From ac94cf6c5d679bdd40a1c965175b3cd5ce8eaa15 Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Fri, 20 Feb 2026 10:09:17 -0800
Subject: [PATCH] Add Authentik container definition (Nix) Nix-built container using pkgs.authentik with ak entrypoint. Includes bashInteractive (ak is a bash wrapper), cacert, tzdata.
Co-Authored-By: Claude Opus 4.6
---
containers/authentik/default.nix | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
create mode 100644 containers/authentik/default.nix
diff --git a/containers/authentik/default.nix b/containers/authentik/default.nix
new file mode 100644
index 0000000..dce6116
--- /dev/null
+++ b/containers/authentik/default.nix
@@ -0,0 +1,29 @@
+# Nix-built Authentik identity provider
+# Uses nixpkgs authentik package (ak entrypoint wrapping Go server + Python worker)
+# Built with dockerTools.buildLayeredImage for efficient layer caching
+{ pkgs ? import { } }:
+
+pkgs.dockerTools.buildLayeredImage {
+ name = "blumeops/authentik";
+ tag = "latest";
+
+ contents = [
+ pkgs.authentik
+ pkgs.bashInteractive
+ pkgs.cacert
+ pkgs.tzdata
+ ];
+
+ config = {
+ Entrypoint = [ "${pkgs.authentik}/bin/ak" ];
+ Env = [
+ "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+ "TZDIR=${pkgs.tzdata}/share/zoneinfo"
+ ];
+ ExposedPorts = {
+ "9000/tcp" = { };
+ "9443/tcp" = { };
+ };
+ User = "65534";
+ };
+}
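Review bot: `tag = "latest";` gives the identity-provider image a mutable tag, so a deployment that references `blumeops/authentik:latest` cannot tell which Authentik build it is running, and a rebuild silently replaces it. Tie the tag to the packaged version, e.g. `tag = pkgs.authentik.version;`, or drop the `tag` line so `buildLayeredImage` falls back to the output hash, and have deployments reference that tag or the image digest. The `pkgs` default on the function-argument line appears to have lost its path in this rendering; if it resolves through the builder's channel, the nixpkgs revision (and with it the Authentik version and its security fixes) also varies per build host, so pinning it belongs in the same change. A short comment above `User = "65534";` stating that the container runs as the unprivileged nobody uid, and which paths that uid needs to write to, would help whoever writes the deployment manifest.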