move authentik from docker to nix

flake.nix

@@ -122,6 +122,7 @@
     secretsDir = ./secrets;
 
     sharedPatches = patchesPath [
+      "authentik-271885.patch"
       "vaultwarden.patch"
       "webhooks.patch"
     ];

modules/authentik.nix

@@ -0,0 +1,320 @@
+# Thanks for original module, anpin! https://gist.github.com/anpin/ecbdb6625400908856ef9482eca3380c
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.authentik;
+  databaseActuallyCreateLocally = cfg.database.createLocally
+    && cfg.database.host == "/run/postgresql";
+
+  inherit (lib)
+    mkIf mkEnableOption mkOption types mdDoc literalExpression optional attrsets;
+  inherit (attrsets) optionalAttrs;
+  inherit (types) str bool port submodule package nullOr path enum;
+
+  hostWithPort = h: p: "${h}:${toString p}";
+
+  authentikBaseService = {
+    after = [ "network.target" ]
+      ++ optional databaseActuallyCreateLocally "postgresql.service";
+    wantedBy = [ "multi-user.target" ];
+    path = [ cfg.package ];
+    environment = let
+      listenAddress = hostWithPort cfg.listen.address;
+    in {
+      AUTHENTIK_REDIS__HOST = cfg.redis.host;
+      AUTHENTIK_REDIS__PORT = toString cfg.redis.port;
+
+      AUTHENTIK_POSTGRESQL__HOST = cfg.database.host;
+      AUTHENTIK_POSTGRESQL__PORT = toString cfg.database.port;
+      AUTHENTIK_POSTGRESQL__USER = cfg.database.user;
+      AUTHENTIK_POSTGRESQL__NAME = cfg.database.name;
+
+      AUTHENTIK_LISTEN__HTTP = listenAddress cfg.listen.http;
+      AUTHENTIK_LISTEN__HTTPS = listenAddress cfg.listen.https;
+
+      # initial password for admin user
+      AUTHENTIK_BOOTSTRAP_PASSWORD = cfg.defaultPassword;
+
+      # disable outbound connections
+      AUTHENTIK_DISABLE_UPDATE_CHECK = "true";
+      AUTHENTIK_ERROR_REPORTING__ENABLED = "false";
+      AUTHENTIK_DISABLE_STARTUP_ANALYTICS = "true";
+      AUTHENTIK_AVATARS = "initials";
+
+      AUTHENTIK_LOG_LEVEL = cfg.logLevel;
+    };
+    serviceConfig = {
+      User = "authentik";
+      Group = "authentik";
+      EnvironmentFile = cfg.environmentFile;
+      WorkingDirectory = cfg.package;
+      DynamicUser = true;
+      RuntimeDirectory = "authentik";
+      NoNewPrivileges = true;
+      PrivateTmp = true;
+      ProtectHome = true;
+      ProtectSystem = "strict";
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      SystemCallFilter= "~@cpu-emulation @keyring @module @obsolete @raw-io @reboot @swap @sync";
+      ConfigurationDirectory = "authentik";
+      StateDirectoryMode = "0750";
+    };
+  };
+in {
+  options.services.authentik = {
+    enable = mkEnableOption "Enables Authentik service";
+
+    package = mkOption {
+      type = package;
+      default = pkgs.authentik;
+      defaultText = literalExpression "pkgs.authentik";
+      description = mdDoc "Authentik package to use.";
+    };
+
+    defaultPassword = mkOption {
+      description = mdDoc "Default admin password. Only read on first startup.";
+      type = str;
+      default = "change-me";
+    };
+
+    logLevel = mkOption {
+      description = mdDoc
+        "Log level for the server and worker containers. Setting the log level to trace will include sensitive details in logs, so it shouldn't be used in most cases.";
+      type = enum [ "trace" "debug" "info" "warning" "error" ];
+      default = "info";
+    };
+
+    listen = mkOption {
+      description = mdDoc "Listen ports";
+      default = { };
+      type = submodule {
+        options = {
+          http = mkOption {
+            description = mdDoc "HTTP port.";
+            type = port;
+            default = 9000;
+          };
+          https = mkOption {
+            description = mdDoc "HTTPS port.";
+            type = port;
+            default = 9443;
+          };
+          address = mkOption {
+            description = mdDoc "Address to listen on.";
+            type = str;
+            default = "0.0.0.0";
+          };
+        };
+      };
+    };
+    redis = {
+      createLocally = mkOption {
+        description = mdDoc "Configure local Redis server for Authentik.";
+        type = bool;
+        default = true;
+      };
+
+      host = mkOption {
+        description = mdDoc "Redis host.";
+        type = str;
+        default = "127.0.0.1";
+      };
+
+      port = mkOption {
+        description = mdDoc "Redis port.";
+        type = port;
+        default = 31637;
+      };
+    };
+    ssl = {
+      cert = mkOption {
+        type = nullOr path;
+        default = null;
+      };
+
+      key = mkOption {
+        type = nullOr path;
+        default = null;
+      };
+
+      name = mkOption {
+        type = str;
+        default = "SSL from NIXOS";
+      };
+    };
+
+    environmentFile = mkOption {
+      type = nullOr path;
+      default = null;
+      example = "/var/lib/authentik/secrets/db-password";
+      description = mdDoc ''
+        Environment variables including :
+        -  Secret key used for cookie signing and unique user IDs, don't change this after the first install.
