sf

modules/nixos/services/authentik/default.nix

@@ -5,6 +5,9 @@
   ...
 }:
 with lib;
+# NOTE: AUTHENTIK_TOKEN for the RAC outpost is stored in sops.
+# Add jallen-nas/authentik-rac/token to secrets/nas-secrets.yaml and ensure
+# jallen-nas/sops.nix declares the "authentik-rac.env" template before deploying.
 let
   name = "authentik";
   cfg = config.${namespace}.services.${name};
@@ -41,10 +44,12 @@ let
         volumes = [
           "${cfg.configDir}/authentik-rac:/media"
         ];
+        # AUTHENTIK_TOKEN is injected via the sops template "authentik-rac.env"
+        # defined in systems/x86_64-linux/jallen-nas/sops.nix
+        environmentFiles = [ config.sops.templates."authentik-rac.env".path ];
         environment = {
           AUTHENTIK_HOST = "https://${name}.mjallen.dev";
-          AUTHENTIK_TOKEN = "0XGkB2pXoOTqcCMAjucAtfamvlsIZCPmy1Zri54Ozjj3zzMCvcLwkQPrukfx";
-          AUTHENTIK_INSECURE = "false"; # Set to true for self-signed certs
+          AUTHENTIK_INSECURE = "false";
           PUID = toString cfg.puid;
           PGID = toString cfg.pgid;
           TZ = cfg.timeZone;