This currently has the architecture hard-coded. That's bad, but nix is
hard, and there's probably a much better way to integrate this into the
system when I can be bothered to do it.
This was a huge hassle. I really wanted to see it working under a
non-root user since it writes files, but that ended up being impossible
because of several bugs in podman's rootless integration with NixOS.
I've kept pieces of the logic around and commented out in case I can fix
it in the future as it would be more secure.
I also tried to connect to Postgres over the unix domain socket, but the
problem here is that the container is built to run as root and I'd need
to do some elaborate mapping of the root user inside the container, the
non-root user outside the container, and the Postgres auth scheme.
This would be great stuff to sort out, but I'm out of time now to work
on it.
I move the secrets file to be more consistent with the naming.
I removed parts of the postgres config that is no longer needed now that
the database is running locally.
The podman integration was pretty janky because it relied on running a
pod and the NixOS integration with pods are essentially non-existent.
This led to issues with the port being improperly forwarded when
partially restarted.
Now instead I use a flake dedicated to running authentik. This allows me
to specify some of the config in the module directly and some in
secrets, which is really nice. I've additionally added some changes to
the listen address so that the service isn't exposed over public IP
addresses.
I believe this is caused by having a number of virtual interfaces from
OCI containers and the system wants to see them all online before
considering networkd online
This includes a new paradigm for using a pgpass file, which is great, as
well as sorting out how to properly do a bash script shebang in a
service file.
I'm going to spin up some dev resources to see if I can figure out how
to compile the latest. In the mean time, this is doing what I want and
is going to get deployed.
With these changes I have librechat running and being properly
reverse-proxied and I can login via SSO. I was not able to get a
reasonable response yet from Claude.
