From d53bf7546a91e3bd70fdbb99a52be1b79818a209 Mon Sep 17 00:00:00 2001
From: cnst
Date: Sun, 5 Oct 2025 10:02:39 +0200
Subject: [PATCH] broken 2
---
 hosts/sobotka/server.nix | 9 ++-------
 modules/server/authentik/default.nix | 28 ++++++++++++++++------------
 2 files changed, 18 insertions(+), 19 deletions(-)
diff --git a/hosts/sobotka/server.nix b/hosts/sobotka/server.nix
index d60b15d0..08323b7c 100644
--- a/hosts/sobotka/server.nix
+++ b/hosts/sobotka/server.nix
@@ -1,5 +1,4 @@
-{ config, ... }:
-{
+{config, ...}: {
 server = {
 enable = true;
 email = "adam@cnst.dev";
@@ -44,10 +43,6 @@
 };
 jellyfin = {
 enable = true;
- cloudflared = {
- tunnelId = "234811e2-bc86-44b2-9abd-493686e25704";
- credentialsFile = config.age.secrets.jellyfinCloudflared.path;
- };
 };
 uptime-kuma = {
 enable = true;
@@ -94,7 +89,7 @@
 gluetun.enable = true;
 qbittorrent = {
 enable = true;
- port = 8387;
+ port = 8080;
 };
 slskd = {
 enable = true;
diff --git a/modules/server/authentik/default.nix b/modules/server/authentik/default.nix
index c4c5e472..2a456419 100644
--- a/modules/server/authentik/default.nix
+++ b/modules/server/authentik/default.nix
@@ -4,13 +4,11 @@
 pkgs,
 self,
 ...
-}:
-let
+}: let
 unit = "authentik";
 cfg = config.server.${unit};
 srv = config.server;
-in
-{
+in {
 options.server.${unit} = {
 enable = lib.mkEnableOption {
 description = "Enable ${unit}";
@@ -55,9 +53,15 @@ in
 age.secrets = {
 authentikEnv = {
 file = "${self}/secrets/authentikEnv.age";
+ owner = "authentik";
+ group = "authentik";
+ mode = "0400";
 };
 authentikCloudflared = {
 file = "${self}/secrets/authentikCloudflared.age";
+ owner = "authentik";
+ group = "authentik";
+ mode = "0400";
 };
 };
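Review bot: In the `authentikCloudflared` entry, `owner = "authentik"` with `mode = "0400"` leaves the tunnel credentials readable by that one account only, and nothing in this hunk shows that the process reading the file runs as `authentik`; if the tunnel runs under its own service account it loses access to its credentials. Give that secret the owner of the unit that actually reads it and record the reason, e.g. `# read by <tunnel unit>; owner must match that unit's User=`. For `authentikEnv`, if the unit loads it through systemd's `EnvironmentFile=`, the file is read by the service manager before privileges are dropped, so the root-owned agenix default would be the tighter choice. Both entries also presume a static `authentik` user and group exist at activation, which is defined (if at all) outside this hunk.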
@@ -106,14 +110,14 @@ in
 "X-authentik-username"
 "X-authentik-groups"
 "X-authentik-email"
- # "X-authentik-name"
- # "X-authentik-uid"
+ "X-authentik-name"
+ "X-authentik-uid"
 "X-authentik-jwt"
- # "X-authentik-meta-jwks"
- # "X-authentik-meta-outpost"
- # "X-authentik-meta-provider"
- # "X-authentik-meta-app"
- # "X-authentik-meta-version"
+ "X-authentik-meta-jwks"
+ "X-authentik-meta-outpost"
+ "X-authentik-meta-provider"
+ "X-authentik-meta-app"
+ "X-authentik-meta-version"
 ];
 timeout = "10s";
 };
@@ -130,7 +134,7 @@ in
 routers = {
 auth = {
- entryPoints = [ "websecure" ];
+ entryPoints = ["websecure"];
 rule = "Host(`${cfg.url}`) || HostRegexp(`{subdomain:[a-z0-9]+}.${srv.www.url}`) && PathPrefix(`/outpost.goauthentik.io/`)";
 service = "auth";
 tls.certResolver = "letsencrypt";
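Review bot: Uncommenting `X-authentik-name`, `X-authentik-uid` and all five `X-authentik-meta-*` entries makes what looks like the forward-auth header list pass the full identity and outpost metadata to every backend behind it, where the visible part of the list previously stopped at username, groups, email and jwt. If this was widened to debug the broken setup, trim it back to what a backend actually reads and document the list with a comment such as `# copied onto upstream requests; list only headers a backend consumes`. Any backend that trusts these headers for identity has to be reachable only through the proxy, since a client that reaches it directly can set them itself. The list and its middleware definition start above the hunk.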