# NixOS module: runs authentik and its LDAP outpost, and publishes the
# authentik web endpoint through Caddy at auth.<networking.domain>.
{ config, ... }:
let
  secrets = config.age.secrets;
  authHost = "auth.${config.networking.domain}";
in
{
  # Encrypted (.age) environment files. The services below are handed only
  # the resulting `.path`, so no secret value is written in this module.
  age.secrets = {
    authentik-core.file = ../../../../secrets/nuc/authentik/core.age;
    authentik-ldap.file = ../../../../secrets/nuc/authentik/ldap.age;
  };

  services = {
    authentik = {
      enable = true;
      environmentFile = secrets.authentik-core.path;
    };

    authentik-ldap = {
      enable = true;
      environmentFile = secrets.authentik-ldap.path;
    };

    # Caddy fronts the auth hostname and forwards to authentik on the
    # loopback interface. No scheme is given, so this hop is plain HTTP.
    caddy.virtualHosts."${authHost}".extraConfig = ''
      reverse_proxy localhost:9000
    '';
  };

  # Open the firewall for proxy auth (other hosts reaching authentik directly).
  # NOTE(review): allowedTCPPorts applies to every interface, so port 9000 is
  # reachable without passing through Caddy; clients connecting that way talk
  # to the same plain-HTTP listener Caddy uses, so logins and session cookies
  # are not protected by Caddy's TLS. If only particular proxy hosts need this,
  # consider scoping the rule with
  # networking.firewall.interfaces.<name>.allowedTCPPorts instead. Confirm
  # which peers actually need direct access.
  networking.firewall.allowedTCPPorts = [ 9000 ];
}