From 9eaf15ca397c0892d19c46e6aa533425051a393b Mon Sep 17 00:00:00 2001
From: Lucy Hochkamp <git@xyno.systems>
Date: Thu, 27 Feb 2025 13:06:38 +0100
Subject: [PATCH] authentik ldap

---
 hosts/ds9/authentik.nix         |  15 +++++++++++++++
 secrets/ds9AuthentikLdapEnv.age | Bin 0 -> 949 bytes
 secrets/secrets.nix             |   1 +
 3 files changed, 16 insertions(+)
 create mode 100644 secrets/ds9AuthentikLdapEnv.age

diff --git a/hosts/ds9/authentik.nix b/hosts/ds9/authentik.nix
index d3e8fcc0..ea6caaba 100644
--- a/hosts/ds9/authentik.nix
+++ b/hosts/ds9/authentik.nix
@@ -4,6 +4,7 @@
     inputs.quadlet-nix.nixosModules.quadlet
   ];
   ragon.agenix.secrets.ds9AuthentikEnv = { };
+  ragon.agenix.secrets.ds9AuthentikLdapEnv = { };
   virtualisation.quadlet =
     {
       containers = {
@@ -53,6 +54,20 @@
           config.age.secrets.ds9AuthentikEnv.path
         ];
         authentik-worker.serviceConfig.TimeoutStartSec = "60";
+        authentik-ldap.containerConfig.image = "ghcr.io/goauthentik/ldap:2024.12.3";
+
+        authentik-ldap.containerConfig.networks = [
+          "podman"
+          "authentik-net"
+        ];
+        authentik-ldap.containerConfig.environments = {
+          AUTHENTIK_HOST = "http://authentik-server:9000";
+          AUTHENTIK_INSECURE = "true";
+        };
+        authentik-ldap.containerConfig.environmentFiles = [
+          config.age.secrets.ds9AuthentikLdapEnv.path
+        ];
+        authentik-ldap.serviceConfig.TimeoutStartSec = "60";
         authentik-redis.containerConfig.image = "docker.io/library/redis:alpine";
         authentik-redis.containerConfig.networks = [
           "authentik-net"
diff --git a/secrets/ds9AuthentikLdapEnv.age b/secrets/ds9AuthentikLdapEnv.age
new file mode 100644
index 0000000000000000000000000000000000000000..a6cacaa63c1813fc359adbe0384eaa9259b9d13d
GIT binary patch
literal 949
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCUlOp2&TD_00|G7i)?
z3NZ5V^(!n&2~N)N49Llf^!F+Yb2W(Y$#U_x^sqECwJ>pyDCa6k)GiFK4D-yf^ma8f
z3HJ{)%gb=}$@EJ}%63k1ODZsP40iM~ig3<!Do3}iG~FXSyj;PwvY?_eBGWi4LO;hf
zE!e})tTNp=q&UK>vMSxutK7&t%fcu<qoC5n!-T8IH_+J4DaW8tKQcSTI5j7<*fh<n
z*wHDlv?4nqHQ2y6tje>}Im<iS*%95g&``^uU`K_b5VsINmrVc6R5Qc;0$=B-<h;OS
zXBT%L@8Fa?4^#gj7Z(%lLeu1+P**MsuPkkMlXCOmaNoSFtf0a~?L=*#!m7$}qr5Dq
z^85nh@Zb!u0t>%PuY7ddg1kJ9og5XkjS6$J@{&V+vm?sNjB}FxvrJ9gERtNEax0@M
z3sY140*u_l-SeW{+<m!B3WJio%SyF<{k8ql(^CU0L(Kzoy`0h_(%t-=LL<E+E6Y7R
zJfezHgE4H2$Sd>mE?3ZwEH8_y$Oum=DhhS?D9<-fNzSWsHZL*AEXYVJb1iZWDF`$$
z^)v|yF6SzBPb#%2jWCJI4$bgQO!joi%gxV7^GG*H^7e~N3QTq>_A&C;cMmU1N=Nsb
zxu1`zU%G-tYPpkPVRle}QL#Z*q)(BLxmQJbS(d(+QKo-NsHd@SrE^Y>b3vJ(y9t+<
zNk+bYzNcwrzCpNKibtYXPC%GpqOWODL|R~SkcYWtfth8AX=zDlZYa8KrolNmMu7@d
zjxIsQe%aZ61(DvSZfW_&nSo)!j{cz@!4WwI$pt3KQO>>vPQC>}A%R>brq1p@rm2x3
zX(m1y<~}LODF$waPN9LG9-*E|AudkF6(topA=>V4`kq|6y1EK(g<c^(UjAjFVNro@
zKAD!4+D`t7js;=m{^7+Tg+Z<*;Zff1+1i0gnUP$q!AI6TJT4b6EEc3wIxYV8vY<?c
zS3YYseo9r={;^0%NSLP4(i7klYB}$hrSh@c(tiyjQ+MsoH~3eTc%U=JL2p6#uI)b`
u^6LcaF0+?(^qI3qZrh!c^E3P$r@RmF<ohM?-fs2YHoukfzn(|0b_W2eHa;@|

literal 0
HcmV?d00001

diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 0870a597..bce29543 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -21,6 +21,7 @@ in
   "ds9PostgresEnv.age".publicKeys = pubkeys.ragon.host "ds9";
   "ds9ImmichEnv.age".publicKeys = pubkeys.ragon.host "ds9";
   "ds9AuthentikEnv.age".publicKeys = pubkeys.ragon.host "ds9";
+  "ds9AuthentikLdapEnv.age".publicKeys = pubkeys.ragon.host "ds9";
   "gatebridgeHostKeys.age".publicKeys = pubkeys.ragon.server;
   "plausibleAdminPw.age".publicKeys = pubkeys.ragon.host "picard";
   "plausibleGoogleClientId.age".publicKeys = pubkeys.ragon.host "picard";