deploy authentik, cleanup

hosts/auth/authentik.nix

@@ -0,0 +1,13 @@
+{ config, ... }:
+{
+  sops.secrets."authentik/env" = {};
+  services.authentik = {
+    enable = true;
+    environmentFile = config.sops.secrets."authentik/env".path;
+    settings = {
+      log_level = "debug";
+      disable_startup_analytics = true;
+      avatars = "initials";
+    };
+  };
+}

hosts/auth/default.nix

@@ -4,8 +4,7 @@ let
 in
 {
   imports = [
-    ./keycloak.nix
-    ./oauth2-proxy.nix
+    ./authentik.nix
   ];
   sops.defaultSopsFile = ./secrets.yaml;
   sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

hosts/auth/keycloak.nix

@@ -1,18 +0,0 @@
-{ config, ... }:
-{
-  services.keycloak = {
-    enable = true;
-    database = {
-      type = "postgresql";
-      createLocally = true;
-      passwordFile = config.sops.secrets."keycloak/db_pass".path;
-    };
-    settings = {
-      hostname = "https://auth.oxapentane.com";
-      http-port = 38080;
-      http-enabled = true;
-      proxy-headers = "xforwarded";
-      proxy-trusted-addresses = "10.89.88.0/24,fd31:185d:722f::/48";
-    };
-  };
-}

hosts/auth/oauth2-proxy.nix

@@ -1,25 +0,0 @@
-{ config, ... }:
-{
-  sops.secrets."oauth2-proxy/env" = {
-    owner = config.users.users.oauth2-proxy.name;
-  };
-
-  services.oauth2-proxy = {
-    enable = true;
-    reverseProxy = true;
-    provider = "keycloak-oidc";
-    httpAddress = "0.0.0.0:4180";
-    oidcIssuerUrl = "https://auth.oxapentane.com/realms/0xalab-prod";
-    clientID = "radicale-proxy";
-    redirectURL = "https://dav.oxapentane.com/oauth2/callback";
-    keyFile = config.sops.secrets."oauth2-proxy/env".path;
-    scope = "openid";
-    email.domains = [ "*" ];
-    setXauthrequest = true;
-    cookie = {
-      secure = true;
-      refresh = "48h0m0s";
-      domain = ".oxapentane.com";
-    };
-  };
-}