+      '';
+    };
+
+    database = {
+      createLocally = mkOption {
+        description =
+          mdDoc "Configure local PostgreSQL database server for authentik.";
+        type = bool;
+        default = true;
+      };
+
+      host = mkOption {
+        type = str;
+        default = "/run/postgresql";
+        example = "192.168.23.42";
+        description = mdDoc "Database host address or unix socket.";
+      };
+
+      port = mkOption {
+        type = nullOr port;
+        default = if cfg.database.createLocally then null else 5432;
+        defaultText = literalExpression ''
+          if config.database.createLocally then null else 5432
+        '';
+        description = mdDoc "Database host port.";
+      };
+
+      name = mkOption {
+        type = str;
+        default = "authentik";
+        description = mdDoc "Database name.";
+      };
+
+      user = mkOption {
+        type = str;
+        default = "authentik";
+        description = mdDoc "Database user.";
+      };
+    };
+
+    outposts = mkOption {
+      type = submodule {
+        options = {
+          ldap = mkOption {
+            type = submodule {
+              options = {
+                enable =
+                  mkEnableOption (lib.mdDoc "the authentik ldap outpost");
+                package = mkOption {
+                  type = path;
+                  default = pkgs.authentik-outposts.ldap;
+                };
+                host = mkOption {
+                  type = str;
+                  default = if cfg.outposts.ldap.insecure then
+                    "http://127.0.0.1:${toString cfg.listen.http}"
+                  else
+                    "https://127.0.0.1:${toString cfg.listen.https}";
+                };
+                insecure = mkOption {
+                  type = bool;
+                  default = false;
+                };
+                environmentFile = mkOption {
+                  type = nullOr path;
+                  default = null;
+                  example = "/var/lib/authentik-ldap/secrets/env";
+                  description = mdDoc ''
+                    Environment variables including :
+                    -  API TOKEN
+                  '';
+                };
+                listen = mkOption {
+                  description = mdDoc "Listen ports";
+                  default = { };
+                  type = submodule {
+                    options = {
+                      ldap = mkOption {
+                        description = mdDoc "LDAP port.";
+                        type = port;
+                        default = 3389;
+                      };
+                      ldaps = mkOption {
+                        description = mdDoc "LDAPS port.";
+                        type = port;
+                        default = 6636;
+                      };
+                      address = mkOption {
+                        description = mdDoc "Address to listen on.";
+                        type = str;
+                        default = "0.0.0.0";
+                      };
+                    };
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+      default = { ldap = { enable = false; }; };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    users.users.authentik = {
+      isSystemUser = true;
+      home = cfg.package;
+      group = "authentik";
+    };
+    users.groups.authentik = { };
+
+    services.postgresql = mkIf databaseActuallyCreateLocally {
+      enable = true;
+      ensureUsers = [{
+        name = cfg.database.name;
+        ensureDBOwnership = true;
+      }];
+      ensureDatabases = [ cfg.database.name ];
+    };
+
+    services.redis.servers.authentik =
+      mkIf (cfg.redis.createLocally && cfg.redis.host == "127.0.0.1") {
+        enable = true;
