Get authentik working on the new corp server without podman

The podman integration was pretty janky because it relied on running a
pod, and NixOS's integration with pods is essentially non-existent.
This led to the port being improperly forwarded when the services were
only partially restarted.

Now instead I use a flake dedicated to running authentik. This allows me
to specify some of the config in the module directly and some in
secrets, which is really nice. I've additionally added some changes to
the listen address so that the service isn't exposed over public IP
addresses.
Eli Ribble 2025-09-09 13:01:14 +00:00
parent 696273efb8
commit 4d5de177b5
7 changed files with 375 additions and 94 deletions

flake.lock generated

@ -1,5 +1,49 @@
{ {
"nodes": { "nodes": {
"authentik-nix": {
"inputs": {
"authentik-src": "authentik-src",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils",
"napalm": "napalm",
"nixpkgs": "nixpkgs",
"pyproject-build-systems": "pyproject-build-systems",
"pyproject-nix": "pyproject-nix",
"systems": "systems",
"uv2nix": "uv2nix"
},
"locked": {
"lastModified": 1757062396,
"narHash": "sha256-403iuoMVVjk64sF1GgZfrRwOnVU1H14sflE+LNp927c=",
"owner": "nix-community",
"repo": "authentik-nix",
"rev": "22827e9a0cc002a076ee8bd14c3433ebc6c87f95",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "authentik-nix",
"type": "github"
}
},
"authentik-src": {
"flake": false,
"locked": {
"lastModified": 1755873658,
"narHash": "sha256-5l1g55b0xozGg0NaZFimiO5JbHGcudaNSEn1/XsweaU=",
"owner": "goauthentik",
"repo": "authentik",
"rev": "dd7c6b29d950664deadbcf5390272619a8bf9a5e",
"type": "github"
},
"original": {
"owner": "goauthentik",
"ref": "version/2025.8.1",
"repo": "authentik",
"type": "github"
}
},
"disko": { "disko": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -20,7 +64,41 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1747046372,
"narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": { "flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1754487366,
"narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
"nixvim", "nixvim",
@ -43,7 +121,28 @@
}, },
"flake-utils": { "flake-utils": {
"inputs": { "inputs": {
"systems": "systems" "systems": [
"authentik-nix",
"systems"
]
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_2"
}, },
"locked": { "locked": {
"lastModified": 1731533236, "lastModified": 1731533236,
@ -108,7 +207,64 @@
"type": "github" "type": "github"
} }
}, },
"napalm": {
"inputs": {
"flake-utils": [
"authentik-nix",
"flake-utils"
],
"nixpkgs": [
"authentik-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1725806412,
"narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=",
"owner": "willibutz",
"repo": "napalm",
"rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5",
"type": "github"
},
"original": {
"owner": "willibutz",
"ref": "avoid-foldl-stack-overflow",
"repo": "napalm",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": {
"lastModified": 1756386758,
"narHash": "sha256-1wxxznpW2CKvI9VdniaUnTT2Os6rdRJcRUf65ZK9OtE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "dfb2f12e899db4876308eba6d93455ab7da304cd",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1753579242,
"narHash": "sha256-zvaMGVn14/Zz8hnp4VWT9xVnhc8vuL3TStRqwk22biA=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "0f36c44e01a6129be94e3ade315a5883f0228a6e",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1752436162, "lastModified": 1752436162,
"narHash": "sha256-Kt1UIPi7kZqkSc5HVj6UY5YLHHEzPBkgpNUByuyxtlw=", "narHash": "sha256-Kt1UIPi7kZqkSc5HVj6UY5YLHHEzPBkgpNUByuyxtlw=",
@ -124,7 +280,7 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_2": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1744868846, "lastModified": 1744868846,
"narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=", "narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=",
@ -142,12 +298,12 @@
}, },
"nixvim": { "nixvim": {
"inputs": { "inputs": {
"flake-parts": "flake-parts", "flake-parts": "flake-parts_2",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"nuschtosSearch": "nuschtosSearch", "nuschtosSearch": "nuschtosSearch",
"systems": "systems_2" "systems": "systems_3"
}, },
"locked": { "locked": {
"lastModified": 1752010420, "lastModified": 1752010420,
@ -166,7 +322,7 @@
}, },
"nuschtosSearch": { "nuschtosSearch": {
"inputs": { "inputs": {
"flake-utils": "flake-utils", "flake-utils": "flake-utils_2",
"ixx": "ixx", "ixx": "ixx",
"nixpkgs": [ "nixpkgs": [
"nixvim", "nixvim",
@ -187,18 +343,69 @@
"type": "github" "type": "github"
} }
}, },
"pyproject-build-systems": {
"inputs": {
"nixpkgs": [
"authentik-nix",
"nixpkgs"
],
"pyproject-nix": [
"authentik-nix",
"pyproject-nix"
],
"uv2nix": [
"authentik-nix",
"uv2nix"
]
},
"locked": {
"lastModified": 1756087852,
"narHash": "sha256-4jc3JDQt75fYXFrglgqyzF6C6zLU0QGLymzian4aP+U=",
"owner": "pyproject-nix",
"repo": "build-system-pkgs",
"rev": "6edb3ae27395cd88be3d64b732d1539957dad59c",
"type": "github"
},
"original": {
"owner": "pyproject-nix",
"repo": "build-system-pkgs",
"type": "github"
}
},
"pyproject-nix": {
"inputs": {
"nixpkgs": [
"authentik-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1756395552,
"narHash": "sha256-5aJM14MpoLk2cdZAetu60OkLQrtFLWTICAyn1EP7ZpM=",
"owner": "pyproject-nix",
"repo": "pyproject.nix",
"rev": "030dffc235dcf240d918c651c78dc5f158067b51",
"type": "github"
},
"original": {
"owner": "pyproject-nix",
"repo": "pyproject.nix",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"authentik-nix": "authentik-nix",
"disko": "disko", "disko": "disko",
"home-manager": "home-manager", "home-manager": "home-manager",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs_2",
"nixvim": "nixvim", "nixvim": "nixvim",
"sops-nix": "sops-nix" "sops-nix": "sops-nix"
} }
}, },
"sops-nix": { "sops-nix": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_3"
}, },
"locked": { "locked": {
"lastModified": 1752544651, "lastModified": 1752544651,
@ -216,16 +423,16 @@
}, },
"systems": { "systems": {
"locked": { "locked": {
"lastModified": 1681028828, "lastModified": 1689347949,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
"owner": "nix-systems", "owner": "nix-systems",
"repo": "default", "repo": "default-linux",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-systems", "owner": "nix-systems",
"repo": "default", "repo": "default-linux",
"type": "github" "type": "github"
} }
}, },
@ -243,6 +450,46 @@
"repo": "default", "repo": "default",
"type": "github" "type": "github"
} }
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"uv2nix": {
"inputs": {
"nixpkgs": [
"authentik-nix",
"nixpkgs"
],
"pyproject-nix": [
"authentik-nix",
"pyproject-nix"
]
},
"locked": {
"lastModified": 1756466761,
"narHash": "sha256-ALXRHIMXQ4qVNfCbcWykC23MjMwUoHn9BreoBfqmq0Y=",
"owner": "pyproject-nix",
"repo": "uv2nix",
"rev": "0529e6d8227517205afcd1b37eee3088db745730",
"type": "github"
},
"original": {
"owner": "pyproject-nix",
"repo": "uv2nix",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",


@ -2,6 +2,9 @@
description = "Multi-host NixOS configuration"; description = "Multi-host NixOS configuration";
inputs = { inputs = {
authentik-nix = {
url = "github:nix-community/authentik-nix";
};
disko = { disko = {
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
url = "github:nix-community/disko"; url = "github:nix-community/disko";
@ -18,7 +21,7 @@
sops-nix.url = "github:Mic92/sops-nix"; sops-nix.url = "github:Mic92/sops-nix";
}; };
outputs = { self, disko, home-manager, nixpkgs, nixvim, sops-nix, ...}: outputs = { self, authentik-nix, disko, home-manager, nixpkgs, nixvim, sops-nix, ...}:
let let
configFiles = pkgs.stdenv.mkDerivation { configFiles = pkgs.stdenv.mkDerivation {
name = "config-files"; name = "config-files";
@ -34,15 +37,15 @@
nixosConfigurations = { nixosConfigurations = {
corp = import ./system.nix { corp = import ./system.nix {
configuration = ./host/corp/configuration.nix; configuration = ./host/corp/configuration.nix;
inherit configFiles disko home-manager nixpkgs nixvim sops-nix system; inherit authentik-nix configFiles disko home-manager nixpkgs nixvim sops-nix system;
}; };
"sync.nidus.cloud" = import ./system.nix { "sync.nidus.cloud" = import ./system.nix {
configuration = ./host/sync/configuration.nix; configuration = ./host/sync/configuration.nix;
inherit configFiles disko home-manager nixpkgs nixvim sops-nix system; inherit authentik-nix configFiles disko home-manager nixpkgs nixvim sops-nix system;
}; };
test-corp = nixpkgs.lib.nixosSystem { test-corp = nixpkgs.lib.nixosSystem {
configuration = ./host/test-corp/configuration.nix; configuration = ./host/test-corp/configuration.nix;
inherit configFiles disko home-manager nixpkgs nixvim sops-nix system; inherit authentik-nix configFiles disko home-manager nixpkgs nixvim sops-nix system;
}; };
}; };
}; };
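Review bot: `authentik-nix` is the only input declared without `inputs.nixpkgs.follows = "nixpkgs"` (compare `disko` a few lines below), so the lockfile now carries a second nixpkgs pin on nixos-unstable that only moves when authentik-nix's own lock is bumped, and the authentik closure is built from a different package set than the rest of the host. authentik-nix may deliberately pin its nixpkgs so the authentik build it ships is the one it tested against; if that is the reason, a one-line comment next to the input (e.g. `# deliberately not following nixpkgs: authentik-nix pins a tested nixpkgs`) would stop the next reader from "fixing" it, and otherwise `inputs.nixpkgs.follows = "nixpkgs";` keeps one package set and one set of security updates to track.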


@ -31,6 +31,7 @@
vikunja.enable = true; vikunja.enable = true;
}; };
services.openssh.enable = true; services.openssh.enable = true;
services.postgresql.enable = true;
users.users.deploy = { users.users.deploy = {
extraGroups = [ "deploy" ]; extraGroups = [ "deploy" ];
isNormalUser = true; isNormalUser = true;


@ -17,24 +17,24 @@ in
sops.secrets.authentik-backup-pgpass = { sops.secrets.authentik-backup-pgpass = {
mode = "0400"; mode = "0400";
}; };
systemd.services.backup-authentik-db = { # systemd.services.backup-authentik-db = {
description = "Backup authentik database"; # description = "Backup authentik database";
after = [ "network-online.target" ]; # after = [ "network-online.target" ];
wants = [ "network-online.target" ]; # wants = [ "network-online.target" ];
path = [ pkgs.bash pkgs.postgresql ]; # path = [ pkgs.bash pkgs.postgresql ];
requires = [ "podman-authentik-worker.service" ]; # Ensure authentik is running first # requires = [ "podman-authentik-worker.service" ]; # Ensure authentik is running first
script = "${backupScript}/bin/backup-authentik-db.sh"; # script = "${backupScript}/bin/backup-authentik-db.sh";
serviceConfig = { # serviceConfig = {
# Needs root so it can stop other services # # Needs root so it can stop other services
User = "root"; # User = "root";
Group = "root"; # Group = "root";
Environment = "PGPASSFILE=${config.sops.secrets.authentik-backup-pgpass.path}"; # Environment = "PGPASSFILE=${config.sops.secrets.authentik-backup-pgpass.path}";
EnvironmentFile = "/var/run/secrets/authentik-env"; # EnvironmentFile = "/var/run/secrets/authentik-env";
Type = "oneshot"; # Type = "oneshot";
Restart = "on-failure"; # Restart = "on-failure";
}; # };
wantedBy = [ "timers.target" ]; # wantedBy = [ "timers.target" ];
}; # };
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d /var/backups/authentik-db 0755 root root" "d /var/backups/authentik-db 0755 root root"
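Review bot: Commenting out `systemd.services.backup-authentik-db` disables backups of the IdP database entirely, while the `authentik-backup-pgpass` secret and the `/var/backups/authentik-db` tmpfiles rule are kept, so the config now carries a secret and a directory that nothing uses. The only podman-specific line in the unit is `requires = [ "podman-authentik-worker.service" ]`; given the new unit names used in `restartUnits` elsewhere in this commit, re-pointing it to `requires = [ "authentik.service" ];` (or the worker unit, whichever the authentik-nix module actually defines — worth confirming) should keep the job alive rather than dropping it. The backup authenticates with `PGPASSFILE`, i.e. a password over a `host` connection, so it also depends on pg_hba still having a password-based `host` rule for `127.0.0.1`; `backupScript` and the `let` block are defined above the hunk and not visible here.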


@ -4,27 +4,70 @@ with lib;
options.myModules.authentik.enable = mkEnableOption "custom authentik configuration"; options.myModules.authentik.enable = mkEnableOption "custom authentik configuration";
config = mkIf config.myModules.authentik.enable { config = mkIf config.myModules.authentik.enable {
environment.systemPackages = [
pkgs.authentik
];
services.authentik = {
enable = true;
environmentFile = "/run/secrets/authentik-env";
settings = {
database = {
host = "127.0.0.1";
name = "authentik";
};
email = {
host = "smtp.forwardemail.net";
port = 2465;
use_tls = false;
use_ssl = true;
from = "auth@corp.gleipnir.technology";
};
listen = {
listen_debug = "127.0.0.1:9900";
listen_debug_py = "127.0.0.1:9901";
listen_http = "127.0.0.1:9000";
listen_https = "127.0.0.1:9443";
listen_ldap = "127.0.0.1:3389";
listen_ldaps = "127.0.0.1:6636";
listen_radius = "127.0.0.1:1812";
listen_metrics = "127.0.0.1:9300";
};
};
};
services.caddy.virtualHosts."auth.gleipnir.technology".extraConfig = '' services.caddy.virtualHosts."auth.gleipnir.technology".extraConfig = ''
reverse_proxy http://127.0.0.1:10000 reverse_proxy http://127.0.0.1:9000
''; '';
services.postgresql = {
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all all trust
'';
enable = true;
ensureDatabases = [ "authentik" ];
ensureUsers = [{
ensureClauses.login = true;
ensureDBOwnership = true;
name = "authentik";
}];
};
sops.secrets.authentik-env = with config.virtualisation.oci-containers; { sops.secrets.authentik-env = with config.virtualisation.oci-containers; {
format = "dotenv"; format = "dotenv";
group = "authentik"; group = "authentik";
mode = "0440"; mode = "0440";
owner = "authentik"; owner = "authentik";
restartUnits = ["${backend}-authentik-server" "${backend}-authentik-worker"]; restartUnits = ["authentik" "authentik-migrate" "authentik-worker"];
sopsFile = ../../secrets/authentik.env; sopsFile = ../../secrets/authentik.env;
}; };
systemd.services.podman-create-authentik-pod = with config.virtualisation.oci-containers; { # systemd.services.podman-create-authentik-pod = with config.virtualisation.oci-containers; {
serviceConfig.Type = "oneshot"; # serviceConfig.Type = "oneshot";
wantedBy = [ "${backend}-authentik-server.service" "${backend}-authentik-worker.service"]; # wantedBy = [ "${backend}-authentik-server.service" "${backend}-authentik-worker.service"];
script = '' # script = ''
${pkgs.podman}/bin/podman pod exists authentik || \ # ${pkgs.podman}/bin/podman pod exists authentik || \
${pkgs.podman}/bin/podman pod create \ # ${pkgs.podman}/bin/podman pod create \
--name authentik \ # --name authentik \
-p 127.0.0.1:10000:9000 # -p 127.0.0.1:10000:9000
''; # '';
}; # };
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d /opt/authentik/certs 0755 authentik authentik" "d /opt/authentik/certs 0755 authentik authentik"
"d /opt/authentik/media 0755 authentik authentik" "d /opt/authentik/media 0755 authentik authentik"
@ -36,36 +79,36 @@ with lib;
isNormalUser = false; isNormalUser = false;
isSystemUser = true; isSystemUser = true;
}; };
virtualisation.oci-containers.containers = { # virtualisation.oci-containers.containers = {
authentik-redis = { # authentik-redis = {
extraOptions = [ "--pod=authentik" ]; # extraOptions = [ "--pod=authentik" ];
image = "docker.io/redis:8.0.3-alpine"; # image = "docker.io/redis:8.0.3-alpine";
}; # };
authentik-server = { # authentik-server = {
cmd = ["server"]; # cmd = ["server"];
environmentFiles = [ # environmentFiles = [
"/var/run/secrets/authentik-env" # "/var/run/secrets/authentik-env"
]; # ];
extraOptions = [ "--pod=authentik" ]; # extraOptions = [ "--pod=authentik" ];
image = "ghcr.io/goauthentik/server:2025.4"; # image = "ghcr.io/goauthentik/server:2025.4";
volumes = [ # volumes = [
"/opt/authentik/media:/media" # "/opt/authentik/media:/media"
"/opt/authentik/templates:/templates" # "/opt/authentik/templates:/templates"
]; # ];
}; # };
authentik-worker = { # authentik-worker = {
cmd = ["worker"]; # cmd = ["worker"];
environmentFiles = [ # environmentFiles = [
"/var/run/secrets/authentik-env" # "/var/run/secrets/authentik-env"
]; # ];
extraOptions = [ "--pod=authentik" ]; # extraOptions = [ "--pod=authentik" ];
image = "ghcr.io/goauthentik/server:2025.4"; # image = "ghcr.io/goauthentik/server:2025.4";
volumes = [ # volumes = [
"/opt/authentik/certs:/certs" # "/opt/authentik/certs:/certs"
"/opt/authentik/media:/media" # "/opt/authentik/media:/media"
"/opt/authentik/templates:/templates" # "/opt/authentik/templates:/templates"
]; # ];
}; # };
}; # };
}; };
} }
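Review bot: `authentication = pkgs.lib.mkOverride 10 ''local all all trust''` replaces the whole generated pg_hba.conf with a rule that lets any local Unix account with shell access (such as the `deploy` SSH user shown in the host configuration) connect over the socket as any role, including the `postgres` superuser, with no credentials — and the authentik database is where the IdP keeps its password hashes, sessions and tokens. The NixOS default already contains `local all all peer`, which maps the `authentik` system user declared below to the `authentik` role created by `ensureUsers`/`ensureDBOwnership`, so the override block can simply be deleted; if an explicit rule is preferred, `local authentik authentik peer` is sufficient and keeps the default `host` rules intact. Separately, the `settings.database = { host = "127.0.0.1"; … }` block does not correspond to the `AUTHENTIK_POSTGRESQL__*` variables the old env file used, so it is presumably ignored and the service is reaching PostgreSQL through the socket — please confirm against the authentik-nix module, because over TCP the override above leaves no matching `host` rule at all. The `with config.virtualisation.oci-containers;` on the `sops.secrets.authentik-env` line is now dead with the container definitions commented out and can be removed.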


@ -1,19 +1,5 @@
AUTHENTIK_EMAIL__HOST=ENC[AES256_GCM,data:kb2N1evWoc7AINYuQGoG3G2bsi6n,iv:tAOieZNCOgcGCtHtrlYXBtp09a++WH79A+E7M4irIN0=,tag:4dfcXmJfRI4de2et1dkh7Q==,type:str]
AUTHENTIK_EMAIL__PORT=ENC[AES256_GCM,data:Ne3Kgg==,iv:OHHdIjNEeP9QPTDdjim39jQy5vZTxyTuCDjuubqj4cM=,tag:vHELeE8N4/Hrl3TAuKlbVw==,type:str]
AUTHENTIK_EMAIL__USERNAME=ENC[AES256_GCM,data:4PMcNtQZOCcepXOFoHQJe8A+0AdOUGQk76rI2EE=,iv:C5ATwjfF+/lkMhUPUF1u4EMmlfe0oCuagrajKVsmsbQ=,tag:PNM+kYe8rgDmOumtfvzE8A==,type:str] AUTHENTIK_EMAIL__USERNAME=ENC[AES256_GCM,data:4PMcNtQZOCcepXOFoHQJe8A+0AdOUGQk76rI2EE=,iv:C5ATwjfF+/lkMhUPUF1u4EMmlfe0oCuagrajKVsmsbQ=,tag:PNM+kYe8rgDmOumtfvzE8A==,type:str]
AUTHENTIK_EMAIL__PASSWORD=ENC[AES256_GCM,data:761BeyOs9Ay9rb64FQAk14SqD54tcy2P,iv:D9Dn+jXKeSBWXvsyvMHcnM4NkNm1FAph/j1XAOYVG00=,tag:pDJzzlLlpNpQPAyr/IIyFQ==,type:str] AUTHENTIK_EMAIL__PASSWORD=ENC[AES256_GCM,data:761BeyOs9Ay9rb64FQAk14SqD54tcy2P,iv:D9Dn+jXKeSBWXvsyvMHcnM4NkNm1FAph/j1XAOYVG00=,tag:pDJzzlLlpNpQPAyr/IIyFQ==,type:str]
AUTHENTIK_EMAIL__USE_TLS=ENC[AES256_GCM,data:eo/gi3M=,iv:M91bZsoVwsk6uXv/B6S1y7JODDWmeAvwBwInKnZTnPM=,tag:WWsy2gccV/Wb9DPFLcK+xg==,type:str]
AUTHENTIK_EMAIL__USE_SSL=ENC[AES256_GCM,data:VmgNFw==,iv:e+wPUyS1Lh4ertUTQJYeGlJQUfnsROZiKUKLVPOrDMQ=,tag:aKm2EHUmsoYFfja2EJImFQ==,type:str]
AUTHENTIK_EMAIL__TIMEOUT=ENC[AES256_GCM,data:r7w=,iv:CuqardKt0jMVPfefmit02Nl/FX7TedPfAqr/nHpidq4=,tag:2ylJuYA+Cs9bTogv4bBpKQ==,type:str]
AUTHENTIK_EMAIL__FROM=ENC[AES256_GCM,data:E5AT4uoc9A89Yj/fgeGXoTJ/hn2ymNtmZuCXQJ8=,iv:xdQPETFf8PQ3Hi1jM0w0tfmihSzJyzzk9Z93nF21Mcc=,tag:afzrOpHJ4/fDwVUW7S1hqw==,type:str]
AUTHENTIK_ERROR_REPORTING__ENABLED=ENC[AES256_GCM,data:95RHqg==,iv:4aEsQGqMPZAHEl2a2mEPQgE03FmxXX1oFLzYPeDXcAA=,tag:Bkh+GRxfGOximBNfJV0ZZg==,type:str]
AUTHENTIK_LOG_LEVEL=ENC[AES256_GCM,data:s6mBg616vw==,iv:i+hVmUOtUIrbKvxlD8E3Kkq+yYOYb+/xYYqKtyQdB1Q=,tag:DeSHTfgXtWJLkkWQbPydOQ==,type:str]
AUTHENTIK_POSTGRESQL__HOST=ENC[AES256_GCM,data:XvfqJG6+OzmWV6KmXP9d1KmyR5C2aOmpDGWKzJG34JyTR4DuabJbU9nY0iXjf+bjPBk9vvuaFw3j40ZzmLf0r1hhd648fBhKk/MkgRQ2UEg=,iv:+STIftFRvsCXB0jt2QNIYCJWyH8nGi9mHgSQGK8a3tQ=,tag:0EHgHq8lF38wm5Wm4q9Ang==,type:str]
AUTHENTIK_POSTGRESQL__NAME=ENC[AES256_GCM,data:2G3q8ujcsRCb,iv:O+UPxZqrBjQkRegXRyv1+YdOduZcGREo3ZnLAU6uytE=,tag:gh9IbsEp/rszIpaZ34Chag==,type:str]
AUTHENTIK_POSTGRESQL__PASSWORD=ENC[AES256_GCM,data:nFRhrE5L9dTX0S5E94EsV5QXlvTL,iv:GBi4EY+p7AoFdF7pslpfUjUWH6yUAE/2sXScPrEv9hU=,tag:UdkiYgEGxeRpXo4atG4ceQ==,type:str]
AUTHENTIK_POSTGRESQL__PORT=ENC[AES256_GCM,data:Fgt54Jw=,iv:vowf1xrkXGIJOutrTvsXWhhLGRLUtUvulxO84BfHP+E=,tag:1alr1aXLiS9lvSBCE24ngQ==,type:str]
AUTHENTIK_POSTGRESQL__USER=ENC[AES256_GCM,data:Eav02SqSk7EbJByQyyk=,iv:TRm0Z17Hx4wwkG29D00Dx/fJ7E+0fgweW72YnKK3kmo=,tag:vwYp8VFCO3LjsYvWaHadNw==,type:str]
AUTHENTIK_REDIS__HOST=ENC[AES256_GCM,data:xuh25ku0Px74yZmZg3cC,iv:xZoppWzkMTXcTW+grfuNZ15J+6Wosh0U9Vzo0AVNzrE=,tag:IF/+DvVjznGC3bzRGskPPw==,type:str]
AUTHENTIK_SECRET_KEY=ENC[AES256_GCM,data:8jb7qazlI3luTrBuUWNOy/TTkiiYLW+XYqFKmFo8rgRmbfMqKwM6485U7i7GNFHSVqQEaOXc39WEZR6dZILIZ47nJDETeSnMGGgLz8T7UwU=,iv:GV+cfsX+kXED//ladyo9jg5XLOmg8l1bGTqNB7JnwfU=,tag:ddGxFUKrMSVWWjBrDP1N2w==,type:str] AUTHENTIK_SECRET_KEY=ENC[AES256_GCM,data:8jb7qazlI3luTrBuUWNOy/TTkiiYLW+XYqFKmFo8rgRmbfMqKwM6485U7i7GNFHSVqQEaOXc39WEZR6dZILIZ47nJDETeSnMGGgLz8T7UwU=,iv:GV+cfsX+kXED//ladyo9jg5XLOmg8l1bGTqNB7JnwfU=,tag:ddGxFUKrMSVWWjBrDP1N2w==,type:str]
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSTm1Zb1picVdVRTBiQjRK\nNkVMVHhWa2lsWEVYVllVaW1wdkpKSFVpc0VnCnBXRlVZVk11b0xjV3k2bkJpczVG\nZEZQekljRVJ5VmNOU3R2UXZUMm9CR1UKLS0tIHFHV0VmUHZzTTV3U0w2ZHJKc3Vz\nVEt4RUNBMlBGOFRoUjI0QUlvVVlIb0EKeLJRLIYTakdoc244pXBu6oqoni9ZM9PQ\nyp02oXiyqmlZZqAfTJ4emnVqPv/fJKquiN2izsOtHs4PONc1n5eJcg==\n-----END AGE ENCRYPTED FILE-----\n sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSTm1Zb1picVdVRTBiQjRK\nNkVMVHhWa2lsWEVYVllVaW1wdkpKSFVpc0VnCnBXRlVZVk11b0xjV3k2bkJpczVG\nZEZQekljRVJ5VmNOU3R2UXZUMm9CR1UKLS0tIHFHV0VmUHZzTTV3U0w2ZHJKc3Vz\nVEt4RUNBMlBGOFRoUjI0QUlvVVlIb0EKeLJRLIYTakdoc244pXBu6oqoni9ZM9PQ\nyp02oXiyqmlZZqAfTJ4emnVqPv/fJKquiN2izsOtHs4PONc1n5eJcg==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_0__map_recipient=age1fnkhk9rv7r8gh84vxnhvndk4fgh20qcj4hvnfhdpumcydl6m6vrse50lrz sops_age__list_0__map_recipient=age1fnkhk9rv7r8gh84vxnhvndk4fgh20qcj4hvnfhdpumcydl6m6vrse50lrz
@ -27,7 +13,7 @@ sops_age__list_4__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb2
sops_age__list_4__map_recipient=age1t3ryfktuhr3cysf49m9q2n8fkjf9ajjjnhztxw9hz8paxgk4lpcq065jge sops_age__list_4__map_recipient=age1t3ryfktuhr3cysf49m9q2n8fkjf9ajjjnhztxw9hz8paxgk4lpcq065jge
sops_age__list_5__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByMU52ajRCZG9zdy90WXVx\naVdkSy9IYk0xbXpIUHdMc09McVBNSzNQemxZCkdVUVllemEvaWJEWldWbTF4Vzk1\nRmwxWUplRGE0VE9nRko0TzNERU04SGsKLS0tIHJib2RCcE5neS9VMzIyMFdLdUtQ\nUkQ3ZFo3aTA1bWNFWC9hS3V2dmdLbkkKQpvIwDvGbK1hh7L76fjDYN2cpVQ6tmMH\nx/yrABcRT54Q36zynPYlk18tWh19hjpkExNxPu6zdEoQ8MXUto8vFw==\n-----END AGE ENCRYPTED FILE-----\n sops_age__list_5__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByMU52ajRCZG9zdy90WXVx\naVdkSy9IYk0xbXpIUHdMc09McVBNSzNQemxZCkdVUVllemEvaWJEWldWbTF4Vzk1\nRmwxWUplRGE0VE9nRko0TzNERU04SGsKLS0tIHJib2RCcE5neS9VMzIyMFdLdUtQ\nUkQ3ZFo3aTA1bWNFWC9hS3V2dmdLbkkKQpvIwDvGbK1hh7L76fjDYN2cpVQ6tmMH\nx/yrABcRT54Q36zynPYlk18tWh19hjpkExNxPu6zdEoQ8MXUto8vFw==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_5__map_recipient=age1j90h7hcp4fctr2xwj4zf9cxuelm43wkujvryc9hk6rzzc37rwdmss035w7 sops_age__list_5__map_recipient=age1j90h7hcp4fctr2xwj4zf9cxuelm43wkujvryc9hk6rzzc37rwdmss035w7
sops_lastmodified=2025-07-18T18:03:58Z sops_lastmodified=2025-09-09T12:49:14Z
sops_mac=ENC[AES256_GCM,data:8EvENcMYRr735qFHBWlo/PT92kKKa6Qsq4IOYnf8na/b+PqHf2U4nUFC38BrfagbVUzB8YKaSE7mFwdzSPWCBa1do8aQgxxBav4sMWorp/bq85LXSk01t/0CWmkjvb/YEOE3OX5hDO+0l0y22fNwKb6OJ/4uv6PRMbhGwjJ4/CA=,iv:0s0PZQxIP/dE6IZLcT6v6lp3wXf3Ds+QSgRl1MaeCoY=,tag:E5dgeqJcYAa86lD1+nL5Sg==,type:str] sops_mac=ENC[AES256_GCM,data:l28mT7peCNM8I0g0UdH1OsFHMDAQ7YRo4GBSXMGbVfTmvIO3Qlkav/07ByBnv1HaGbSuRnMeF8zYilNLRO5JXdgUmFrt+QNXYrbFtkEd4boldVIHDDjtj5lyO6xdX/S5BL+engyE+7+DXz1UFkKBKoKqnQupzFLhWoIsFkGxbq0=,iv:IfzlXWHN0LLhVU/T79Wn8kraENMibtijWj8l7LiT4uE=,tag:RNFlpyEd+QBUFGGZC9CvDA==,type:str]
sops_unencrypted_suffix=_unencrypted sops_unencrypted_suffix=_unencrypted
sops_version=3.10.2 sops_version=3.10.2


@ -1,4 +1,4 @@
{ configFiles, configuration, disko, home-manager, nixpkgs, nixvim, sops-nix, system, ... }: { authentik-nix, configFiles, configuration, disko, home-manager, nixpkgs, nixvim, sops-nix, system, ... }:
let let
allowed-unfree-packages = [ allowed-unfree-packages = [
"corefonts" "corefonts"
@ -6,6 +6,7 @@ let
]; ];
in nixpkgs.lib.nixosSystem { in nixpkgs.lib.nixosSystem {
modules = [ modules = [
authentik-nix.nixosModules.default
disko.nixosModules.disko disko.nixosModules.disko
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
{ {