diff --git a/modules/authentik.nix b/modules/authentik.nix
index d29c715..ad09497 100644
--- a/modules/authentik.nix
+++ b/modules/authentik.nix
@@ -16,28 +16,42 @@
 
         values = {
           authentik = {
-            secret_key = "ref+sops://secrets.yml#/authentik/secret_key";
-            postgresql.password = "ref+sops://secrets.yml#/authentik/postgresql_password";
+            email = {
+              host = "mail.smtp2go.com";
+              port = 2525;
+              from = "Authentik authentik@kun.is";
+            };
           };
 
           postgresql = {
             enabled = true;
             auth.password = "ref+sops://secrets.yml#/authentik/postgresql_password";
             primary.persistence.existingClaim = "db";
+            primary.extraEnvVarsSecret = "postgresql-env";
           };
 
           redis = {
             enabled = true;
             master.persistence.existingClaim = "redis";
           };
+        };
+      };
 
-          email = {
-            host = "mail.smtp2go.com";
-            port = 2525;
-            username = "ref+sops://secrets.yml#/smtp2go/username";
-            password = "ref+sops://secrets.yml#/smtp2go/password";
-            from = "Authentik <authentik@kun.is>";
-          };
+      resources = let
+        env = {
+          AUTHENTIK_POSTGRESQL__PASSWORD.value = "ref+sops://secrets.yml#/authentik/postgresql_password";
+          AUTHENTIK_SECRET_KEY.value = "ref+sops://secrets.yml#/authentik/secret_key";
+          AUTHENTIK_EMAIL__USERNAME.value = "ref+sops://secrets.yml#/smtp2go/username";
+          AUTHENTIK_EMAIL__PASSWORD.value = "ref+sops://secrets.yml#/smtp2go/password";
+        };
+      in {
+        secrets.postgresql-env.stringData = {
+          POSTGRES_PASSWORD = "ref+sops://secrets.yml#/authentik/postgresql_password";
+        };
+
+        deployments = {
+          authentik-server.spec.template.spec.containers.server.env = env;
+          authentik-worker.spec.template.spec.containers.worker.env = env;
         };
       };
     };
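Review bot: The four `AUTHENTIK_*` entries in the new `env` set are passed as literal `.value` fields, so once the sops references are resolved the secret key, database password and SMTP credentials would sit in plain text in the `authentik-server` and `authentik-worker` Deployment specs, readable by anyone allowed to get Deployments rather than only Secrets. The hunk already creates a `postgresql-env` Secret for the database pod; the same pattern with `valueFrom.secretKeyRef` would keep these values out of the pod template, as sketched below (assuming the resource module mirrors the Kubernetes EnvVar schema). Separately, the new `from` line drops the angle brackets the removed line had and probably should stay `from = "Authentik <authentik@kun.is>";`. The enclosing attribute set starts and ends outside this hunk.

```nix
      resources = let
        # Point each variable at a key of the authentik-env Secret instead of
        # inlining the decrypted value in the pod template.
        fromSecret = key: {
          valueFrom.secretKeyRef = {
            name = "authentik-env";
            inherit key;
          };
        };
        env = {
          AUTHENTIK_POSTGRESQL__PASSWORD = fromSecret "AUTHENTIK_POSTGRESQL__PASSWORD";
          AUTHENTIK_SECRET_KEY = fromSecret "AUTHENTIK_SECRET_KEY";
          AUTHENTIK_EMAIL__USERNAME = fromSecret "AUTHENTIK_EMAIL__USERNAME";
          AUTHENTIK_EMAIL__PASSWORD = fromSecret "AUTHENTIK_EMAIL__PASSWORD";
        };
      in {
        secrets.authentik-env.stringData = {
          AUTHENTIK_POSTGRESQL__PASSWORD = "ref+sops://secrets.yml#/authentik/postgresql_password";
          AUTHENTIK_SECRET_KEY = "ref+sops://secrets.yml#/authentik/secret_key";
          AUTHENTIK_EMAIL__USERNAME = "ref+sops://secrets.yml#/smtp2go/username";
          AUTHENTIK_EMAIL__PASSWORD = "ref+sops://secrets.yml#/smtp2go/password";
        };
        # … unchanged: secrets.postgresql-env and the two deployments' env = env wiring …
```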
diff --git a/secrets.yml b/secrets.yml
index 55b771f..01ef5e8 100644
--- a/secrets.yml
+++ b/secrets.yml
@@ -46,6 +46,8 @@ authentik:
             client_secret: ENC[AES256_GCM,data:GgF+gQt8olzKUzGMDL6mh6UWDv49OPDH5tB/gboWkFd7Njc1SrSkqf71gQryOcPQ0vpXrh0nK1z6ZjMpmDEA5ohTwWymeLCgwNtJSAMHZ1VlZ2aQZr70r3KtAxKjmTiT5flUYnxS79fCF43BveSMGeAshRCvQmYCdi43sP2E4To=,iv:DzsIRPiMzxaqVrjaHMVKWgOR0asZQzWf8EE1nxRSJmk=,tag:79bo7EzVq9tvL6ap6jfV+Q==,type:str]
         forgejo:
             client_secret: ENC[AES256_GCM,data:I0LBIrsPuARFEcvu0sKhIbkEYxLhZrwpRfPls3KDARu5rnfwgbJ6AVtfMmcAIM9ISFzXykoyMXossHo1i23N90PsHdl2t580EffhJ+q/UUfCIk7/rX/6CXlcb8WHdab4ymN5r9jEsgD3mAWX55IehU96ZKGRKRhxSIowCIYRhyQ=,iv:1wQDGCDhSu0s+IqXULiHmRiKGTLRvOjwsYaNMCWfkjg=,tag:p1mwks0KP9lhbciTIv3/Dw==,type:str]
+        immich:
+            client_secret: ENC[AES256_GCM,data:KrsaLLsjfQsyNQzvQF/pCLj1dhi8tr/OdToY7WczvPUUQKMtSk//oxsiPike/HoVEuCUp+j7UlTfIRPF2xUcPPvw7pkcLhQhcot79aieI1ciIeLZ1Q5svsPrqDBmDY7g65jkzA9vjM9VLTsx4Dx/1vGHDqo7I12qadEQlKAuhhQ=,iv:3icAM7sVe2HlmosbP7VPbcF4SRz/mlbzdQ1gENR9TRs=,tag:O8TCN7NltNpDGoG3T8Ds1w==,type:str]
 smtp2go:
     username: ENC[AES256_GCM,data:BEr7Rq7rlGvfYEpY/ZXnhM2eClnHdqU81A==,iv:dwYD5h+C5bzS9ikUgxQ51+jRQ32TtDy2PhDbd1tpS8Q=,tag:CjjLDz5n4H28qi8jWf9S4w==,type:str]
     password: ENC[AES256_GCM,data:Yys6qy6DRYo16+X+Uj9oa9otjaKBnHOtIQ==,iv:G7H9mxsODShFoVlNMwuV8O18NBG/7LTFDFdqnH83YkE=,tag:hSlYp27QMoPZwiKBqyOpKA==,type:str]
@@ -73,8 +75,8 @@ sops:
             azR0UkJyL0RwUVk4ZzdkSWptcDlWVjAK5FU9B5TBSnV3azO4eCv13T6i3dGGuI68
             UgBrVEb1/Fv+4XTjeSEhpiOaH8sNWYoNa3Aa7uTZYlHDRWga2GC7zw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-02-11T13:15:47Z"
-    mac: ENC[AES256_GCM,data:IzXlag5LcmeuH43IdsTJ6pflQYr8B4GqQYXtC385E5oqnnYHUVa27zo8XZEmaL6O9ooDOmcq1rtlZaPIMgawbvfbT2r31C9Z4zuAz50ogypOKuAh+/KeKO5an9YqySM/mrFWujpVk+kExurS+BwKvgLGvKxcRrznWgqjVOEPiiE=,iv:7frEopY+a36KGfCW2/obTOym4RV5sutqKXoiszZ+OJY=,tag:w/8c0Xic/zF22qSXyC+j6A==,type:str]
+    lastmodified: "2025-02-11T17:44:56Z"
+    mac: ENC[AES256_GCM,data:YR0UTMbTjiByzocy9CTSn/veADgundo37Y8Z7MOL1HpvnaCnSiYlYRh70ODRaM73F3SaKgzPW0INKUy6T8kMq/HxlGrrIv331yG88LltR6xkalRBhP3h3mhkW75Px9iXNj8KFE4Q/eUp+Ds2/7gFo/oRryDngXoPPBqgBFupr/U=,iv:TmpXbrFY2XmBA2XwCIy6Vgbj0W0Rcn4GrJ0Ra7tSXiY=,tag:coymhw3aTjbTIAmEDdiHkw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.4