From 4d5de177b5eb75e8c0c39ba9c9d87a535505258b Mon Sep 17 00:00:00 2001
From: Eli Ribble
Date: Tue, 9 Sep 2025 13:01:14 +0000
Subject: [PATCH] Get authentik working on the new corp server without podman

The podman integration was pretty janky because it relied on running a pod and the NixOS integration with pods is essentially non-existent. This led to issues with the port being improperly forwarded when partially restarted. Now instead I use a flake dedicated to running authentik. This allows me to specify some of the config in the module directly and some in secrets, which is really nice. I've additionally added some changes to the listen address so that the service isn't exposed over public IP addresses.
---
 flake.lock | 271 ++++++++++++++++++++++++++--
 flake.nix | 11 +-
 host/corp/configuration.nix | 1 +
 modules/system/authentik-backup.nix | 36 ++--
 modules/system/authentik.nix | 129 ++++++++-----
 secrets/authentik.env | 18 +-
 system.nix | 3 +-
 7 files changed, 375 insertions(+), 94 deletions(-)

diff --git a/flake.lock b/flake.lock
index f334a10..f37b204 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,49 @@ { "nodes": { + "authentik-nix": { + "inputs": { + "authentik-src": "authentik-src", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "flake-utils": "flake-utils", + "napalm": "napalm", + "nixpkgs": "nixpkgs", + "pyproject-build-systems": "pyproject-build-systems", + "pyproject-nix": "pyproject-nix", + "systems": "systems", + "uv2nix": "uv2nix" + }, + "locked": { + "lastModified": 1757062396, + "narHash": "sha256-403iuoMVVjk64sF1GgZfrRwOnVU1H14sflE+LNp927c=", + "owner": "nix-community", + "repo": "authentik-nix", + "rev": "22827e9a0cc002a076ee8bd14c3433ebc6c87f95", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "authentik-nix", + "type": "github" + } + }, + "authentik-src": { + "flake": false, + "locked": { + "lastModified": 1755873658, + "narHash": "sha256-5l1g55b0xozGg0NaZFimiO5JbHGcudaNSEn1/XsweaU=", + "owner": "goauthentik", + "repo": "authentik", + "rev": "dd7c6b29d950664deadbcf5390272619a8bf9a5e", + "type": "github" + }, + "original": { + "owner": "goauthentik", + "ref": "version/2025.8.1", + "repo": "authentik", + "type": "github" + } + }, "disko": { "inputs": { "nixpkgs": [ 
@@ -20,7 +64,41 @@ "type": "github" } }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1747046372, + "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1754487366, + "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { "inputs": { "nixpkgs-lib": [ "nixvim", @@ -43,7 +121,28 @@ }, "flake-utils": { "inputs": { - "systems": "systems" + "systems": [ + "authentik-nix", + "systems" + ] + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_2" }, "locked": { "lastModified": 1731533236, 
@@ -108,7 +207,64 @@ "type": "github" } }, + "napalm": { + "inputs": { + "flake-utils": [ + "authentik-nix", + "flake-utils" + ], + "nixpkgs": [ + "authentik-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1725806412, + "narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=", + "owner": "willibutz", + "repo": "napalm", + "rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5", + "type": "github" + }, + "original": { + "owner": "willibutz", + "ref": "avoid-foldl-stack-overflow", + "repo": "napalm", + "type": "github" + } + }, "nixpkgs": { + "locked": { + "lastModified": 1756386758, + "narHash": "sha256-1wxxznpW2CKvI9VdniaUnTT2Os6rdRJcRUf65ZK9OtE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "dfb2f12e899db4876308eba6d93455ab7da304cd", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-lib": { + "locked": { + "lastModified": 1753579242, + "narHash": "sha256-zvaMGVn14/Zz8hnp4VWT9xVnhc8vuL3TStRqwk22biA=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "0f36c44e01a6129be94e3ade315a5883f0228a6e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "nixpkgs_2": { "locked": { "lastModified": 1752436162, "narHash": "sha256-Kt1UIPi7kZqkSc5HVj6UY5YLHHEzPBkgpNUByuyxtlw=", @@ -124,7 +280,7 @@ "type": "github" } }, - "nixpkgs_2": { + "nixpkgs_3": { "locked": { "lastModified": 1744868846, "narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=", @@ -142,12 +298,12 @@ }, "nixvim": { "inputs": { - "flake-parts": "flake-parts", + "flake-parts": "flake-parts_2", "nixpkgs": [ "nixpkgs" ], "nuschtosSearch": "nuschtosSearch", - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1752010420, @@ -166,7 +322,7 @@ }, "nuschtosSearch": { "inputs": { - "flake-utils": "flake-utils", + "flake-utils": "flake-utils_2", "ixx": "ixx", "nixpkgs": [ "nixvim", 
@@ -187,18 +343,69 @@ "type": "github" } }, + "pyproject-build-systems": { + "inputs": { + "nixpkgs": [ + "authentik-nix", + "nixpkgs" + ], + "pyproject-nix": [ + "authentik-nix", + "pyproject-nix" + ], + "uv2nix": [ + "authentik-nix", + "uv2nix" + ] + }, + "locked": { + "lastModified": 1756087852, + "narHash": "sha256-4jc3JDQt75fYXFrglgqyzF6C6zLU0QGLymzian4aP+U=", + "owner": "pyproject-nix", + "repo": "build-system-pkgs", + "rev": "6edb3ae27395cd88be3d64b732d1539957dad59c", + "type": "github" + }, + "original": { + "owner": "pyproject-nix", + "repo": "build-system-pkgs", + "type": "github" + } + }, + "pyproject-nix": { + "inputs": { + "nixpkgs": [ + "authentik-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1756395552, + "narHash": "sha256-5aJM14MpoLk2cdZAetu60OkLQrtFLWTICAyn1EP7ZpM=", + "owner": "pyproject-nix", + "repo": "pyproject.nix", + "rev": "030dffc235dcf240d918c651c78dc5f158067b51", + "type": "github" + }, + "original": { + "owner": "pyproject-nix", + "repo": "pyproject.nix", + "type": "github" + } + }, "root": { "inputs": { + "authentik-nix": "authentik-nix", "disko": "disko", "home-manager": "home-manager", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_2", "nixvim": "nixvim", "sops-nix": "sops-nix" } }, "sops-nix": { "inputs": { - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_3" }, "locked": { "lastModified": 1752544651, @@ -216,16 +423,16 @@ }, "systems": { "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "lastModified": 1689347949, + "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "repo": "default-linux", + "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", "type": "github" }, "original": { "owner": "nix-systems", - "repo": "default", + "repo": "default-linux", "type": "github" } }, 
@@ -243,6 +450,46 @@ "repo": "default", "type": "github" } + }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "uv2nix": { + "inputs": { + "nixpkgs": [ + "authentik-nix", + "nixpkgs" + ], + "pyproject-nix": [ + "authentik-nix", + "pyproject-nix" + ] + }, + "locked": { + "lastModified": 1756466761, + "narHash": "sha256-ALXRHIMXQ4qVNfCbcWykC23MjMwUoHn9BreoBfqmq0Y=", + "owner": "pyproject-nix", + "repo": "uv2nix", + "rev": "0529e6d8227517205afcd1b37eee3088db745730", + "type": "github" + }, + "original": { + "owner": "pyproject-nix", + "repo": "uv2nix", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 9e0cff9..a65bb90 100644 --- a/flake.nix +++ b/flake.nix @@ -2,6 +2,9 @@ description = "Multi-host NixOS configuration"; inputs = { + authentik-nix = { + url = "github:nix-community/authentik-nix"; + }; disko = { inputs.nixpkgs.follows = "nixpkgs"; url = "github:nix-community/disko"; @@ -18,7 +21,7 @@ sops-nix.url = "github:Mic92/sops-nix"; }; - outputs = { self, disko, home-manager, nixpkgs, nixvim, sops-nix, ...}: + outputs = { self, authentik-nix, disko, home-manager, nixpkgs, nixvim, sops-nix, ...}: let configFiles = pkgs.stdenv.mkDerivation { name = "config-files"; 
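Review bot: The new `authentik-nix` input at the top of the flake.nix hunk has no `inputs.nixpkgs.follows = "nixpkgs";`, unlike the `disko` entry directly below it, so the lockfile now carries two nixpkgs revisions (`nixpkgs` and `nixpkgs_2`) and authentik's PostgreSQL and Python closure is built from a different package set than the rest of the host. If that is deliberate — authentik-nix may pin its own nixpkgs for its uv2nix build — a one-line comment on the input saying so would stop the next reader from "fixing" it; otherwise add the `follows` line for consistency with the other inputs. Either way, consider pinning the input to a tag or rev in the `url` rather than the default branch, so that a `nix flake update` cannot move the identity provider to an arbitrary upstream commit without a visible version change in the diff.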
@@ -34,15 +37,15 @@
 nixosConfigurations = {
 corp = import ./system.nix {
 configuration = ./host/corp/configuration.nix;
- inherit configFiles disko home-manager nixpkgs nixvim sops-nix system;
+ inherit authentik-nix configFiles disko home-manager nixpkgs nixvim sops-nix system;
 };
 "sync.nidus.cloud" = import ./system.nix {
 configuration = ./host/sync/configuration.nix;
- inherit configFiles disko home-manager nixpkgs nixvim sops-nix system;
+ inherit authentik-nix configFiles disko home-manager nixpkgs nixvim sops-nix system;
 };
 test-corp = nixpkgs.lib.nixosSystem {
 configuration = ./host/test-corp/configuration.nix;
- inherit configFiles disko home-manager nixpkgs nixvim sops-nix system;
+ inherit authentik-nix configFiles disko home-manager nixpkgs nixvim sops-nix system;
 };
 };
 };
diff --git a/host/corp/configuration.nix b/host/corp/configuration.nix
index 532199d..01326b6 100644
--- a/host/corp/configuration.nix
+++ b/host/corp/configuration.nix
@@ -31,6 +31,7 @@
 vikunja.enable = true;
 };
 services.openssh.enable = true;
+ services.postgresql.enable = true;
 users.users.deploy = {
 extraGroups = [ "deploy" ];
 isNormalUser = true;
diff --git a/modules/system/authentik-backup.nix b/modules/system/authentik-backup.nix
index c83d0d1..86a759a 100644
--- a/modules/system/authentik-backup.nix
+++ b/modules/system/authentik-backup.nix
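Review bot: `services.postgresql.enable = true;` added to host/corp/configuration.nix duplicates the same setting inside the authentik module in this commit, which applies whenever `myModules.authentik.enable` is set for this host (that toggle is outside the hunk, so I am inferring it sits next to `vikunja.enable = true;`). The duplicate is harmless but hides the real dependency; either drop it, or keep it with a comment naming the other service that needs PostgreSQL independently of authentik.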
@@ -17,24 +17,24 @@ in
 sops.secrets.authentik-backup-pgpass = {
 mode = "0400";
 };
- systemd.services.backup-authentik-db = {
- description = "Backup authentik database";
- after = [ "network-online.target" ];
- wants = [ "network-online.target" ];
- path = [ pkgs.bash pkgs.postgresql ];
- requires = [ "podman-authentik-worker.service" ]; # Ensure authentik is running first
- script = "${backupScript}/bin/backup-authentik-db.sh";
- serviceConfig = {
- # Needs root so it can stop other services
- User = "root";
- Group = "root";
- Environment = "PGPASSFILE=${config.sops.secrets.authentik-backup-pgpass.path}";
- EnvironmentFile = "/var/run/secrets/authentik-env";
- Type = "oneshot";
- Restart = "on-failure";
- };
- wantedBy = [ "timers.target" ];
- };
+ # systemd.services.backup-authentik-db = {
+ # description = "Backup authentik database";
+ # after = [ "network-online.target" ];
+ # wants = [ "network-online.target" ];
+ # path = [ pkgs.bash pkgs.postgresql ];
+ # requires = [ "podman-authentik-worker.service" ]; # Ensure authentik is running first
+ # script = "${backupScript}/bin/backup-authentik-db.sh";
+ # serviceConfig = {
+ # # Needs root so it can stop other services
+ # User = "root";
+ # Group = "root";
+ # Environment = "PGPASSFILE=${config.sops.secrets.authentik-backup-pgpass.path}";
+ # EnvironmentFile = "/var/run/secrets/authentik-env";
+ # Type = "oneshot";
+ # Restart = "on-failure";
+ # };
+ # wantedBy = [ "timers.target" ];
+ # };
 systemd.tmpfiles.rules = [
 "d /var/backups/authentik-db 0755 root root"
diff --git a/modules/system/authentik.nix b/modules/system/authentik.nix
index a385ef5..fd4382f 100644
--- a/modules/system/authentik.nix
+++ b/modules/system/authentik.nix
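Review bot: Commenting out `systemd.services.backup-authentik-db` instead of porting it means the authentik database is no longer backed up at all after this commit, and any `systemd.timers.backup-authentik-db` declared elsewhere in this file (outside the hunk) now points at a unit that does not exist. The only line that actually broke is the dependency on the podman unit; keeping the service and changing it to `requires = [ "authentik-worker.service" ];` — the worker unit name this commit itself uses in `restartUnits` in authentik.nix — should keep the backup running, since the pgpass secret and the `/var/backups/authentik-db` tmpfiles rule are still declared for it. If the backup is intentionally retired, delete the block rather than keeping eighteen commented lines; git history preserves it. When revived, `EnvironmentFile = "/var/run/secrets/authentik-env"` should become `config.sops.secrets.authentik-env.path` so the secret path is declared in one place.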
@@ -4,27 +4,70 @@ with lib;
 options.myModules.authentik.enable = mkEnableOption "custom authentik configuration";
 config = mkIf config.myModules.authentik.enable {
+ environment.systemPackages = [
+ pkgs.authentik
+ ];
+ services.authentik = {
+ enable = true;
+ environmentFile = "/run/secrets/authentik-env";
+ settings = {
+ database = {
+ host = "127.0.0.1";
+ name = "authentik";
+ };
+ email = {
+ host = "smtp.forwardemail.net";
+ port = 2465;
+ use_tls = false;
+ use_ssl = true;
+ from = "auth@corp.gleipnir.technology";
+ };
+ listen = {
+ listen_debug = "127.0.0.1:9900";
+ listen_debug_py = "127.0.0.1:9901";
+ listen_http = "127.0.0.1:9000";
+ listen_https = "127.0.0.1:9443";
+ listen_ldap = "127.0.0.1:3389";
+ listen_ldaps = "127.0.0.1:6636";
+ listen_radius = "127.0.0.1:1812";
+ listen_metrics = "127.0.0.1:9300";
+ };
+ };
+ };
 services.caddy.virtualHosts."auth.gleipnir.technology".extraConfig = ''
- reverse_proxy http://127.0.0.1:10000
+ reverse_proxy http://127.0.0.1:9000
 '';
+ services.postgresql = {
+ authentication = pkgs.lib.mkOverride 10 ''
+ #type database DBuser auth-method
+ local all all trust
+ '';
+ enable = true;
+ ensureDatabases = [ "authentik" ];
+ ensureUsers = [{
+ ensureClauses.login = true;
+ ensureDBOwnership = true;
+ name = "authentik";
+ }];
+ };
 sops.secrets.authentik-env = with config.virtualisation.oci-containers; {
 format = "dotenv";
 group = "authentik";
 mode = "0440";
 owner = "authentik";
- restartUnits = ["${backend}-authentik-server" "${backend}-authentik-worker"];
+ restartUnits = ["authentik" "authentik-migrate" "authentik-worker"];
 sopsFile = ../../secrets/authentik.env;
 };
- systemd.services.podman-create-authentik-pod = with config.virtualisation.oci-containers; {
- serviceConfig.Type = "oneshot";
- wantedBy = [ "${backend}-authentik-server.service" "${backend}-authentik-worker.service"];
- script = ''
- ${pkgs.podman}/bin/podman pod exists authentik || \
- ${pkgs.podman}/bin/podman pod create \
- --name authentik \
- -p 127.0.0.1:10000:9000
- '';
- };
+# systemd.services.podman-create-authentik-pod = with config.virtualisation.oci-containers; {
+# serviceConfig.Type = "oneshot";
+# wantedBy = [ "${backend}-authentik-server.service" "${backend}-authentik-worker.service"];
+# script = ''
+# ${pkgs.podman}/bin/podman pod exists authentik || \
+# ${pkgs.podman}/bin/podman pod create \
+# --name authentik \
+# -p 127.0.0.1:10000:9000
+# '';
+# };
 systemd.tmpfiles.rules = [
 "d /opt/authentik/certs 0755 authentik authentik"
 "d /opt/authentik/media 0755 authentik authentik"
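Review bot: `local all all trust` in the new `services.postgresql.authentication` lets any local OS account — the `deploy` user this host defines, and every other service user — connect to every database as any role, the `postgres` superuser included, with no credential, and `mkOverride 10` replaces the NixOS default rules rather than appending to them. Because the `authentik` role is created right here with `ensureDBOwnership`, a scoped rule such as `local authentik authentik peer` together with `database.host = "/run/postgresql";` (libpq treats a host beginning with `/` as a socket directory, assuming authentik passes the value through unchanged) would grant exactly the one connection needed, provided the authentik-nix units run as the `authentik` system user this module also declares. Note too that `local` lines match only Unix-socket connections while `database.host = "127.0.0.1"` as written asks for TCP, and the override drops the default `host` lines, so confirm which path the service actually takes before relying on this rule. Two smaller points: `with config.virtualisation.oci-containers;` on the sops secret no longer references `backend` and can be dropped, and `environmentFile = "/run/secrets/authentik-env"` would be better written as `config.sops.secrets.authentik-env.path`. The ten commented-out podman lines should be deleted rather than kept; git history has them.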
@@ -36,36 +79,36 @@ with lib;
 isNormalUser = false;
 isSystemUser = true;
 };
- virtualisation.oci-containers.containers = {
- authentik-redis = {
- extraOptions = [ "--pod=authentik" ];
- image = "docker.io/redis:8.0.3-alpine";
- };
- authentik-server = {
- cmd = ["server"];
- environmentFiles = [
- "/var/run/secrets/authentik-env"
- ];
- extraOptions = [ "--pod=authentik" ];
- image = "ghcr.io/goauthentik/server:2025.4";
- volumes = [
- "/opt/authentik/media:/media"
- "/opt/authentik/templates:/templates"
- ];
- };
- authentik-worker = {
- cmd = ["worker"];
- environmentFiles = [
- "/var/run/secrets/authentik-env"
- ];
- extraOptions = [ "--pod=authentik" ];
- image = "ghcr.io/goauthentik/server:2025.4";
- volumes = [
- "/opt/authentik/certs:/certs"
- "/opt/authentik/media:/media"
- "/opt/authentik/templates:/templates"
- ];
- };
- };
+ # virtualisation.oci-containers.containers = {
+ # authentik-redis = {
+ # extraOptions = [ "--pod=authentik" ];
+ # image = "docker.io/redis:8.0.3-alpine";
+ # };
+ # authentik-server = {
+ # cmd = ["server"];
+ # environmentFiles = [
+ # "/var/run/secrets/authentik-env"
+ # ];
+ # extraOptions = [ "--pod=authentik" ];
+ # image = "ghcr.io/goauthentik/server:2025.4";
+ # volumes = [
+ # "/opt/authentik/media:/media"
+ # "/opt/authentik/templates:/templates"
+ # ];
+ # };
+ # authentik-worker = {
+ # cmd = ["worker"];
+ # environmentFiles = [
+ # "/var/run/secrets/authentik-env"
+ # ];
+ # extraOptions = [ "--pod=authentik" ];
+ # image = "ghcr.io/goauthentik/server:2025.4";
+ # volumes = [
+ # "/opt/authentik/certs:/certs"
+ # "/opt/authentik/media:/media"
+ # "/opt/authentik/templates:/templates"
+ # ];
+ # };
+ # };
 };
 }
diff --git a/secrets/authentik.env b/secrets/authentik.env
index 4b9a63e..43683e8 100644
--- a/secrets/authentik.env
+++ b/secrets/authentik.env
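Review bot: The thirty-one removed container definitions are kept as commented-out code at the very end of the module, so the dead text is the last thing a reader sees before the closing `};` and `}`; delete them outright, since git history preserves them. Separately, the user declaration whose tail (`isSystemUser = true;`) is the hunk's leading context, and the `/opt/authentik/{certs,media,templates}` tmpfiles rules in the previous hunk, existed to serve the container volume mounts; with `services.authentik` the authentik-nix module presumably manages its own user and state directory, so these lines are likely dead or may even redefine the user the module creates — verify against the module and drop whichever are unused.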
@@ -1,19 +1,5 @@ -AUTHENTIK_EMAIL__HOST=ENC[AES256_GCM,data:kb2N1evWoc7AINYuQGoG3G2bsi6n,iv:tAOieZNCOgcGCtHtrlYXBtp09a++WH79A+E7M4irIN0=,tag:4dfcXmJfRI4de2et1dkh7Q==,type:str] -AUTHENTIK_EMAIL__PORT=ENC[AES256_GCM,data:Ne3Kgg==,iv:OHHdIjNEeP9QPTDdjim39jQy5vZTxyTuCDjuubqj4cM=,tag:vHELeE8N4/Hrl3TAuKlbVw==,type:str] AUTHENTIK_EMAIL__USERNAME=ENC[AES256_GCM,data:4PMcNtQZOCcepXOFoHQJe8A+0AdOUGQk76rI2EE=,iv:C5ATwjfF+/lkMhUPUF1u4EMmlfe0oCuagrajKVsmsbQ=,tag:PNM+kYe8rgDmOumtfvzE8A==,type:str] AUTHENTIK_EMAIL__PASSWORD=ENC[AES256_GCM,data:761BeyOs9Ay9rb64FQAk14SqD54tcy2P,iv:D9Dn+jXKeSBWXvsyvMHcnM4NkNm1FAph/j1XAOYVG00=,tag:pDJzzlLlpNpQPAyr/IIyFQ==,type:str] -AUTHENTIK_EMAIL__USE_TLS=ENC[AES256_GCM,data:eo/gi3M=,iv:M91bZsoVwsk6uXv/B6S1y7JODDWmeAvwBwInKnZTnPM=,tag:WWsy2gccV/Wb9DPFLcK+xg==,type:str] -AUTHENTIK_EMAIL__USE_SSL=ENC[AES256_GCM,data:VmgNFw==,iv:e+wPUyS1Lh4ertUTQJYeGlJQUfnsROZiKUKLVPOrDMQ=,tag:aKm2EHUmsoYFfja2EJImFQ==,type:str] -AUTHENTIK_EMAIL__TIMEOUT=ENC[AES256_GCM,data:r7w=,iv:CuqardKt0jMVPfefmit02Nl/FX7TedPfAqr/nHpidq4=,tag:2ylJuYA+Cs9bTogv4bBpKQ==,type:str] -AUTHENTIK_EMAIL__FROM=ENC[AES256_GCM,data:E5AT4uoc9A89Yj/fgeGXoTJ/hn2ymNtmZuCXQJ8=,iv:xdQPETFf8PQ3Hi1jM0w0tfmihSzJyzzk9Z93nF21Mcc=,tag:afzrOpHJ4/fDwVUW7S1hqw==,type:str] -AUTHENTIK_ERROR_REPORTING__ENABLED=ENC[AES256_GCM,data:95RHqg==,iv:4aEsQGqMPZAHEl2a2mEPQgE03FmxXX1oFLzYPeDXcAA=,tag:Bkh+GRxfGOximBNfJV0ZZg==,type:str] -AUTHENTIK_LOG_LEVEL=ENC[AES256_GCM,data:s6mBg616vw==,iv:i+hVmUOtUIrbKvxlD8E3Kkq+yYOYb+/xYYqKtyQdB1Q=,tag:DeSHTfgXtWJLkkWQbPydOQ==,type:str] -AUTHENTIK_POSTGRESQL__HOST=ENC[AES256_GCM,data:XvfqJG6+OzmWV6KmXP9d1KmyR5C2aOmpDGWKzJG34JyTR4DuabJbU9nY0iXjf+bjPBk9vvuaFw3j40ZzmLf0r1hhd648fBhKk/MkgRQ2UEg=,iv:+STIftFRvsCXB0jt2QNIYCJWyH8nGi9mHgSQGK8a3tQ=,tag:0EHgHq8lF38wm5Wm4q9Ang==,type:str] -AUTHENTIK_POSTGRESQL__NAME=ENC[AES256_GCM,data:2G3q8ujcsRCb,iv:O+UPxZqrBjQkRegXRyv1+YdOduZcGREo3ZnLAU6uytE=,tag:gh9IbsEp/rszIpaZ34Chag==,type:str] 
-AUTHENTIK_POSTGRESQL__PASSWORD=ENC[AES256_GCM,data:nFRhrE5L9dTX0S5E94EsV5QXlvTL,iv:GBi4EY+p7AoFdF7pslpfUjUWH6yUAE/2sXScPrEv9hU=,tag:UdkiYgEGxeRpXo4atG4ceQ==,type:str] -AUTHENTIK_POSTGRESQL__PORT=ENC[AES256_GCM,data:Fgt54Jw=,iv:vowf1xrkXGIJOutrTvsXWhhLGRLUtUvulxO84BfHP+E=,tag:1alr1aXLiS9lvSBCE24ngQ==,type:str] -AUTHENTIK_POSTGRESQL__USER=ENC[AES256_GCM,data:Eav02SqSk7EbJByQyyk=,iv:TRm0Z17Hx4wwkG29D00Dx/fJ7E+0fgweW72YnKK3kmo=,tag:vwYp8VFCO3LjsYvWaHadNw==,type:str] -AUTHENTIK_REDIS__HOST=ENC[AES256_GCM,data:xuh25ku0Px74yZmZg3cC,iv:xZoppWzkMTXcTW+grfuNZ15J+6Wosh0U9Vzo0AVNzrE=,tag:IF/+DvVjznGC3bzRGskPPw==,type:str] AUTHENTIK_SECRET_KEY=ENC[AES256_GCM,data:8jb7qazlI3luTrBuUWNOy/TTkiiYLW+XYqFKmFo8rgRmbfMqKwM6485U7i7GNFHSVqQEaOXc39WEZR6dZILIZ47nJDETeSnMGGgLz8T7UwU=,iv:GV+cfsX+kXED//ladyo9jg5XLOmg8l1bGTqNB7JnwfU=,tag:ddGxFUKrMSVWWjBrDP1N2w==,type:str] sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSTm1Zb1picVdVRTBiQjRK\nNkVMVHhWa2lsWEVYVllVaW1wdkpKSFVpc0VnCnBXRlVZVk11b0xjV3k2bkJpczVG\nZEZQekljRVJ5VmNOU3R2UXZUMm9CR1UKLS0tIHFHV0VmUHZzTTV3U0w2ZHJKc3Vz\nVEt4RUNBMlBGOFRoUjI0QUlvVVlIb0EKeLJRLIYTakdoc244pXBu6oqoni9ZM9PQ\nyp02oXiyqmlZZqAfTJ4emnVqPv/fJKquiN2izsOtHs4PONc1n5eJcg==\n-----END AGE ENCRYPTED FILE-----\n sops_age__list_0__map_recipient=age1fnkhk9rv7r8gh84vxnhvndk4fgh20qcj4hvnfhdpumcydl6m6vrse50lrz 
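Review bot: Dropping `AUTHENTIK_POSTGRESQL__PASSWORD` (with `__USER` and `__PORT`) from the secrets file means the database connection now authenticates solely through the pg_hba `trust` entry this commit adds in authentik.nix; if that entry is later tightened to `scram-sha-256`, this variable has to come back, and `ensureUsers` does not set a password for the role. Also check that `AUTHENTIK_LOG_LEVEL` and `AUTHENTIK_ERROR_REPORTING__ENABLED`, whose encrypted values are removed here with no counterpart in the new `settings`, were at their defaults — if not, move them into `settings` (`log_level`, `error_reporting.enabled`), since neither value is a secret and belongs in plain config.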
@@ -27,7 +13,7 @@ sops_age__list_4__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb2 sops_age__list_4__map_recipient=age1t3ryfktuhr3cysf49m9q2n8fkjf9ajjjnhztxw9hz8paxgk4lpcq065jge sops_age__list_5__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByMU52ajRCZG9zdy90WXVx\naVdkSy9IYk0xbXpIUHdMc09McVBNSzNQemxZCkdVUVllemEvaWJEWldWbTF4Vzk1\nRmwxWUplRGE0VE9nRko0TzNERU04SGsKLS0tIHJib2RCcE5neS9VMzIyMFdLdUtQ\nUkQ3ZFo3aTA1bWNFWC9hS3V2dmdLbkkKQpvIwDvGbK1hh7L76fjDYN2cpVQ6tmMH\nx/yrABcRT54Q36zynPYlk18tWh19hjpkExNxPu6zdEoQ8MXUto8vFw==\n-----END AGE ENCRYPTED FILE-----\n sops_age__list_5__map_recipient=age1j90h7hcp4fctr2xwj4zf9cxuelm43wkujvryc9hk6rzzc37rwdmss035w7 -sops_lastmodified=2025-07-18T18:03:58Z -sops_mac=ENC[AES256_GCM,data:8EvENcMYRr735qFHBWlo/PT92kKKa6Qsq4IOYnf8na/b+PqHf2U4nUFC38BrfagbVUzB8YKaSE7mFwdzSPWCBa1do8aQgxxBav4sMWorp/bq85LXSk01t/0CWmkjvb/YEOE3OX5hDO+0l0y22fNwKb6OJ/4uv6PRMbhGwjJ4/CA=,iv:0s0PZQxIP/dE6IZLcT6v6lp3wXf3Ds+QSgRl1MaeCoY=,tag:E5dgeqJcYAa86lD1+nL5Sg==,type:str] +sops_lastmodified=2025-09-09T12:49:14Z +sops_mac=ENC[AES256_GCM,data:l28mT7peCNM8I0g0UdH1OsFHMDAQ7YRo4GBSXMGbVfTmvIO3Qlkav/07ByBnv1HaGbSuRnMeF8zYilNLRO5JXdgUmFrt+QNXYrbFtkEd4boldVIHDDjtj5lyO6xdX/S5BL+engyE+7+DXz1UFkKBKoKqnQupzFLhWoIsFkGxbq0=,iv:IfzlXWHN0LLhVU/T79Wn8kraENMibtijWj8l7LiT4uE=,tag:RNFlpyEd+QBUFGGZC9CvDA==,type:str] sops_unencrypted_suffix=_unencrypted sops_version=3.10.2 diff --git a/system.nix b/system.nix index 4c61de8..97e1513 100644 --- a/system.nix +++ b/system.nix @@ -1,4 +1,4 @@ -{ configFiles, configuration, disko, home-manager, nixpkgs, nixvim, sops-nix, system, ... }: +{ authentik-nix, configFiles, configuration, disko, home-manager, nixpkgs, nixvim, sops-nix, system, ... }: let allowed-unfree-packages = [ "corefonts" @@ -6,6 +6,7 @@ let ]; in nixpkgs.lib.nixosSystem { modules = [ + authentik-nix.nixosModules.default disko.nixosModules.disko home-manager.nixosModules.home-manager {