Add user setup script

modules/server/containers/apps/authentik.nix

@@ -79,45 +79,12 @@ in {
 
 
   setup = {
-    trigger="worker";
+    trigger = "worker";
     script = pkgs.writeShellScript "setup" ''
       # Define the command wrapper
-      AK="${pkgs.podman}/bin/podman --events-backend=none exec -u root authentik-worker ak"
-
-      $AK shell <<EOF
-from authentik.core.models import Group
-
-groups = ["admin", "cloud"]
-for name in groups:
-  Group.objects.get_or_create(name=name)
-EOF
-      
-      $AK shell <<EOF
-from authentik.core.models import User, Group
-from authentik.managed.models import ManagedObject
-
-# 1. Create the custom admin user
-user, created = User.objects.get_or_create(
-  username="your_admin_name",
-  defaults={
-    "name": "System Administrator",
-    "email": "admin@test.helcel.net",
-    "is_superuser": True,
-    "is_staff": True,
-  }
-)
-user.set_password("your_secure_password")
-user.save()
-
-admin_group = Group.objects.get(name="admin")
-user.ak_groups.add(admin_group)
-
-ManagedObject.objects.get_or_create(
-  identifier="initial-setup-complete",
-  defaults={"model": "authentik_core.user"}
-)
-EOF
+      AK="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.hostDomain} -u root authentik-worker ak"
 
+      $AK apply_blueprint /blueprints/custom/authentik.yaml
       $AK apply_blueprint /blueprints/custom/traefik.yaml
       ${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''}
 

modules/server/containers/apps/nextcloud.nix

@@ -57,10 +57,10 @@ in {
   };
 
   setup = {
-    trigger="server";
+    trigger = "server";
     script = pkgs.writeShellScript "setup" ''
       # Define the command wrapper
-      OCC="${pkgs.podman}/bin/podman --events-backend=none exec -u www-data nextcloud-server php occ"
+      OCC="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.hostDomain} -u www-data nextcloud-server php occ"
 
       echo "Waiting for Nextcloud container to start..."
       until $OCC status > /dev/null 2>&1; do
@@ -71,10 +71,11 @@ in {
       if [ -z "$INSTALLED" ]; then
         echo "Running first-time setup..."
         
-        # $OCC maintenance:install \
-        #   --admin-user "admin" \
-        #   --admin-pass "adminpassword"
-
+        $OCC maintenance:install \
+          --admin-user "$DEFAULT_ADMIN_USERNAME" \
+          --admin-pass "$DEFAULT_ADMIN_PASSWORD"
+      fi
+      if [ -z "$INSTALLED" ]; then
         echo "Applying Settings..."
         
         $OCC config:system:set default_phone_region --value="CH"

modules/server/containers/data/authentik/authentik.yaml

@@ -0,0 +1,62 @@
+version: 1
+metadata:
+  name: "Initial User Setup"
+  labels:
+    blueprint-type: core
+entries:
+  # Locate the binding for the root user setup flow and disable it
+  - model: authentik_flows.flowstagebinding
+    identifiers:
+      target: "ak-root-user-fill"
+    attrs:
+      enabled: false
+
+  # Optionally, disable the default enrollment flow entirely
+  - model: authentik_flows.flow
+    identifiers:
+      slug: "default-enrollment-flow"
+    attrs:
+      designation: "enrollment"
+      enabled: false
+  # --- GROUPS ---
+  - model: authentik_core.group
+    identifiers:
+      name: "admin"
+    attrs:
+      is_superuser: true
+
+  - model: authentik_core.group
+    identifiers:
+      name: "cloud"
+    attrs:
+      is_superuser: false
+
+  - model: authentik_core.group
+    identifiers:
+      name: "dev"
+    attrs:
+      is_superuser: false
+
+  - model: authentik_core.group
+    identifiers:
+      name: "flix"
+    attrs:
+      is_superuser: false
+
+  - model: authentik_core.group
+    identifiers:
+      name: "family"
+    attrs:
+      is_superuser: false
+
+  # --- ADMIN USERS ---
+  - model: authentik_core.user
+    identifiers:
+      username: !env [DEFAULT_ADMIN_USERNAME]
+    attrs:
+      name: !env [DEFAULT_ADMIN_USERNAME]
+      email: "{{ env('DEFAULT_ADMIN_USERNAME') }}@{{ env('DOMAIN') }}"
+      password: !env [DEFAULT_ADMIN_PASSWORD]
+      path: "users"
+      groups:
+        - name: "admin"

modules/server/containers/default.nix

@@ -57,6 +57,7 @@ in
           serviceConfig = {
             Type = "oneshot";
             TimeoutStartSec = "360s";
+            EnvironmentFile = lib.mkIf (containerSet.setup.envFile != null) containerSet.setup.envFile;
             ExecStart = "${containerSet.setup.script}";
             RemainAfterExit = true;
             User = "root";

modules/server/sops/default.nix

@@ -6,7 +6,10 @@ let
   allApps = lib.unique (listNames ++ containerNames);
 in{
     sops.secrets = {
-      CUSTOM = { sopsFile = ./server.yaml; };
+      CUSTOM = { 
+        mode = "0644";
+        sopsFile = ./server.yaml; 
+      };
     } // (lib.genAttrs (map (name: lib.toUpper name) allApps) (name: {
       owner = "postgres";
       mode = "0644";