+        port = cfg.redis.port;
+        bind = "127.0.0.1";
+      };
+
+    systemd.services.authentik-server = authentikBaseService // {
+      serviceConfig = authentikBaseService.serviceConfig // {
+        ExecStart = "${cfg.package}/bin/ak server";
+      };
+    };
+
+    systemd.services.authentik-worker = authentikBaseService // {
+      serviceConfig = authentikBaseService.serviceConfig // {
+        ExecStart = "${cfg.package}/bin/ak worker";
+      };
+    };
+
+    # systemd.services.authentik-ssl-import = authentikBaseService // {
+    #   before = [ "authentik-server.service" ];
+    #   serviceConfig = authentikBaseService.serviceConfig // {
+    #     Type = "oneshot";
+    #     RemainAfterExit = true;
+    #     ExecStart = ''
+    #       ${cfg.package}/bin/ak import_certificate --name "${cfg.ssl.name}" --certificate "${cfg.ssl.cert}" --private-key "${cfg.ssl.key}"'';
+    #   };
+    # };
+
+    systemd.services.authentik-ldap-outpost = let
+      ldapCfg = cfg.outposts.ldap;
+    in mkIf ldapCfg.enable (authentikBaseService // {
+      description = "authentik ldap outpost";
+      environment = let listenAddress = hostWithPort ldapCfg.listen.address;
+      in {
+        AUTHENTIK_HOST = ldapCfg.host;
+        AUTHENTIK_LISTEN__LDAP = listenAddress ldapCfg.listen.ldap;
+        AUTHENTIK_LISTEN__LDAPS = listenAddress ldapCfg.listen.ldaps;
+      } // optionalAttrs ldapCfg.insecure { AUTHENTIK_INSECURE = "true"; };
+      serviceConfig = authentikBaseService.serviceConfig // {
+        ExecStart = "${cfg.outposts.ldap.package}/bin/ldap";
+        EnvironmentFile = ldapCfg.environmentFile;
+      };
+    });
+  };
+}

patches/authentik-271885.patch

@@ -0,0 +1,346 @@
+From 274b4ab18950b22bd9d6e313a8238f24da685814 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20van=20Br=C3=BCgge?= <supermanitu@gmail.com>
+Date: Mon, 20 Nov 2023 13:49:35 +0000
+Subject: [PATCH 1/3] openapi-generator-cli: set meta.mainProgram
+
+---
+ pkgs/tools/networking/openapi-generator-cli/default.nix | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/pkgs/tools/networking/openapi-generator-cli/default.nix b/pkgs/tools/networking/openapi-generator-cli/default.nix
+index f557030f991d2e..c1d8172ca7926c 100644
+--- a/pkgs/tools/networking/openapi-generator-cli/default.nix
++++ b/pkgs/tools/networking/openapi-generator-cli/default.nix
+@@ -33,6 +33,7 @@ let this = stdenv.mkDerivation rec {
+     homepage = "https://github.com/OpenAPITools/openapi-generator";
+     changelog = "https://github.com/OpenAPITools/openapi-generator/releases/tag/v${version}";
+     sourceProvenance = with sourceTypes; [ binaryBytecode ];
++    mainProgram = "openapi-generator-cli";
+     license = licenses.asl20;
+     maintainers = with maintainers; [ shou ];
+   };
+
+From c4362996949240d5c4a535285b00745976be4be8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20van=20Br=C3=BCgge?= <supermanitu@gmail.com>
+Date: Mon, 20 Nov 2023 13:50:12 +0000
+Subject: [PATCH 2/3] authentik: init at 2023.10.6
+
+---
+ pkgs/by-name/au/authentik/package.nix | 246 ++++++++++++++++++++++++++
+ 1 file changed, 246 insertions(+)
+ create mode 100644 pkgs/by-name/au/authentik/package.nix
+
+diff --git a/pkgs/by-name/au/authentik/package.nix b/pkgs/by-name/au/authentik/package.nix
+new file mode 100644
+index 00000000000000..cef6ef210547ce
+--- /dev/null
++++ b/pkgs/by-name/au/authentik/package.nix
+@@ -0,0 +1,246 @@
++{ lib
++, stdenvNoCC
++, fetchFromGitHub
++, buildNpmPackage
++, buildGoModule
++, runCommand
++, openapi-generator-cli
++, nodejs
++, python3
++, codespell
++, makeWrapper }:
++
++let
++  version = "2023.10.6";
++
++  src = fetchFromGitHub {
++    owner = "goauthentik";
++    repo = "authentik";
++    rev = "version/${version}";
