nuc: add authentik-ldap

hosts/nuc/default.nix

@@ -15,7 +15,6 @@
       ./modules/seafile
       ./modules/torrent
       ./modules/vaultwarden
-      # ./modules/nginx
       ./modules/caddy
       ./modules/indexing
     ];

hosts/nuc/modules/authentik/default.nix

@@ -3,17 +3,19 @@ let
   domain = "auth.${config.networking.domain}";
 in
 {
-  age.secrets.authentik = {
-    file = ../../../../secrets/nuc/authentik.age;
+  age.secrets.authentik-core = {
+    file = ../../../../secrets/nuc/authentik/core.age;
+  };
+  age.secrets.authentik-ldap = {
+    file = ../../../../secrets/nuc/authentik/ldap.age;
   };
   services.authentik = {
     enable = true;
-    environmentFile = config.age.secrets.authentik.path;
-    # nginx = {
-    #   enable = true;
-    #   enableACME = true;
-    #   host = domain;
-    # };
+    environmentFile = config.age.secrets.authentik-core.path;
+  };
+  services.authentik-ldap = {
+    enable = true;
+    environmentFile = config.age.secrets.authentik-ldap.path;
   };
   services.caddy.virtualHosts."${domain}".extraConfig = ''
     reverse_proxy localhost:9000

hosts/nuc/modules/matrix/default.nix

@@ -74,7 +74,8 @@ in
 
         # element
         "${domainClient}".extraConfig = ''
-          root '${pkgs.element-web.override {
+          file_server browse
+          root * ${pkgs.element-web.override {
             conf = {
               default_server_config = {
                 inherit (clientConfig) "m.homeserver";
@@ -82,7 +83,7 @@ in
               };
               disable_3pid_login = true;
             };
-          }}'
+          }}
         '';
       };
     };

hosts/nuc/modules/nginx/default.nix

@@ -1,41 +0,0 @@
-{ pkgs, lib, config, ... }:
-{
-  # set default options for virtualHosts
-  options = with lib; {
-    services.nginx.virtualHosts = mkOption {
-      type = types.attrsOf (types.submodule
-        ({ name, ... }: {
-          # split up nginx access logs per vhost
-          enableACME = true;
-          forceSSL = true;
-          # enable http3 for all hosts
-          quic = true;
-          http3 = true;
-          extraConfig = ''
-            access_log /var/log/nginx/${name}_access.log;
-            error_log /var/log/nginx/${name}_error.log;
-            add_header Alt-Svc 'h3=":443"; ma=86400';
-          '';
-        })
-      );
-    };
-  };
-  config = {
-    networking.firewall.allowedTCPPorts = [ 80 443 ];
-    networking.firewall.allowedUDPPorts = [ 443 ];
-    services.nginx = {
-      enable = true;
-      package = pkgs.nginxQuic;
-      recommendedTlsSettings = true;
-      recommendedProxySettings = true;
-      recommendedGzipSettings = true;
-      recommendedOptimisation = true;
-    };
-    security.acme = {
-      acceptTerms = true;
-      defaults = {
-        email = "rouven@${config.networking.domain}";
-      };
-    };
-  };
-}

hosts/nuc/modules/seafile/default.nix

@@ -35,7 +35,7 @@ in
     redir /accounts/login /oauth/login
     reverse_proxy unix//run/seahub/gunicorn.sock
     route /media/* {
-      root '${pkgs.seahub}'
+      root * ${pkgs.seahub}
     }
 
     route /seafhttp/* {