This is a pretty big refactor of the way systems work, but it avoids
bifurcating further. At this commit point I actually used nixos-anywhere
on the staging server and it came out okay, which is encouraging.
This actually breaks on any servers that don't define the fieldseeker
deployments as an empty list. Instead we do the clunkier, but working,
import-then-merge-each-attr.
This currently has the architecture hard-coded. That's bad, but nix is
hard, and there's probably a much better way to integrate this into the
system when I can be bothered to do it.
The podman integration was pretty janky because it relied on running a
pod and the NixOS integration with pods are essentially non-existent.
This led to issues with the port being improperly forwarded when
partially restarted.
Now instead I use a flake dedicated to running authentik. This allows me
to specify some of the config in the module directly and some in
secrets, which is really nice. I've additionally added some changes to
the listen address so that the service isn't exposed over public IP
addresses.
This is...a big change. If I run this on the old corp server it will
break a lot, LOT of stuff. So don't do that. This is also the first time
I'm attempting to use disko to fully define a server in a single step
rather than as a bootstrapping step.