++    hash = "sha256-N6FeNUlenbBQPAAUSqC+2GWFfte3G+Zfu5KGVJOqNZQ=";
++  };
++
++  website = buildNpmPackage {
++    pname = "authentik-website";
++    inherit version src;
++    npmDepsHash = "sha256-4dgFxEvMnp+35nSQNsEchtN1qoS5X2KzEbLPvMnyR+k=";
++
++    NODE_ENV = "production";
++    NODE_OPTIONS = "--openssl-legacy-provider";
++
++    postPatch = ''
++      cd website
++    '';
++
++    installPhase = ''
++      cp -r help $out
++    '';
++
++    npmInstallFlags = [ "--include=dev" ];
++    npmBuildScript = "build-docs-only";
++  };
++
++  clientapi = stdenvNoCC.mkDerivation {
++    pname = "authentik-client-api";
++    inherit version src;
++
++    postPatch = ''
++      rm Makefile
++
++      substituteInPlace ./scripts/api-ts-config.yaml \
++        --replace '/local' "$(pwd)/"
++    '';
++
++    nativeBuildInputs = [ openapi-generator-cli ];
++    buildPhase = ''
++      runHook preBuild
++      openapi-generator-cli generate -i ./schema.yml \
++      -g typescript-fetch -o $out \
++      -c ./scripts/api-ts-config.yaml \
++        --additional-properties=npmVersion=${nodejs.pkgs.npm.version} \
++        --git-repo-id authentik --git-user-id goauthentik
++      runHook postBuild
++    '';
++  };
++
++  webui = buildNpmPackage {
++    pname = "authentik-webui";
++    inherit version;
++
++    src = runCommand "authentik-webui-source" {} ''
++      mkdir -p $out/web/node_modules/@goauthentik/
++      cp -r ${src}/web $out/
++      ln -s ${src}/website $out/
++      ln -s ${clientapi} $out/web/node_modules/@goauthentik/api
++    '';
++    npmDepsHash = "sha256-5aCKlArtoEijGqeYiY3zoV0Qo7/Xt5hSXbmy2uYZpok=";
++
++    postPatch = ''
++      cd web
++    '';
++
++    installPhase = ''
++      runHook preInstall
++      mkdir $out
++      cp -r dist $out/dist
++      cp -r authentik $out/authentik
++      runHook postInstall
++    '';
++
++    NODE_ENV = "production";
++    NODE_OPTIONS = "--openssl-legacy-provider";
++
++    npmInstallFlags = [ "--include=dev" ];
++  };
++
++  python = python3.override {
++    self = python;
++    packageOverrides = final: prev: {
++      authentik-django = prev.buildPythonPackage {
++        pname = "authentik-django";
++        inherit version src;
++        pyproject = true;
++
++        postPatch = ''
++          substituteInPlace authentik/root/settings.py \
++            --replace 'Path(__file__).absolute().parent.parent.parent' "\"$out\""
++          substituteInPlace authentik/lib/default.yml \
++            --replace '/blueprints' "$out/blueprints"
++        '';
++
++        nativeBuildInputs = [ prev.poetry-core ];
++        propagatedBuildInputs = with prev; [
++          argon2-cffi
++          celery
++          channels
++          channels-redis
++          colorama
++          dacite
++          daphne
++          deepmerge
++          defusedxml
++          django
++          django-filter
++          django-guardian
++          django-model-utils
++          django-prometheus
++          django-redis
++          djangorestframework
++          djangorestframework-guardian2
++          docker
++          drf-spectacular
++          duo-client
++          facebook-sdk
++          flower
++          geoip2
++          gunicorn
++          httptools
++          kubernetes
++          ldap3
++          lxml
++          opencontainers
++          packaging
++          paramiko
++          psycopg
++          pycryptodome
++          pydantic
++          pydantic-scim
++          pyjwt
++          pyyaml
++          requests-oauthlib
++          sentry-sdk
++          structlog
++          swagger-spec-validator
++          twilio
++          twisted
++          ua-parser
++          urllib3
++          uvicorn
++          uvloop
++          watchdog
++          webauthn
