen_radius = "127.0.0.1:1812"; + listen_metrics = "127.0.0.1:9300"; + }; + }; + }; services.caddy.virtualHosts."auth.gleipnir.technology".extraConfig = '' - reverse_proxy http://127.0.0.1:10000 + reverse_proxy http://127.0.0.1:9000 ''; + services.postgresql = { + authentication = pkgs.lib.mkOverride 10 '' + #type database DBuser auth-method + local all all trust + ''; + enable = true; + ensureDatabases = [ "authentik" ]; + ensureUsers = [{ + ensureClauses.login = true; + ensureDBOwnership = true; + name = "authentik"; + }]; + }; sops.secrets.authentik-env = with config.virtualisation.oci-containers; { format = "dotenv"; group = "authentik"; mode = "0440"; owner = "authentik"; - restartUnits = ["${backend}-authentik-server" "${backend}-authentik-worker"]; + restartUnits = ["authentik" "authentik-migrate" "authentik-worker"]; sopsFile = ../../secrets/authentik.env; }; - systemd.services.podman-create-authentik-pod = with config.virtualisation.oci-containers; { - serviceConfig.Type = "oneshot"; - wantedBy = [ "${backend}-authentik-server.service" "${backend}-authentik-worker.service"]; - script = '' - ${pkgs.podman}/bin/podman pod exists authentik || \ - ${pkgs.podman}/bin/podman pod create \ - --name authentik \ - -p 
127.0.0.1:10000:9000 - ''; - }; +# systemd.services.podman-create-authentik-pod = with config.virtualisation.oci-containers; { +# serviceConfig.Type = "oneshot"; +# wantedBy = [ "${backend}-authentik-server.service" "${backend}-authentik-worker.service"]; +# script = '' +# ${pkgs.podman}/bin/podman pod exists authentik || \ +# ${pkgs.podman}/bin/podman pod create \ +# --name authentik \ +# -p 127.0.0.1:10000:9000 +# ''; +# }; systemd.tmpfiles.rules = [ "d /opt/authentik/certs 0755 authentik authentik" "d /opt/authentik/media 0755 authentik authentik" 
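Review bot: `local all all trust` installed with `mkOverride 10` replaces the NixOS default pg_hba entirely, so every local account on the host can connect over the Unix socket as any role, including the `postgres` superuser, with no credential; because `host/corp/configuration.nix` in this same diff also enables vikunja, this PostgreSQL instance is probably shared, so the exposure is not limited to authentik's tables. It is also unlikely to be what makes the connection work: `local` rules match only Unix-socket connections, whereas `settings.database.host = "127.0.0.1"` makes authentik connect over TCP, and after the override no `host` rule is left to match it. The safer shape is to drop the `authentication` override, keep the default `local all all peer`, and point authentik at the socket with `database.host = "/run/postgresql";` so the `authentik` system user (whose role is created with `ensureDBOwnership = true`) authenticates by OS identity — confirm the authentik-nix module runs the server, worker and migrate units as that user. If TCP is genuinely required, add a scoped `host authentik authentik 127.0.0.1/32 scram-sha-256` rule and keep `AUTHENTIK_POSTGRESQL__PASSWORD` in the sops env file instead of widening to `trust`.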
@@ -36,36 +79,36 @@ with lib; isNormalUser = false; isSystemUser = true; }; - virtualisation.oci-containers.containers = { - authentik-redis = { - extraOptions = [ "--pod=authentik" ]; - image = "docker.io/redis:8.0.3-alpine"; - }; - authentik-server = { - cmd = ["server"]; - environmentFiles = [ - "/var/run/secrets/authentik-env" - ]; - extraOptions = [ "--pod=authentik" ]; - image = "ghcr.io/goauthentik/server:2025.4"; - volumes = [ - "/opt/authentik/media:/media" - "/opt/authentik/templates:/templates" - ]; - }; - authentik-worker = { - cmd = ["worker"]; - environmentFiles = [ - "/var/run/secrets/authentik-env" - ]; - extraOptions = [ "--pod=authentik" ]; - image = "ghcr.io/goauthentik/server:2025.4"; - volumes = [ - "/opt/authentik/certs:/certs" - "/opt/authentik/media:/media" - "/opt/authentik/templates:/templates" - ]; - }; - }; + # virtualisation.oci-containers.containers = { + # authentik-redis = { + # extraOptions = [ "--pod=authentik" ]; + # image = "docker.io/redis:8.0.3-alpine"; + # }; + # authentik-server = { + # cmd = ["server"]; + # environmentFiles = [ + # "/var/run/secrets/authentik-env" + # ]; + # extraOptions = [ "--pod=authentik" ]; + # image = "ghcr.io/goauthentik/server:2025.4"; + # volumes = [ + # "/opt/authentik/media:/media" + # "/opt/authentik/templates:/templates" + # ]; + # }; + # authentik-worker = { + # cmd = ["worker"]; + # environmentFiles = [ + # "/var/run/secrets/authentik-env" + # ]; + # extraOptions = [ "--pod=authentik" ]; + # image = "ghcr.io/goauthentik/server:2025.4"; + # volumes = [ + # "/opt/authentik/certs:/certs" + # "/opt/authentik/media:/media" + # "/opt/authentik/templates:/templates" + # ]; + # }; + # }; }; } diff --git a/secrets/authentik.env b/secrets/authentik.env index 4b9a63e..43683e8 100644 --- a/secrets/authentik.env +++ b/secrets/authentik.env 
@@ -1,19 +1,5 @@ -AUTHENTIK_EMAIL__HOST=ENC[AES256_GCM,data:kb2N1evWoc7AINYuQGoG3G2bsi6n,iv:tAOieZNCOgcGCtHtrlYXBtp09a++WH79A+E7M4irIN0=,tag:4dfcXmJfRI4de2et1dkh7Q==,type:str] -AUTHENTIK_EMAIL__PORT=ENC[AES256_GCM,data:Ne3Kgg==,iv:OHHdIjNEeP9QPTDdjim39jQy5vZTxyTuCDjuubqj4cM=,tag:vHELeE8N4/Hrl3TAuKlbVw==,type:str] AUTHENTIK_EMAIL__USERNAME=ENC[AES256_GCM,data:4PMcNtQZOCcepXOFoHQJe8A+0AdOUGQk76rI2EE=,iv:C5ATwjfF+/lkMhUPUF1u4EMmlfe0oCuagrajKVsmsbQ=,tag:PNM+kYe8rgDmOumtfvzE8A==,type:str] AUTHENTIK_EMAIL__PASSWORD=ENC[AES256_GCM,data:761BeyOs9Ay9rb64FQAk14SqD54tcy2P,iv:D9Dn+jXKeSBWXvsyvMHcnM4NkNm1FAph/j1XAOYVG00=,tag:pDJzzlLlpNpQPAyr/IIyFQ==,type:str] -AUTHENTIK_EMAIL__USE_TLS=ENC[AES256_GCM,data:eo/gi3M=,iv:M91bZsoVwsk6uXv/B6S1y7JODDWmeAvwBwInKnZTnPM=,tag:WWsy2gccV/Wb9DPFLcK+xg==,type:str] -AUTHENTIK_EMAIL__USE_SSL=ENC[AES256_GCM,data:VmgNFw==,iv:e+wPUyS1Lh4ertUTQJYeGlJQUfnsROZiKUKLVPOrDMQ=,tag:aKm2EHUmsoYFfja2EJImFQ==,type:str] -AUTHENTIK_EMAIL__TIMEOUT=ENC[AES256_GCM,data:r7w=,iv:CuqardKt0jMVPfefmit02Nl/FX7TedPfAqr/nHpidq4=,tag:2ylJuYA+Cs9bTogv4bBpKQ==,type:str] -AUTHENTIK_EMAIL__FROM=ENC[AES256_GCM,data:E5AT4uoc9A89Yj/fgeGXoTJ/hn2ymNtmZuCXQJ8=,iv:xdQPETFf8PQ3Hi1jM0w0tfmihSzJyzzk9Z93nF21Mcc=,tag:afzrOpHJ4/fDwVUW7S1hqw==,type:str] -AUTHENTIK_ERROR_REPORTING__ENABLED=ENC[AES256_GCM,data:95RHqg==,iv:4aEsQGqMPZAHEl2a2mEPQgE03FmxXX1oFLzYPeDXcAA=,tag:Bkh+GRxfGOximBNfJV0ZZg==,type:str] -AUTHENTIK_LOG_LEVEL=ENC[AES256_GCM,data:s6mBg616vw==,iv:i+hVmUOtUIrbKvxlD8E3Kkq+yYOYb+/xYYqKtyQdB1Q=,tag:DeSHTfgXtWJLkkWQbPydOQ==,type:str] -AUTHENTIK_POSTGRESQL__HOST=ENC[AES256_GCM,data:XvfqJG6+OzmWV6KmXP9d1KmyR5C2aOmpDGWKzJG34JyTR4DuabJbU9nY0iXjf+bjPBk9vvuaFw3j40ZzmLf0r1hhd648fBhKk/MkgRQ2UEg=,iv:+STIftFRvsCXB0jt2QNIYCJWyH8nGi9mHgSQGK8a3tQ=,tag:0EHgHq8lF38wm5Wm4q9Ang==,type:str] -AUTHENTIK_POSTGRESQL__NAME=ENC[AES256_GCM,data:2G3q8ujcsRCb,iv:O+UPxZqrBjQkRegXRyv1+YdOduZcGREo3ZnLAU6uytE=,tag:gh9IbsEp/rszIpaZ34Chag==,type:str] 
-AUTHENTIK_POSTGRESQL__PASSWORD=ENC[AES256_GCM,data:nFRhrE5L9dTX0S5E94EsV5QXlvTL,iv:GBi4EY+p7AoFdF7pslpfUjUWH6yUAE/2sXScPrEv9hU=,tag:UdkiYgEGxeRpXo4atG4ceQ==,type:str] -AUTHENTIK_POSTGRESQL__PORT=ENC[AES256_GCM,data:Fgt54Jw=,iv:vowf1xrkXGIJOutrTvsXWhhLGRLUtUvulxO84BfHP+E=,tag:1alr1aXLiS9lvSBCE24ngQ==,type:str] -AUTHENTIK_POSTGRESQL__USER=ENC[AES256_GCM,data:Eav02SqSk7EbJByQyyk=,iv:TRm0Z17Hx4wwkG29D00Dx/fJ7E+0fgweW72YnKK3kmo=,tag:vwYp8VFCO3LjsYvWaHadNw==,type:str] -AUTHENTIK_REDIS__HOST=ENC[AES256_GCM,data:xuh25ku0Px74yZmZg3cC,iv:xZoppWzkMTXcTW+grfuNZ15J+6Wosh0U9Vzo0AVNzrE=,tag:IF/+DvVjznGC3bzRGskPPw==,type:str] AUTHENTIK_SECRET_KEY=ENC[AES256_GCM,data:8jb7qazlI3luTrBuUWNOy/TTkiiYLW+XYqFKmFo8rgRmbfMqKwM6485U7i7GNFHSVqQEaOXc39WEZR6dZILIZ47nJDETeSnMGGgLz8T7UwU=,iv:GV+cfsX+kXED//ladyo9jg5XLOmg8l1bGTqNB7JnwfU=,tag:ddGxFUKrMSVWWjBrDP1N2w==,type:str] sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSTm1Zb1picVdVRTBiQjRK\nNkVMVHhWa2lsWEVYVllVaW1wdkpKSFVpc0VnCnBXRlVZVk11b0xjV3k2bkJpczVG\nZEZQekljRVJ5VmNOU3R2UXZUMm9CR1UKLS0tIHFHV0VmUHZzTTV3U0w2ZHJKc3Vz\nVEt4RUNBMlBGOFRoUjI0QUlvVVlIb0EKeLJRLIYTakdoc244pXBu6oqoni9ZM9PQ\nyp02oXiyqmlZZqAfTJ4emnVqPv/fJKquiN2izsOtHs4PONc1n5eJcg==\n-----END AGE ENCRYPTED FILE-----\n sops_age__list_0__map_recipient=age1fnkhk9rv7r8gh84vxnhvndk4fgh20qcj4hvnfhdpumcydl6m6vrse50lrz 
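Review bot: Dropping `AUTHENTIK_ERROR_REPORTING__ENABLED` and `AUTHENTIK_LOG_LEVEL` leaves both at authentik's built-in defaults, and because the old values are encrypted here the review cannot tell whether error reporting (which, when enabled, sends error details to upstream) was previously forced off; please confirm the 2025.8.1 default is disabled, or set `error_reporting.enabled = false;` under `services.authentik.settings` next to the `email` block so the choice is explicit. `AUTHENTIK_EMAIL__TIMEOUT` is also removed without a counterpart in `settings.email`, so the default SMTP timeout now applies — add `timeout = <old value>;` there if the previous setting mattered. Moving the non-secret email host, port, TLS flags and `from` address into plain Nix settings is the right split; a short comment at the top of `services.authentik.settings` stating that only `USERNAME`, `PASSWORD` and `SECRET_KEY` stay in this sops file would keep the two halves from drifting.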
@@ -27,7 +13,7 @@ sops_age__list_4__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb2 sops_age__list_4__map_recipient=age1t3ryfktuhr3cysf49m9q2n8fkjf9ajjjnhztxw9hz8paxgk4lpcq065jge sops_age__list_5__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByMU52ajRCZG9zdy90WXVx\naVdkSy9IYk0xbXpIUHdMc09McVBNSzNQemxZCkdVUVllemEvaWJEWldWbTF4Vzk1\nRmwxWUplRGE0VE9nRko0TzNERU04SGsKLS0tIHJib2RCcE5neS9VMzIyMFdLdUtQ\nUkQ3ZFo3aTA1bWNFWC9hS3V2dmdLbkkKQpvIwDvGbK1hh7L76fjDYN2cpVQ6tmMH\nx/yrABcRT54Q36zynPYlk18tWh19hjpkExNxPu6zdEoQ8MXUto8vFw==\n-----END AGE ENCRYPTED FILE-----\n sops_age__list_5__map_recipient=age1j90h7hcp4fctr2xwj4zf9cxuelm43wkujvryc9hk6rzzc37rwdmss035w7 -sops_lastmodified=2025-07-18T18:03:58Z -sops_mac=ENC[AES256_GCM,data:8EvENcMYRr735qFHBWlo/PT92kKKa6Qsq4IOYnf8na/b+PqHf2U4nUFC38BrfagbVUzB8YKaSE7mFwdzSPWCBa1do8aQgxxBav4sMWorp/bq85LXSk01t/0CWmkjvb/YEOE3OX5hDO+0l0y22fNwKb6OJ/4uv6PRMbhGwjJ4/CA=,iv:0s0PZQxIP/dE6IZLcT6v6lp3wXf3Ds+QSgRl1MaeCoY=,tag:E5dgeqJcYAa86lD1+nL5Sg==,type:str] +sops_lastmodified=2025-09-09T12:49:14Z +sops_mac=ENC[AES256_GCM,data:l28mT7peCNM8I0g0UdH1OsFHMDAQ7YRo4GBSXMGbVfTmvIO3Qlkav/07ByBnv1HaGbSuRnMeF8zYilNLRO5JXdgUmFrt+QNXYrbFtkEd4boldVIHDDjtj5lyO6xdX/S5BL+engyE+7+DXz1UFkKBKoKqnQupzFLhWoIsFkGxbq0=,iv:IfzlXWHN0LLhVU/T79Wn8kraENMibtijWj8l7LiT4uE=,tag:RNFlpyEd+QBUFGGZC9CvDA==,type:str] sops_unencrypted_suffix=_unencrypted sops_version=3.10.2 diff --git a/system.nix b/system.nix index 4c61de8..97e1513 100644 --- a/system.nix +++ b/system.nix @@ -1,4 +1,4 @@ -{ configFiles, configuration, disko, home-manager, nixpkgs, nixvim, sops-nix, system, ... }: +{ authentik-nix, configFiles, configuration, disko, home-manager, nixpkgs, nixvim, sops-nix, system, ... }: let allowed-unfree-packages = [ "corefonts" @@ -6,6 +6,7 @@ let ]; in nixpkgs.lib.nixosSystem { modules = [ + authentik-nix.nixosModules.default disko.nixosModules.disko home-manager.nixosModules.home-manager {