From 8ca88da93a0b3238e4642da5b5e299694dcf2931 Mon Sep 17 00:00:00 2001
From: Jordan Holt
Date: Mon, 12 Aug 2024 00:10:54 +0100
Subject: [PATCH] Add authentik
---
 flake.nix | 1 +
 hosts/vps1/default.nix | 21 ++++++++++++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/flake.nix b/flake.nix
index adc35bd..bf11b9b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -6,6 +6,7 @@
 nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
 # nixpkgs-master.url = "nixpkgs";
 agenix.url = "github:ryantm/agenix";
+ authentik-nix.url = "github:nix-community/authentik-nix";
 deploy-rs.url = "github:serokell/deploy-rs";
 disko = {
 url = "github:nix-community/disko";
diff --git a/hosts/vps1/default.nix b/hosts/vps1/default.nix
index a195559..afa0c23 100644
--- a/hosts/vps1/default.nix
+++ b/hosts/vps1/default.nix
@@ -1,7 +1,8 @@
-{ lib, ... }:
+{ config, lib, self, ... }:
 {
 imports = [
+ self.inputs.authentik-nix.nixosModules.default
 ./hardware-configuration.nix
 ../server.nix
 ];
@@ -41,6 +42,24 @@
 services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";
+ age.secrets."files/services/authentik/envfile" = {
+ file = "${self.inputs.secrets}/files/services/authentik/envfile.age";
+ };
+
+ services.authentik = {
+ enable = true;
+ environmentFile = config.age.secrets."files/services/authentik/envfile".path;
+ settings = {
+ disable_startup_analytics = true;
+ disable_update_check = true;
+ };
+ nginx = {
+ enable = true;
+ enableACME = true;
+ host = "auth.vimium.com";
+ };
+ };
+
 modules = rec {
 databases.postgresql.enable = true;
 services = {
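Review bot: The new `authentik-nix` input in the flake.nix hunk is unpinned — `github:nix-community/authentik-nix` carries no `/ref` or `?rev=`, so every `nix flake update` moves the identity provider's packaging to whatever the default branch holds at that moment, and the diffstat shows `flake.lock` is not part of this commit, so the revision that will actually be built is not reviewable here. For the module that fronts authentication for the host I would pin to a release, `authentik-nix.url = "github:nix-community/authentik-nix/<release-tag>";`, and commit the lock change in the same patch so the pin is visible to reviewers. If authentik-nix carries its own `nixpkgs` input (not verifiable from this diff), also add `authentik-nix.inputs.nixpkgs.follows = "nixpkgs";` so the service is built from the same nixpkgs tree as the rest of the host rather than a second, independently updated one that can lag security fixes. The other inputs in this hunk have the same shape, so this may be a repo-wide convention rather than an oversight specific to this change.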