++          websockets
++          wsproto
++          xmlsec
++          zxcvbn
++          jsonpatch
++        ] ++ [
++          codespell
++        ];
++
++        postInstall = ''
++          mkdir -p $out/web $out/website
++          cp -r lifecycle manage.py $out/${prev.python.sitePackages}/
++          cp -r blueprints $out/
++          cp -r ${webui}/dist ${webui}/authentik $out/web/
++          cp -r ${website} $out/website/help
++          ln -s $out/${prev.python.sitePackages}/lifecycle $out/lifecycle
++        '';
++      };
++    };
++  };
++
++  inherit (python.pkgs) authentik-django;
++
++  proxy = buildGoModule {
++    pname = "authentik-proxy";
++    inherit version src;
++
++    postPatch = ''
++      substituteInPlace internal/gounicorn/gounicorn.go \
++        --replace './lifecycle' "${authentik-django}/lifecycle"
++      substituteInPlace web/static.go \
++        --replace './web' "${authentik-django}/web"
++      substituteInPlace internal/web/static.go \
++        --replace './web' "${authentik-django}/web"
++    '';
++
++    CGO_ENABLED = 0;
++
++    vendorHash = "sha256-8F9emmQmbe7R+xtGrjV5ht0adGasU6WAvLa8Wxr+j8M=";
++
++    postInstall = ''
++      mv $out/bin/server $out/bin/authentik
++    '';
++
++    subPackages = [ "cmd/server" ];
++  };
++
++in stdenvNoCC.mkDerivation {
++  pname = "authentik";
++  inherit src version;
++
++  postPatch = ''
++    rm Makefile
++    patchShebangs lifecycle/ak
++
++    # This causes issues in systemd services
++    substituteInPlace lifecycle/ak \
++      --replace 'printf' '>&2 printf' \
++      --replace '> /dev/stderr' ""
++  '';
++
++  installPhase = ''
++    runHook preInstall
++    mkdir -p $out/bin
++    cp -r lifecycle/ak $out/bin/
++
++    wrapProgram $out/bin/ak \
++      --prefix PATH : ${lib.makeBinPath [ (python.withPackages (ps: [ps.authentik-django])) proxy ]} \
++      --set TMPDIR /dev/shm \
++      --set PYTHONDONTWRITEBYTECODE 1 \
++      --set PYTHONUNBUFFERED 1
++    runHook postInstall
++  '';
++
++  nativeBuildInputs = [ makeWrapper ];
++
++  meta = with lib; {
++    description = "The authentication glue you need";
++    changelog = "https://github.com/goauthentik/authentik/releases/tag/version%2F${version}";
++    homepage = "https://goauthentik.io/";
++    license = licenses.mit;
++    maintainers = with maintainers; [ jvanbruegge ];
++    mainProgram = "ak";
++  };
++}
+
+From 54baa29146853cca4a8acd4bf93bad59c573035f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20van=20Br=C3=BCgge?= <supermanitu@gmail.com>
+Date: Sat, 2 Dec 2023 16:08:25 +0000
+Subject: [PATCH 3/3] authentik: Add ldap outpost
+
+---
+ pkgs/by-name/au/authentik/ldap.nix     | 18 ++++++++++++++++++
+ pkgs/by-name/au/authentik/outposts.nix |  5 +++++
+ pkgs/top-level/all-packages.nix        |  2 ++
+ 3 files changed, 25 insertions(+)
+ create mode 100644 pkgs/by-name/au/authentik/ldap.nix
+ create mode 100644 pkgs/by-name/au/authentik/outposts.nix
+
+diff --git a/pkgs/by-name/au/authentik/ldap.nix b/pkgs/by-name/au/authentik/ldap.nix
+new file mode 100644
+index 00000000000000..7945c3021dfd90
+--- /dev/null
++++ b/pkgs/by-name/au/authentik/ldap.nix
+@@ -0,0 +1,18 @@
++{ lib, buildGoModule, authentik }:
++
++buildGoModule {
++  pname = "authentik-ldap-outpost";
++  inherit (authentik) version src;
++
++  vendorHash = "sha256-8F9emmQmbe7R+xtGrjV5ht0adGasU6WAvLa8Wxr+j8M=";
++
++  CGO_ENABLED = 0;
++
++  subPackages = [ "cmd/ldap" ];
++
++  meta = authentik.meta // {
++    description = "The authentik ldap outpost. Needed for the extendal ldap API.";
++    homepage = "https://goauthentik.io/docs/providers/ldap/";
++    mainProgram = "ldap";
++  };
++}
+diff --git a/pkgs/by-name/au/authentik/outposts.nix b/pkgs/by-name/au/authentik/outposts.nix
+new file mode 100644
