From e3a9a391c2a1b6a8d578ae6274e37c7c569ca831 Mon Sep 17 00:00:00 2001
From: goeranh
Date: Sat, 21 Mar 2026 18:04:08 +0100
Subject: [PATCH] use secret files
---
 hosts/auth/authentik.nix | 17 +++++++++++++----
 hosts/mail/default.nix | 7 ++++---
 2 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/hosts/auth/authentik.nix b/hosts/auth/authentik.nix
index 0e04762..4ae125b 100644
--- a/hosts/auth/authentik.nix
+++ b/hosts/auth/authentik.nix
@@ -19,15 +19,24 @@
 enable = true;
 };
 };
+ users.groups.authentik-ldap = {};
+ users.users.authentik-ldap = {
+ isSystemUser = true;
+ group = "authentik-ldap";
+ };
+ systemd.services.authentik-ldap.serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ User = "authentik-ldap";
+ };
 services.authentik-ldap = {
 enable = true;
- environmentFile = "/var/lib/authentik-ldap-env";
+ environmentFile = config.sops.secrets."auth/ldap-env-file".path;
+ # environmentFile = "/var/lib/authentik-ldap-env";
 };
 services.authentik = {
 enable = true;
- # The environmentFile needs to be on the target host!
- # Best use something like sops-nix or agenix to manage it
- environmentFile = "/var/lib/authentik_secret";
+ # environmentFile = "/var/lib/authentik_secret";
+ environmentFile = config.sops.secrets."auth/env-file".path;
 settings = {
 email = {
 host = "mail.${config.networking.domain}";
diff --git a/hosts/mail/default.nix b/hosts/mail/default.nix
index 6d3c388..a532988 100644
--- a/hosts/mail/default.nix
+++ b/hosts/mail/default.nix
@@ -103,8 +103,9 @@ in
 enable = true;
 bind = {
 # dn = "cn=dovecot,ou=users,DC=test,DC=htw,DC=stura-dresden,DC=de";
- dn = "cn=ldapuser,ou=users,dc=ldap,dc=goauthentik,dc=io";
- passwordFile = "/var/lib/dovecot_ldap_passwd";
+ dn = "cn=mail,ou=users,dc=mail,dc=htw,dc=stura-dresden,dc=de";
+ # passwordFile = "/var/lib/dovecot_ldap_passwd";
+ passwordFile = config.sops.secrets.ldap_passwd.path;
 };
 dovecot = {
 userFilter = "(&(objectClass=posixAccount)(mail=%u))";
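Review bot: Forcing `DynamicUser = lib.mkForce false` on authentik-ldap and pinning a static `authentik-ldap` user silently drops the hardening DynamicUser implies (`ProtectSystem=strict`, `ProtectHome=read-only`, `NoNewPrivileges`, `RemoveIPC`), and nothing in the hunk explains why the static user is needed. If it was done so the service can read the sops secret, note that `EnvironmentFile=` is read with root privileges before the unit switches to its user, so the secret can stay root-owned 0400 and DynamicUser can stay on; if a static user really is required, bind the secret to it explicitly, e.g. `sops.secrets."auth/ldap-env-file".owner = "authentik-ldap";`, and re-add the implied protections by hand. The new lines also rely on `lib` being in the module's argument set, which is outside this hunk. The commented-out `# environmentFile = "/var/lib/…"` lines are dead config now that the sops paths are the source of truth and could be dropped, while the removed note about the file having to exist on the target host was still useful and could survive as `# Provided by sops-nix; the decrypted file only exists on the target host`.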
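Review bot: The bind password now loaded from `config.sops.secrets.ldap_passwd.path` is still presented, presumably in a simple bind, over the plain `ldap://auth.test.htw.stura-dresden.de:3389` URI that appears as context later in this file, so unless the link is wrapped in TLS somewhere not visible here the credential crosses the network in cleartext; consider `ldaps://` (authentik's outpost exposes a TLS port) or startTLS, or document why plaintext is acceptable on this segment. The secret key `ldap_passwd` is also not namespaced the way the auth host's `"auth/…"` keys are, so a `"mail/ldap-passwd"`-style name would be consistent and avoid collisions across hosts. The `# passwordFile = "/var/lib/dovecot_ldap_passwd"` line is dead config and can be dropped. The enclosing `ldap = { … }` attribute set starts before and ends after this hunk.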
@@ -117,7 +118,7 @@ in
 uidAttribute = "cn";
 };
 #searchBase = "DC=test,DC=htw,DC=stura-dresden,DC=de";
- searchBase = "DC=ldap,DC=goauthentik,DC=io";
+ searchBase = "dc=mail,dc=htw,dc=stura-dresden,dc=de";
 uris = [ "ldap://auth.test.htw.stura-dresden.de:3389" ];