From 37a87f7a57aae591f6952daa4aad8cb31f1a1874 Mon Sep 17 00:00:00 2001
From: "Thomas A. Christensen II" <25492070+MillironX@users.noreply.github.com>
Date: Fri, 20 Mar 2026 08:11:07 -0500
Subject: [PATCH 1/2] security (authentik): Add Crowdsec monitoring to Authentik

---
 services/authentik.nix | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/services/authentik.nix b/services/authentik.nix
index b6caf43..b5f6dd8 100644
--- a/services/authentik.nix
+++ b/services/authentik.nix
@@ -75,6 +75,15 @@ in {
 };
 users.groups."${user}" = { };
+ services.crowdsec = {
+ localConfig.acquisitions = [{
+ source = "journalctl";
+ journalctl_filter = [ "_SYSTEMD_USER_UNIT=${user}.service" ];
+ labels.type = "authentik";
+ }];
+ hub.collections = [ "firix/authentik" ];
+ };
+ home-manager.users."${user}" = { config, osConfig, ... }: { imports = [ home-manager-quadlet-nix ];

From 5b5aeea40b240489d10d2586675a6461a71e8f41 Mon Sep 17 00:00:00 2001
From: "Thomas A. Christensen II" <25492070+MillironX@users.noreply.github.com>
Date: Fri, 20 Mar 2026 10:22:18 -0500
Subject: [PATCH 2/2] feat (authentik): Add storage bucket support

---
 secrets/authentik.toml.age | Bin 1222 -> 1614 bytes
 services/authentik.nix | 14 ++++++++++++++
 2 files changed, 14 insertions(+)
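Review bot: The acquisition filters on a single unit, `_SYSTEMD_USER_UNIT=${user}.service`, but the later hunks show authentik running as two separate quadlet containers (`exec = "worker"` and `exec = "server"`), so the generated user units may carry other names and this filter could match neither, leaving the `firix/authentik` collection with nothing to parse; please confirm the unit name the journal actually records and list one filter per unit if they differ. CrowdSec's journalctl source runs outside the user session, so it also needs read access to that user's journal (typically via the `systemd-journal` group), which this hunk does not show and may be configured elsewhere. Nothing in the hunk registers a bouncer, so unless one exists elsewhere this is detection-only, which the commit message could state. A short comment above the block would help, e.g. `# Feed the authentik quadlets' user-unit journal to CrowdSec; parsing comes from the firix/authentik hub collection.`. Note that the trailing `+ home-manager.users…` run is, by the hunk counts (9 insertions, 8 visible non-blank additions), an added blank line followed by unchanged context, and the enclosing `in { … }` attribute set starts and ends outside the hunk.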
diff --git a/secrets/authentik.toml.age b/secrets/authentik.toml.age index d3c91cca5c23bc224a0f53a2dfff20c254edd975..e3b6a25099a2754a2f4547c9113968a76682d64d 100644 GIT binary patch delta 1531 zcmV-{GJ1Doa5Pd`ZE!F~ zaCk~WI0|oOO>;$aOEXzwRC7vEOfzIPF;;U)Ye95*S9VHkSvEIJN<(2yFLX#+Q3@?S zAaiqQEoEdfH8n9gATehzcz1Uob!D^EypFhntTYgI{hW=%CwcVSvYOm|sgGIV8d zS}{#Qk?|K-P)%Vq|PPcTO}ZAob}MM+3Wa!gr5SwvN2aXDm0ZEr$Yb81lv za&vE0M^;5?XL)2nHF#ESPd09Lb~$EHbSpMZdNoIGOIbBgQ&ChmG%{zCUjY|aayNA` zVnJ`uHa1aZRZC<~S9ozY zOhHdLG-fbvHD+^3VN_&BLRmF$bxSxfsGMpQF0dN+15bwqAOT47R2 zY<6g4aX4dYVOVoYXl^iLS7=U8c{5g4Hbr*|V=`BBZES5>I4?n2GjuU^D`{g(YIaX} zcQ{W?Oml8_Sx<0id15kocQVOPEJjKc~?bFHEKg-Lq}zLGgmQ7Zg5#)LUD6iLT?H%ZbURgbxdbOb75&QXhV2q zNojX^cTHDiQ*~=$H)?izO-@ZgdUa-1Zg&bTEiE8bLn}E^Q&@U3T5n@xc1JZbVR&<4 zRWfBlaWYq9L{fK6a5ZymVMAhSQZx!GSqa~ZZ=$DvKgsH((8xu@zYa^vrR011d&?29 z?ZIQ9qlrAJnhXDf(>6_Rwr{`oSclIl!~xE>$0{>VRI@WrC~0_`%*N*9hA=(i%M(um ziZ%p6?n4tGKWRmWksQWfQxR9EEK+3i4R_+-GzwUvTw=a0%S)LE&mb6{0W6D#;u0Dh zXm%HWhDE%dg$x_*R#x`%0nhF%!;Zd>EeO^wQfQHQ`v zCv94&#?xF%lHxLB5r#9F{Tuhkxk2K?3D>KZe4fz&e%w_f)nbJiDJ)X z?5wHiU(0%D^835w&hmD@DuTwgMLh1?T?#sXhFf073_;lrNq!M)W{7r3t>L*Z|v5f6TOPuwsq=EY2$|+(j#>{Kg>9kP+a2 zT6f?yySu!G5GT*4ZpZXCsSf+%a>+{}y9C*7j*Yzw#!FsD)y{I=AW~zzwYP|`PWxpV zZXn|1;UYLQG4XUXS#e|p+y*ZD5C77=S)Jxx0{t$h7;t=}MvT52*Bb787P`pgK#RK( z5eBWsXE$R*zp}q}Xrc)-D>h??UOnc23~k(>QK5E=zKk-?m(PKuCNi*!&L*0SZBUKu zb5fH-U&4$n1F8wXf?;|QJ!Z2?9;MvxR6YZ8ltZfjXcr=CP}z;3=u~k;FIL^ z^w|nGn_%}(1S6T6>aWfI~PfX;Gi5dDBPFW#M><$|bk( z`jjE@(cLE94V1o9Ym}2kRldgOt7`u}gtQ(}n?A57eY}7_V+|n;xaPZwRuON39C-d= zb?PsfdZ*sm^eEBXC=-%%h-n>~;d-LUwO|8XDv{aYBxp<=jUx#}2^A$+eMas4!v3=hH7VHlA-1!*7 h&oE8uGVd1w{LYdCX(}2&zgEw{gp@EL7+yJE8CVF6iwyt( delta 1136 zcmZ9}`)?Bk003Y>z^#)Z%nV`BRfIt3X79S*qd*q>xVE?Uu4{Y8wS+yoyFPAhulHDc zZHLqu69-u$W1xV+j2K41=kS5Xz`_D9uxxWg0wbU<8eS@c_zKVYyWhX?jX(EY>F%1M zU<-mAj1vMM*5?IRdoJj-M>{NOPXaQs7$&$344#hwQHjAcu|U8f=JEs=*kV_4BZ#>G zI0WV~XE4PxZFY+)QDRy^B}_?cYU_2160ePLMhF7UIxuF)sj4oH@-beKIcqAJHYIEs 
z#1V?7c{3(=FzxMGKbe7L*d9hZJP9kI0iqCxhCB&5VY3k|3XyJ~LS>@ixKmXrnZ{BI zW1;C}G#ABs?=NFe&Mbt}Y}T4=KwZ%w$hY}OH|zJN?XnxUMFrGnvEphz7x7s%=7c8< zxWEjPDcF6Oi6cpe385l!2Vth-fvg+zPz(_@)iv6EeJyjBF#-U%a_te-v(-^&_v$V2 zb}HBa`$20agwhP?4u}d3)!|7GX3BOfO0WfgX2sX zY;#fpTFje0BHkbyL{d=T0^pEgkCgOtF~R_2`7mbs|A5{GF#ebh4JNZG7S7>%)sz6J ze57a=6$9u5WJ00<(oCo%1gm*5;|FPt=tDvv9%2hfDiNuJJ0d70<&rW;W0puv-ohhr zM~G!eMF>dH?@yRl zK`*W=ej|CBD~@N$+2=dGBun`E%nlL!&=lyw=cky4tYd!&%*Q&7Q+n?;ltC zy;G}9qfePTm)2~Dt2%Ror2{QUz3wyoLFcqOpk4pMwYR&TE=DWH@!6iAc08Oa476P%Um_mJKwzf>{Qq9gJ&A1&zDzjzhXN*5+0rLm-6opJ$Yn0aG>(gt%uL# ztMS{~dn?~s+FjQ3&k{`;^wH4Wr59bhdT%}~+_kp1@*Vn9 zmbU)xcu9J!xTh=hDZSj(WsGdtyr}$xH%=~^eEsuV_bwicc8S-2>ik|X*Cy~ zt#Xo`$Hq&0UNIv3N3E`P&4WG4-~x1Wx4$U;c`iGD^7_Vkf_D#;R7|Tsc$y*WuaflIENGTypWH zeLFGtC(+9F)zcJf`}=B1vh(Zo^MjS#n|se6+Br3G;R+qUKQp{(*AFX(>c3xeq-ppa o>eND{e5T)W{Se!FZS9HHeP3N3xunfZ9Gveh%dF6zI5>RtKkD$hdH?_b diff --git a/services/authentik.nix b/services/authentik.nix index b5f6dd8..0349b87 100644 --- a/services/authentik.nix +++ b/services/authentik.nix @@ -147,11 +147,18 @@ in { AUTHENTIK_POSTGRESQL__HOST = "authentik-db"; AUTHENTIK_POSTGRESQL__NAME = "${user}"; AUTHENTIK_POSTGRESQL__USER = "${user}"; + AUTHENTIK_STORAGE__BACKEND = "s3"; }; exec = "worker"; secrets = [ "AUTHENTIK_POSTGRESQL__PASSWORD,type=env" "AUTHENTIK_SECRET_KEY,type=env" + "AUTHENTIK_STORAGE__S3__ACCESS_KEY,type=env" + "AUTHENTIK_STORAGE__S3__SECRET_KEY,type=env" + "AUTHENTIK_STORAGE__S3__BUCKET_NAME,type=env" + "AUTHENTIK_STORAGE__S3__REGION,type=env" + "AUTHENTIK_STORAGE__S3__ENDPOINT,type=env" + "AUTHENTIK_STORAGE__S3__CUSTOM_DOMAIN,type=env" ]; volumes = [ # Remount media folder into new location based on @@ -178,6 +185,7 @@ in { AUTHENTIK_POSTGRESQL__HOST = "authentik-db"; AUTHENTIK_POSTGRESQL__NAME = "${user}"; AUTHENTIK_POSTGRESQL__USER = "${user}"; + AUTHENTIK_STORAGE__BACKEND = "s3"; }; exec = "server"; secrets = [ 
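Review bot: The six `AUTHENTIK_STORAGE__S3__*` secret entries and the `AUTHENTIK_STORAGE__BACKEND = "s3"` line are copied verbatim into the worker container in `@@ -147` and into the server container in `@@ -178` and `@@ -189`, so the two lists can silently drift the next time a storage key is added or renamed. A shared binding removes the duplication, e.g. `storageSecrets = map (k: "AUTHENTIK_STORAGE__S3__${k},type=env") [ "ACCESS_KEY" "SECRET_KEY" "BUCKET_NAME" "REGION" "ENDPOINT" "CUSTOM_DOMAIN" ];` followed by `secrets = [ … ] ++ storageSecrets;` in each container, with a one-line comment naming why both containers need the same bucket access. The `let … in` header that would hold such a binding is outside these hunks, as is the closing of the worker container's attribute set.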
@@ -189,6 +197,12 @@ in {
 "AUTHENTIK_EMAIL__PASSWORD,type=env"
 "AUTHENTIK_EMAIL__USE_SSL,type=env"
 "AUTHENTIK_EMAIL__FROM,type=env"
+ "AUTHENTIK_STORAGE__S3__ACCESS_KEY,type=env"
+ "AUTHENTIK_STORAGE__S3__SECRET_KEY,type=env"
+ "AUTHENTIK_STORAGE__S3__BUCKET_NAME,type=env"
+ "AUTHENTIK_STORAGE__S3__REGION,type=env"
+ "AUTHENTIK_STORAGE__S3__ENDPOINT,type=env"
+ "AUTHENTIK_STORAGE__S3__CUSTOM_DOMAIN,type=env"
 ];
 # Change from Traefik: publish ports to localhost only via 127.0.0.1
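Review bot: `AUTHENTIK_STORAGE__S3__BUCKET_NAME`, `…REGION`, `…ENDPOINT` and `…CUSTOM_DOMAIN` are plain configuration rather than credentials, yet this hunk routes them through the age-encrypted secrets file together with the access and secret keys, which hides the bucket and endpoint from review (the `.age` delta above is opaque to `git diff`); only the two keys need that treatment. Moving the four plain values into the `environment` set next to `AUTHENTIK_STORAGE__BACKEND = "s3"` keeps the encrypted file limited to what must stay hidden, and the same applies to the worker list in `@@ -147`. Since `type=env` hands the key pair to the container as environment variables, like the existing database password, a comment on those two entries would record the expectation, e.g. `# Long-lived S3 credentials: scope the key's policy to this bucket only.`. The `secrets = [` opening of this list is outside the hunk.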