Replace Authelia with Authentik

modules/authentik.nix

@@ -0,0 +1,78 @@
+{
+  nixhelm,
+  system,
+  config,
+  lib,
+  ...
+}: {
+  options.authentik.enable = lib.mkEnableOption "authentik";
+
+  config = lib.mkIf config.authentik.enable {
+    kubernetes = {
+      helm.releases.authentik = {
+        chart = nixhelm.chartsDerivations.${system}.authentik.authentik;
+        includeCRDs = true;
+        namespace = "authentik";
+
+        values = {
+          authentik = {
+            secret_key = "ref+sops://secrets.yml#/authentik/secret_key";
+            postgresql.password = "ref+sops://secrets.yml#/authentik/postgresql_password";
+          };
+
+          postgresql = {
+            enabled = true;
+            auth.password = "ref+sops://secrets.yml#/authentik/postgresql_password";
+            primary.persistence.existingClaim = "db";
+          };
+
+          redis = {
+            enabled = true;
+            master.persistence.existingClaim = "redis";
+          };
+
+          email = {
+            host = "mail.smtp2go.com";
+            port = 2525;
+            username = "ref+sops://secrets.yml#/smtp2go/username";
+            password = "ref+sops://secrets.yml#/smtp2go/password";
+            from = "Authentik <authentik@kun.is>";
+          };
+        };
+      };
+    };
+
+    lab = {
+      longhorn.persistentVolumeClaim = {
+        db = {
+          volumeName = "authentik-db";
+          storage = "10Gi";
+        };
+
+        redis = {
+          volumeName = "authentik-redis";
+          storage = "5Gi";
+        };
+      };
+
+      ingresses.authentik = {
+        host = "authentik.kun.is";
+
+        service = {
+          name = "authentik-server";
+          portName = "http";
+        };
+      };
+
+      tailscaleIngresses = {
+        tailscale-authentik = {
+          host = "authentik";
+          service = {
+            name = "authentik-server";
+            portName = "http";
+          };
+        };
+      };
+    };
+  };
+}