From 7f224bd6fc58f5106a32433a0d6f4f40abe37288 Mon Sep 17 00:00:00 2001
From: Nathan
Date: Wed, 8 Oct 2025 17:25:39 -0500
Subject: [PATCH] finish later
---
.../services/containers/authentik/default.nix | 75 +++++++++++++++++++
system-config/services/wireguard/default.nix | 17 +++++
2 files changed, 92 insertions(+)
create mode 100644 system-config/services/containers/authentik/default.nix
create mode 100644 system-config/services/wireguard/default.nix
diff --git a/system-config/services/containers/authentik/default.nix b/system-config/services/containers/authentik/default.nix
new file mode 100644
index 0000000..719548d
--- /dev/null
+++ b/system-config/services/containers/authentik/default.nix
@@ -0,0 +1,75 @@
+{ config, lib, inputs, ... }: {
+
+ options.sysconfig.virtualization.authentik.enable = lib.options.mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+
+ imports = [
+ inputs.sops-nix.nixosModules.sops
+ ];
+
+ config = lib.mkIf config.sysconfig.virtualization.authentik.enable {
+
+ sops.secrets."authentik/dbpass" = {};
+
+ networking = {
+
+ nat.internalInterfaces = [ "ve-authentik" ];
+ };
+
+ containers.authentik = {
+
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = "192.168.100.10";
+ localAddress = "192.168.100.35";
+
+ extraFlags = [
+ "--load-credential=dbpass:${config.sops.secrets."authentik/dbpass".path}"
+ ];
+
+ bindMounts = {
+ "/etc/authentik" = {
+ hostPath = "/ssd1/Authentik";
+ isReadOnly = false;
+ };
+ };
+
+ config = {
+
+ networking.firewall.allowedTCPPorts = [ 9001 ];
+
+ systemd.services.secrets_setup = {
+ wantedBy = [ "authentik.service" ];
+
+ serviceConfig = {
+ LoadCredential = [
+ "dbpass"
+ ];
+ };
+
+ script = ''
+ cat ''${CREDENTIALS_DIRECTORY}/dbpass > /etc/authentik/dbpass
+ chown postgres:postgres /etc/authentik/dbpass
+ '';
+ };
+
+ services.authentik = {
+ enable = true;
+
+ environmentFile = "/etc/authentik/authentik.env";
+
+ settings = {
+ disable_startup_analytics = true;
+ avatars = "initials";
+ };
+
+ worker.listenHTTP = "0.0.0.0:9001";
+ };
+
+ system.stateVersion = "25.05";
+ };
+ };
+ };
+}
diff --git a/system-config/services/wireguard/default.nix b/system-config/services/wireguard/default.nix
new file mode 100644
index 0000000..c365b8e
--- /dev/null
+++ b/system-config/services/wireguard/default.nix
@@ -0,0 +1,17 @@
+{ config, lib, ... }: {
+
+ options = {
+ sysconfig.wireguard.enable = lib.options.mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+ };
+
+ config = lib.mkIf config.sysconfig.wireguard.enable {
+ networking.wireguard = {
+ enable = true;
+ interfaces.wg0 = {
+ };
+ };
+ };
+}
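Review bot: The `secrets_setup` script copies the database password out of the protected `$CREDENTIALS_DIRECTORY` into `/etc/authentik/dbpass` with a bare `cat >` redirect, so the file is created under the shell's default umask (typically 0644) and is only `chown`ed, never `chmod`ed — and `/etc/authentik` is the read-write bind mount of the host's `/ssd1/Authentik`, so the secret lands world-readable on persistent host storage, which defeats the point of passing it as a systemd credential. Ordering is also missing: `wantedBy` only pulls the unit in, and with the default `Type = "simple"` the unit counts as started as soon as the script is forked, so `authentik.service` can start before the file exists; add `before = [ "authentik.service" ];` and `Type = "oneshot";`. Nothing in this hunk reads `/etc/authentik/dbpass` — presumably `authentik.env` references it; if authentik can consume the credential directly (e.g. `LoadCredential` on `authentik.service` with `EnvironmentFile = "%d/..."`), dropping the on-disk copy altogether is the better fix. `chown postgres:postgres` additionally assumes a `postgres` user exists inside the container, which I cannot confirm from this hunk.
```nix
systemd.services.secrets_setup = {
  wantedBy = [ "authentik.service" ];
  before = [ "authentik.service" ];

  serviceConfig = {
    Type = "oneshot";
    LoadCredential = [
      "dbpass"
    ];
  };

  script = ''
    umask 077
    install -m 0600 -o postgres -g postgres ''${CREDENTIALS_DIRECTORY}/dbpass /etc/authentik/dbpass
  '';
};
```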
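Review bot: `interfaces.wg0 = { };` enables WireGuard with an interface that has no private key, peers, or port; as far as I recall the NixOS module asserts that exactly one of `privateKey`/`privateKeyFile` is set, so flipping `sysconfig.wireguard.enable` on will most likely fail evaluation rather than produce a tunnel — confirm against the module version in use. When this stub is finished, keep the key out of the Nix store by using `privateKeyFile = config.sops.secrets."wireguard/privkey".path;` (never `privateKey`, which is copied world-readable into `/nix/store`), and pair `listenPort` with the matching `networking.firewall.allowedUDPPorts` entry. A comment such as `# TODO: stub — key, peers and listenPort still to be added; enabling this as-is is expected to fail` on `wg0` would make the unfinished state explicit to anyone importing this module.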