modules/server/sops/server.yaml

@@ -1,4 +1,4 @@
-CUSTOM: ENC[AES256_GCM,data:HYYOJP3ZzRWS,iv:BVwIJzfHzOxbKTrcA0yajCfIJkEjRXcztk3naqiqf6g=,tag:feuz1VIj0QWX7PpQRFO6iw==,type:str]
+CUSTOM: ENC[AES256_GCM,data:PqkznntPxY6bbCZWfTubhmrg1VUoKAxk8g+VnjrTOEVDm05nnVVyd7yIoxwtk8AyZGi6xTpmTJGsxrVSdg==,iv:Qn7ml9LHoQk9W0/lVuFtkWdjqBUFDTsZcqbIKfZuvIM=,tag:kTiTQAFnmPkMB9ZQ3omCcA==,type:str]
 TRAEFIK: ENC[AES256_GCM,data:Ei+/OL7xwNaOEg3rSaz95N78nvp51lC63XCplNzeD+bBMGcK9G7HoyQxfpaJ7S0MkuMW0ZXT2nJ4GES40GoJCZIrnEiSBm2tpjDfNjlS/rFwxx0wVfM1nsEuBf3pL5dqiCNa9+Lad2Cd,iv:d1MH0ive+E8xuUK0CIOXZeEigHJKVGlFaq0iH4KSbZA=,tag:VTARuNeotr2I0+fdOk+iqA==,type:str]
 AUTHENTIK: ENC[AES256_GCM,data:dZ+Kf85ZjaZ82coYNeNOXe5zfD2M9rEeOB6jDNoaKmo3jMABhnha+iBvYJTI2NltkGzymPJQI+JV8F6GdT1l6cqcR8p0nNjQjS1BMk0rR7n8RCp6MazUTJuIjbEq6zEUrA4SXquw5gZDEp4FLo010PhoLaLinHg8OoqzjDsTxdcKevbQWmZeefDBrwXWpz6BlkRIQA3KazVb0w7l1jDTIkozUIWbvtvtk5ccGjzx3b+wCC36QYFcHHtPvFZwMDHzFPVBd90hWc/BwFfvCExONmH0S7GLFTp7I5NsBnWpT0AHUHHc5PlSR2dUy9H2DZ3IkORdNVzOaqESbYKymuWTQBDQuyI9IJdt4Cac0CV9i6p8rFXL6fQyQKZ9djHX8orpyCUeJXqFs8I6et+IzpTeZcmdv/76Q9tomBBi4k4PRMXpeff8Bn02bOSb7RSaj5NVeWxIhZkh3sEXUeva5/yrAYT30mrLpbwzWoCaKrPCPLIcFxvNrYxPUo6kVVz1jSlBurvcKefbreJGqA==,iv:Hj7aBfDLSqRBzueN8b9F9TutpjMESFloqrnirSmnH9U=,tag:1ikt1JvuhIZCx68nh/VzMA==,type:str]
 NEXTCLOUD: ENC[AES256_GCM,data:IWitzubILQ5SrGdO3UQZboisqAECt5lXOqHVg4yAKxedG7ZLOgVp6jPV+4VVDC13KEkxIsiYjjNvjqnOXCdYWQIC13YZ+o2IBDI9PgavBB3nmjfi0Q7BVki6C8qCtbM5H9uFlQ3h7rkPyEbE3pHa3dY5uwgdtmvw3qKf2UAZGIJCU7dKamjuTCucGitOEG434jFQik9duHZs7EV3AZrkLXqOfdvftvdpciDb/4/K7h/4uEYSXJ94Lf0b16/NRUcR,iv:1UvcbqC3hJEHU9t6Z+N226DTJEcgM315ynYkxPKpYSM=,tag:FGkXlUw+7LRu1/cpMys7OA==,type:str]
@@ -24,8 +24,8 @@ sops:
             S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk
             d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-05-09T10:54:06Z"
-    mac: ENC[AES256_GCM,data:7isR8oE5Zmx2lwSWaabGVTpWhkNkiHueSn0iVzPiGu8gReeJVlb21n2OO2JduSHMMH1pc+LNrugpRvwlGKK1OlaGPe6nYtEki2jkgn2hwnD7Q/6kTz8GoqGzWyWUbG/Y+1KsMoQb9KgfcKcOh4JLJAyNw+mgeKeD+nhWVTJY8ww=,iv:9k/HQFhM5VKi7PUkLSqk8o5TUg9e/OCs9MdeqZYpKm0=,tag:ZQJBJ60+IYufctZYMa3Oug==,type:str]
+    lastmodified: "2026-05-10T19:12:54Z"
+    mac: ENC[AES256_GCM,data:8fTlz4gYNi2grMD7PcvmNDWvXUaVU0XXNKHaCZiYc4K8vIU8CwetMb0Xq4HkfS68uyxv+3GGMexHeNiCjhEMYyja4lLHbsrJ7ypqoyZcHHfvd1aY/tqYwI5LnOaEVNZI34XFrnKdShMyeMQECz/TM9fU7rYzAWUn0E67Z192i/M=,iv:0UvfOUj/tGHIx5OjL15Y5YlrFdYseqt3FRaf6PHxF00=,tag:yVaaFFD3AHwj2QnQwSrINw==,type:str]
     pgp:
         - created_at: "2026-05-05T23:46:27Z"
           enc: |-