use secret files

hosts/auth/authentik.nix

@@ -19,15 +19,24 @@
       enable = true;
     };
   };
+  users.groups.authentik-ldap = {};
+  users.users.authentik-ldap = {
+    isSystemUser = true;
+    group = "authentik-ldap";
+  };
+  systemd.services.authentik-ldap.serviceConfig = {
+    DynamicUser = lib.mkForce false;
+    User = "authentik-ldap";
+  };
   services.authentik-ldap = {
     enable = true;
-    environmentFile = "/var/lib/authentik-ldap-env";
+    environmentFile = config.sops.secrets."auth/ldap-env-file".path;
+    # environmentFile = "/var/lib/authentik-ldap-env";
   };
   services.authentik = {
     enable = true;
-    # The environmentFile needs to be on the target host!
-    # Best use something like sops-nix or agenix to manage it
-    environmentFile = "/var/lib/authentik_secret";
+    # environmentFile = "/var/lib/authentik_secret";
+    environmentFile = config.sops.secrets."auth/env-file".path;
     settings = {
       email = {
         host = "mail.${config.networking.domain}";

hosts/mail/default.nix

@@ -103,8 +103,9 @@ in
       enable = true;
       bind = {
         # dn = "cn=dovecot,ou=users,DC=test,DC=htw,DC=stura-dresden,DC=de";
-        dn = "cn=ldapuser,ou=users,dc=ldap,dc=goauthentik,dc=io";
-        passwordFile = "/var/lib/dovecot_ldap_passwd";
+        dn = "cn=mail,ou=users,dc=mail,dc=htw,dc=stura-dresden,dc=de";
+        # passwordFile = "/var/lib/dovecot_ldap_passwd";
+        passwordFile = config.sops.secrets.ldap_passwd.path;
       };
       dovecot = {
         userFilter = "(&(objectClass=posixAccount)(mail=%u))";
@@ -117,7 +118,7 @@ in
         uidAttribute = "cn";
       };
       #searchBase = "DC=test,DC=htw,DC=stura-dresden,DC=de";
-      searchBase = "DC=ldap,DC=goauthentik,DC=io";
+      searchBase = "dc=mail,dc=htw,dc=stura-dresden,dc=de";
       uris = [
         "ldap://auth.test.htw.stura-dresden.de:3389"
       ];