+index 00000000000000..05649628b3e8e6
+--- /dev/null
++++ b/pkgs/by-name/au/authentik/outposts.nix
+@@ -0,0 +1,5 @@
++{ callPackage }:
++
++{
++  ldap = callPackage ./ldap.nix { };
++}
+diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
+index e59de08224d3df..756ad8582a25ed 100644
+--- a/pkgs/top-level/all-packages.nix
++++ b/pkgs/top-level/all-packages.nix
+@@ -3377,6 +3377,8 @@ with pkgs;
+ 
+   authelia = callPackage ../servers/authelia { };
+ 
++  authentik-outposts = recurseIntoAttrs (callPackages ../by-name/au/authentik/outposts.nix { });
++
+   autoflake = with python3.pkgs; toPythonApplication autoflake;
+ 
+   autospotting = callPackage ../applications/misc/autospotting { };

profiles/servers/authentik.nix

@@ -1,122 +1,27 @@
-{ config, lib, pkgs, inputs, ... }:
-let
-  backend = config.virtualisation.oci-containers.backend;
-  data-dir = "/srv/authentik";
-  pod-name = "authentik-pod";
-  pod-dns = "192.168.0.1";
-  open-ports = [
-    # authentik
-    "127.0.0.1:9000:9000/tcp" "127.0.0.1:9443:9443/tcp"
-    # ldap
-    "127.0.0.1:389:3389/tcp" "127.0.0.1:636:6636/tcp"
-  ];
-  owner = "1000";
-  authentik-version = "2023.10.6";
-in {
+{ config, inputs, ... }: {
   sops.secrets.authentik-env.sopsFile = inputs.self.secretsDir + /home-hypervisor/authentik.yaml;
   sops.secrets.authentik-ldap.sopsFile = inputs.self.secretsDir + /home-hypervisor/authentik.yaml;
-  sops.secrets.authentik-env.restartUnits = [ "${backend}-authentik-server.service" ];
-  sops.secrets.authentik-ldap.restartUnits = [ "${backend}-authentik-ldap.service" ];
+  sops.secrets.authentik-env.restartUnits = [ "authentik-server.service" "authentik-worker.service" ];
+  sops.secrets.authentik-ldap.restartUnits = [ "authentik-ldap-outpost.service" ];
 
-  virtualisation.oci-containers.containers = {
-    authentik-postgresql = {
-      autoStart = true;
-      image = "docker.io/library/postgres:12-alpine";
-      extraOptions = [ "--pod=${pod-name}" ];
-      environmentFiles = [ config.sops.secrets.authentik-env.path ];
-      volumes = [
-        "${data-dir}/db:/var/lib/postgresql/data"
-      ];
-    };
-    authentik-redis = {
-      autoStart = true;
-      image = "docker.io/library/redis:alpine";
-      cmd = [ "--save" "60" "1" "--loglevel" "warning" ];
-      extraOptions = [ "--pod=${pod-name}" ];
-      volumes = [
-        "${data-dir}/redis:/data"
-      ];
-    };
-    authentik-server = {
-      autoStart = true;
-      dependsOn = [ "authentik-postgresql" "authentik-redis" ];
-      image = "ghcr.io/goauthentik/server:${authentik-version}";
-      cmd = [ "server" ];
-      extraOptions = [ "--pod=${pod-name}" ];
-      environment = {
-        AUTHENTIK_REDIS__HOST = "authentik-redis";
-        AUTHENTIK_POSTGRESQL__HOST = "authentik-postgresql";
-      };
-      environmentFiles = [ config.sops.secrets.authentik-env.path ];
-      volumes = [
-        "${data-dir}/media:/media"
-        "${data-dir}/custom-templates:/templates"
-      ];
-    };
-    authentik-worker = {
-      autoStart = true;
-      dependsOn = [ "authentik-server" ];
-      image = "ghcr.io/goauthentik/server:${authentik-version}";
-      cmd = [ "worker" ];
-      extraOptions = [ "--pod=${pod-name}" ];
-      environment = {
-        AUTHENTIK_REDIS__HOST = "authentik-redis";
-        AUTHENTIK_POSTGRESQL__HOST = "authentik-postgresql";
-      };
-      environmentFiles = [ config.sops.secrets.authentik-env.path ];
-      # user = "root";
-      volumes = [
-        # "/var/run/${backend}/${backend}.sock"
-        "${data-dir}/media:/media"
-        "${data-dir}/certs:/certs"
-        "${data-dir}/custom-templates:/templates"
-      ];
-    };
-    authentik-ldap = {
-      autoStart = true;
-      dependsOn = [ "authentik-server" ];
-      image = "ghcr.io/goauthentik/ldap:${authentik-version}";
-      extraOptions = [ "--pod=${pod-name}" ];
-      environment = {
-        AUTHENTIK_HOST = "https://auth.ataraxiadev.com";
-        AUTHENTIK_INSECURE = "false";
-      };
-      environmentFiles = [ config.sops.secrets.authentik-ldap.path ];
+  backups.postgresql.authentik = {};
+
+  services.authentik = {
+    enable = true;
+    logLevel = "info";
+    listen.address = "127.0.0.1";
+    listen.http = 9000;
+    listen.https = 9443;
+    environmentFile = config.sops.secrets.authentik-env.path;
+    outposts.ldap = {
+      enable = true;
+      host = "https://auth.ataraxiadev.com";
+      environmentFile = config.sops.secrets.authentik-ldap.path;
+      listen.address = "127.0.0.1";
+      listen.ldap = 3389;
+      listen.ldaps = 6636;
     };
   };
 
-  systemd.tmpfiles.rules = [
-    "d ${data-dir}/db 0700 70 root -"
-    "d ${data-dir}/redis 0755 999 root -"
-    "d ${data-dir}/media 0755 ${owner} ${owner} -"
-    "d ${data-dir}/certs 0755 ${owner} ${owner} -"
-    "d ${data-dir}/custom-templates 0755 ${owner} ${owner} -"
-  ];
-
-  systemd.services."podman-create-${pod-name}" = let
-    portsMapping = lib.concatMapStrings (port: " -p " + port) open-ports;
-    start = pkgs.writeShellScript "create-pod-${pod-name}" ''
-      podman pod exists ${pod-name} || podman pod create -n ${pod-name} ${portsMapping} --dns ${pod-dns}
-    '';
-    stop = "podman pod rm -i -f ${pod-name}";
-  in rec {
-    path = [ pkgs.coreutils config.virtualisation.podman.package ];
-    before = [
-      "${backend}-authentik-postgresql.service"
-      "${backend}-authentik-redis.service"
-      "${backend}-authentik-server.service"
-      "${backend}-authentik-worker.service"
-      "${backend}-authentik-ldap.service"
-    ];
-    requiredBy = before;
-    partOf = before;
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = "yes";
-      ExecStart = start;
-      ExecStop = stop;
-    };
-  };
-
-  networking.firewall.allowedTCPPorts = [ 389 ];
+  # networking.firewall.allowedTCPPorts = [ 389 ];
 }

secrets/home-hypervisor/authentik.yaml

@@ -1,4 +1,6 @@
-authentik-env: ENC[AES256_GCM,data:gyQWquVp/HOa4M07NNZ1cfzxAB2fTtGhc1CCQlHnU6HyRaGoIVHLl5syRQP3CJtCrxtd4FwmtetjGoOzouIEFo9m0EoXdr9iGc05GE3WZ9Ms2KLLeTOr6ZMQTbT9Z0LW94tnyiAZmDboSC+GTSA+Lh737sF8pr58YLPtoOlIdwP0YLgIVZdhckQ4n9VJ8MW9TuP5PorDKikG/JPHBdq6ke82qi1o0P/vruAXffGgrNcczCZUx1GcCznA+H6kubPD8vhoNx7i+/ZobGWXbnwhsmh8Sn1DUgpmV/hQeOm/2kssbLB3JgV2IBsB35fZ8nSijvOfV4tc/vYc0kcRT2Tm3KiopCTb1a6WKdR4goFSDk/16uzX5L6RpgFiQaR/Z01ACiWuj0CIMjVHJqtzKm3BkvxUnN1mOP7gvvqu72igV6bMasWbQ0uHR1wpASsR1N6qLLOznQAmz1zfWOpewTxPJVVyGS+l7QU7QN5ogbMgzX8n2BjWuce6Tv9fSmLtR7vdw/kPYUpFKr08h7cBEC4Vlb76cK7L4PqvIRtm6q652I/7t0h4fPwMJmCMrgwp8estgDrekkQwZdArDxm7dKdyAdG9HNj5TZ+f3aXXdMBIXn8WrX04iFJPq/Um49Bk7LRYVhEiFTmml2jXhV6l68E/U0s3DUOVvAo/UBD8E/dMKlQ9kzuwz+uR92KyWNLlqt0odOYw2FVvRKCRBobc1S8CBQo4uzteJo4NNB1Y68HbkGVtO6xTrsmOEhzHwzeW4VBRkEhvNSbCp9YIC0VrxtupFPBBszPVJ3tIZEjGX/X3Px0QqFI5ri78326xWwNtTtvGMzb6ggBFBfNb3v1tthiz8fphF/OHbtivhDtUbdY4UWcuJmjVdcNcUFNTi7Npdf/mlMoDGDQKFmX+HtjFs39zAu/CFF7R9fA0bfZqjyLapqFShmAJwtSxYHQllkQPWu4JViPpaV7HtmpU28mcEMiHoUpPnhrBTkTSv4H1hLC/AOrJLF0gJQ5nsowLTb2x0J14niaYQzHadzgl1bS8RozShAizskvHzfRb1AyTJPoIJHMv8RwHOBIxriEq0H6UwkuNkSqJdCOzX3evI8roQ9okvBNkb86ILKXpCsDy6Dl2YW8S9inMMCWB8RgQDBLmL7SO8se2NgrcHPviix2zucUX04jVoAvVz2cO2Eday2Mhl6y+t1YDnQ8UgretDIc6cfmhHKqS2GZcOf2fFWJ/PbSK4qI9H2geySubOhidsjW/zoP71GPJ0lbMCADLFK6i0dGJvf0YmRv1wJBrH0vFILFEaSqgbKYE0QKUAiwsSkilJLVgK1K4dgDzqlJ9q0pTyg==,iv:QMfMecO5xgnHakjTQOJlMyh9am12n23pHIL+CndhVDI=,tag:k2+Yx6hpjjgPskBPiq+hSw==,type:str]
+authentik-docker-env: ENC[AES256_GCM,data:gQgij38e/InGVurVfXNkLTWuydSKu0InOXBooltqu7hpctm1noSGFXtfT2dgXcmftTXPzDx3Mah5zqAHXeygv4gWqnTaCXIw9IKmsz4V0VeycfUVzdtli2oo5Dyf1lyJHzSrxWVuatdQYafVQomIHswKHqSMIGg0LE7HR1HHDoPm57v8JMEbMGaw4PQ7cIasRPYwTQyzqiLAlohXpyovYlVd7yUZZQNWSozlD8mFwVaKPDEmnSfzEBxYMwnzY3d8MtHaI+S/kGKWcKBDQ58WXuLysjuIu7bgRiHnvbz/aUlKiF7r4deaIX4tWZsOarjYliSTBraZEHbFqO00viRISX1IBP4BVD7N1QsuczMk9MILWy5NZzUVT73MK2Y9WY4A3TYofdxjjSBnhXQnwfZlm3IY5cJxAVLjVXIUqMaQ+GHiJsnxdl9qVvvsJ/hadYgTpf+JZ9G4X6hE84/2vFrXItY/5VRyh1Hv4Z43wsCALw6pzWJcp8HbzkbyAJpROFXD9XPm28ocAEmc92mu0X4a3vevJq2cfvHTAYb5Gwyo868G/DZdgIq9MPpK3ZBGUtJnacIS5jtYowf9TncGpRSkxC0iUCwbl/aY02o9cfEuYhJK57e7o0N3oVxKhP3aelgrpq5sdy6QBNAc4IgTJwUucwTpqFSj4z7TDSIjtLA4BTlSEfwTRFVuF7VAakhoeSkW8YvHRaZB+Dq/2P3nLpFbPAjqW7XthlDypQ5ADRWBFfj9BzMbf+Kcd4rtO9bTtnyZPzpkbsbuWkF/I0NWeAlc7ozW3O37+n4Flt42fuHg2Vh0ncV7MSk6vETVBvtV04JSr65bBqhuKhBrGV7UHTHQAov3gyML3Gica0ZCcJvK9lKGaX+hEYaB0nb9qmtCQc4JKxGwboG5Lo59tIYGN3yPNf0QtiAMFWzZ8sTL1b2pV1NKIgoMtrx7l5dga2Mng4bhUIkLii0H/bqeY6qD/a2PV2B7zU3EInoK9UjieOGM6DaGJXcbj/JPJKMg23ZR/wbNM2LE59U8IomuXeJ+vRlRpZvxn9148qwJcF+DlgZlVFdGBnyUucLHZMZogtmcfe48QGYv5oKdBk2ZOVnvSxodiw1jPWgLmRATnWK4zaqBXlnMsoNZGyp57pYpTpaklulXy1kUwooMGyJo7TEOQj4zzgEjII5mrA6xb73Sg1qGIbSHyqMvg2f+CWgWPgwrlwug+6IepQHgPeIaukSIuDzhq5SJLZpBig+b4qNuVwUqtuWeoW1V2H/iaNojLsizcGVgiIlTnOU16mpn40G5tbpmsZLjSJnDhrPScz2kn1kA6mDjNmZ7s4s7ouAGxFpL3A==,iv:RoNU+sz4ibBnCZEwhrZOCZ8L2f4AKlA2HDkjGOd75HU=,tag:GmXqPgen7ZJ/hVqQhO+DbQ==,type:str]
+authentik-docker-ldap: ENC[AES256_GCM,data:Ex6g0F9krdKj1Zn4V6oafV7PXrkdIHYsh6z287yEDkJdUUsz73QXKYjMIyF6AhoDFtOCPqmEB7J6qFxCzQjJsHYDbDT/pDHjJMpmnA==,iv:DrifVWgEak8Pd7V50UOnEs6lVH3+LhSNDmZ6z4QMS14=,tag:snAy/ebpo1yyHGmy9l12Ww==,type:str]
+authentik-env: ENC[AES256_GCM,data:G2/zs34u73Iyob0ZBV2xRh6sAbr9LgvXeupfQeg7UhafEfFe9Izki7ig8ZzFwaoWMeewWvF2/LOlegK5n05D6CnDL0hMBCbRiGEd2df3zHLT0lbN5jbZ9mNw+p13+qT5lm3paV26PCsvERGQNQLJ8+SHrgB6S847fHqWANmQJRoiA2LFPWNj2VJfn2By1ZyH/JtQPERNuLGZJCz6PgecC4qM88+Rubqw3Jj9ebw3xvQFqAt1rhD08xSO6yFSBQRG0SxDmhX2L7dI2mm4CQl9LIA5dTF3tw/nqlVby5j2TqrfICoP87eunifcus16TNRHjDdpfKpWBpFuROoiBdzCRakkORcNzDegyNb9UI0hsklnT9c01b9vC75Jrmv6fcZFRbw7diwcs85Ty6aHKZAANhShYHx5TmO+SFIR2lZpXPpXQgJuXNz8EDYyflZfIBagwpD5G7NawDeGFrnqd7ioJqO/yoAQNaF5b8z5Fdw6xpwWCCmJ7MHUkIioHE8/82egi5d2lBPM+BHiMvTyi0jC1AwrL0cD+efdG19/vkEk2Vdvx4EQb+JaAzQeSYpcl4r78s9IWTEberibWi6dfu9bf+Wf4RZ3XA9x7ij2fK2VP+C1rbwsx35SWFME+XouBMYdnfZINKl4lEqawfilbTjfqNBrZMVarWBEnQ579q9MPuXWH1TAIoWXZnZkFJIZRmotXzO84/NSNSkcyeMZPqmASD2Wi5oS+szb+iPf5w1N1LLmj407lEo8zcQrc63Du77d4KRl+ClrHCGIkcE4wENn1PZO8pBtqke+d/OGJ2xf4n2FTa7ShwBWG6vfwD3JFswv/uFrIjlcwviRVakK3taRFdPrWacMACyDLlOVFWsXUJRE+QZUvcF+F6NgKI2OoEObg0TpIepBFafg09P+9t8iHhFB1/7JUdefLUQrP6mNecUoJdJHV12r5DGN0GfeFiUijXCXAwRQvskYMEHxCaL+a3WL4zVoKhxiE+c+N8rQeneypnSvOFgQZLe3GpzrGpuyT2scw89WbEkequ54xbKnKOjNQiNcXuIvofTn4l8sWaK6JPLltZzvbCH3L3NLOIcadkvLxH2Mprp0FKUb,iv:/fR2FJan/QRCKLKBaPdagcfMD4xsaezZAXHIYmwZ484=,tag:1u/EXA+4KdsVrchKUMY41A==,type:str]
 authentik-ldap: ENC[AES256_GCM,data:trkAbd1/delgSdV2nvPjbDV4fK0Eeu0X3c8xGYFIotHhPrYqZeBlgh9m6W1dEBeH/DOqPDlc6hqwGCE7D39Ael/WV5dgQepzB+7eYQ==,iv:dNGa2YW2nm21lLuX0efxYO8TLyi6Or4IOID0Zvl3neQ=,tag:wBDWNxeuahiNw+vupGNPqw==,type:str]
 sops:
     kms: []
@@ -6,8 +8,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2024-01-21T19:05:38Z"
-    mac: ENC[AES256_GCM,data:7OiHNkvt6RqCSHtwHSlU8Fu3Lz02J4hKZTmIUNfRiisECa35nFTsDPHT5Tk9C8jKCyaScjiJLR4hGRBkBhKrjsJj0gDZSDKmWErIq26RBdDSjGWLzG71i4TD1PsYYSOfeftwuoRaC3boDsQ5EzTzZCF99rCEkf33YkeUFCWFjg0=,iv:ou900k1mW/SXnw2Bl2pSvazbcjsZia+55acE3narTBw=,tag:IlBmeN2cTVbxxBJbfQrmAQ==,type:str]
+    lastmodified: "2024-01-24T16:13:04Z"
+    mac: ENC[AES256_GCM,data:OKANPvWhQCG/iFwc2zWVnaQ2799ai8l40styj60kpWB1Id7ccLomPCvzMMtZS/tCrp9HxrbYkN/9GgRnMrMoNvp2QtL19c4pmN2V9VKrEklm77UMeN5KEOemk5Iiqnjk6LF3mPuRa5nFTSwoLSsYPZ1v+vX7oob7WlhR57WAb+g=,iv:2waLQWzcqXT/9NN1rkaoc1Ym2qziGVOgRhc2nvDtMCI=,tag:ayzPdyGxts/02kIyayDPpQ==,type:str]
     pgp:
         - created_at: "2024-01-21T19:04:47Z"
           enc: |-