Merge pull request #86 from nix-community/authentik-2025.12

update: 2025.10.3 -> 2025.12.1
2026-01-24 10:48:14 +01:00 · 2026-01-24 10:48:14 +01:00 · 1cab906a5c
commit 1cab906a5c
parent 94c544f6cd 801ff190cf
13 changed files with 121 additions and 128 deletions
--- a/TODO.md
+++ b/TODO.md
@ -1,5 +1,3 @@
 # TODOs

-* provide separate packages / modules for outposts
-* configure github checks
 * add some more subtests to VM test
--- a/components/0002-admin-file-dir-doesn-t-have-to-be-a-mountpoint.patch
+++ b/components/0002-admin-file-dir-doesn-t-have-to-be-a-mountpoint.patch
@ -0,0 +1,24 @@
+From 2f51711b64204d090ad8cd6b2ef19fd11a1a6469 Mon Sep 17 00:00:00 2001
+From: Maximilian Bosch <maximilian@mbosch.me>
+Date: Fri, 16 Jan 2026 21:50:11 +0100
+Subject: [PATCH 2/2] admin: file dir doesn't have to be a mountpoint
+
+---
+ authentik/admin/files/backends/file.py | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/authentik/admin/files/backends/file.py b/authentik/admin/files/backends/file.py
+index 7858ed5e9b..8a6d55ce64 100644
+--- a/authentik/admin/files/backends/file.py
+++ b/authentik/admin/files/backends/file.py
+@@ -47,7 +47,6 @@ class FileBackend(ManageableBackend):
+     def manageable(self) -> bool:
+         return (
+             self.base_path.exists()
+-            and (self._base_dir.is_mount() or (self._base_dir / self.usage.value).is_mount())
+             or (settings.DEBUG or settings.TEST)
+         )
+ 
+-- 
+2.51.2
+
--- a/components/authentik_media_tenant_files_migration.patch
+++ b/components/authentik_media_tenant_files_migration.patch
@ -1,15 +0,0 @@
-diff --git a/lifecycle/system_migrations/tenant_files.py b/lifecycle/system_migrations/tenant_files.py
-index 40795d460..7ac1efb34 100644
--- a/lifecycle/system_migrations/tenant_files.py
-+++ b/lifecycle/system_migrations/tenant_files.py
-@@ -2,8 +2,9 @@
- from pathlib import Path
- 
- from lifecycle.migrate import BaseMigration
-+from authentik.lib.config import CONFIG
- 
-MEDIA_ROOT = Path(__file__).parent.parent.parent / "media"
-+MEDIA_ROOT = Path(CONFIG.get("storage.media.file.path"))
- TENANT_MEDIA_ROOT = MEDIA_ROOT / "public"
- 
- 
--- a/components/authentik_media_upload.patch
+++ b/components/authentik_media_upload.patch
@ -1,11 +0,0 @@
-diff --git a/authentik/api/v3/config.py b/authentik/api/v3/config.py
--- a/authentik/api/v3/config.py
-+++ b/authentik/api/v3/config.py
-@@ -71,6 +71,7 @@ class ConfigView(APIView):
-         if (
-             CONFIG.get("storage.media.backend", "file") == "s3"
-             or Path(settings.STORAGES["default"]["OPTIONS"]["location"]).is_mount()
-+            or CONFIG.get_bool("media.enable_upload")
-             or deb_test
-         ):
-             caps.append(Capabilities.CAN_SAVE_MEDIA)
--- a/components/docs-extra-package-locks/js-fetch-npm-shrinkwrap.json
+++ b/components/docs-extra-package-locks/js-fetch-npm-shrinkwrap.json
@ -4,57 +4,58 @@
  "lockfileVersion": 1,
  "requires": true,
  "dependencies": {
-    "asynckit": {
-      "version": "0.4.0",
-      "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz",
-      "integrity": "sha1-x57Zf380y48robyXkLzDZkdLS3k=",
+    "data-uri-to-buffer": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/data-uri-to-buffer/-/data-uri-to-buffer-4.0.1.tgz",
+      "integrity": "sha512-0R9ikRb668HB7QDxT1vkpuUBtqc53YyAwMwGeUFKRojY/NWKvdZ+9UYtRfGmhqNbRkTSVpMbmyhXipFFv2cb/A==",
      "dev": true
    },
-    "combined-stream": {
-      "version": "1.0.8",
-      "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz",
-      "integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==",
+    "fetch-blob": {
+      "version": "3.2.0",
+      "resolved": "https://registry.npmjs.org/fetch-blob/-/fetch-blob-3.2.0.tgz",
+      "integrity": "sha512-7yAQpD2UMJzLi1Dqv7qFYnPbaPx7ZfFK6PiIxQ4PfkGPyNyl2Ugx+a/umUonmKqjhM4DnfbMvdX6otXq83soQQ==",
      "dev": true,
      "requires": {
-        "delayed-stream": "~1.0.0"
+        "node-domexception": "^1.0.0",
+        "web-streams-polyfill": "^3.0.3"
      }
    },
-    "delayed-stream": {
+    "formdata-node": {
+      "version": "6.0.3",
+      "resolved": "https://registry.npmjs.org/formdata-node/-/formdata-node-6.0.3.tgz",
+      "integrity": "sha512-8e1++BCiTzUno9v5IZ2J6bv4RU+3UKDmqWUQD0MIMVCd9AdhWkO1gw57oo1mNEX1dMq2EGI+FbWz4B92pscSQg==",
+      "dev": true
+    },
+    "formdata-polyfill": {
+      "version": "4.0.10",
+      "resolved": "https://registry.npmjs.org/formdata-polyfill/-/formdata-polyfill-4.0.10.tgz",
+      "integrity": "sha512-buewHzMvYL29jdeQTVILecSaZKnt/RJWjoZCF5OW60Z67/GmSLBkOFM7qh1PI3zFNtJbaZL5eQu1vLfazOwj4g==",
+      "dev": true,
+      "requires": {
+        "fetch-blob": "^3.1.2"
+      }
+    },
+    "node-domexception": {
      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz",
-      "integrity": "sha1-3zrhmayt+31ECqrgsp4icrJOxhk=",
+      "resolved": "https://registry.npmjs.org/node-domexception/-/node-domexception-1.0.0.tgz",
+      "integrity": "sha512-/jKZoMpw0F8GRwl4/eLROPA3cfcXtLApP0QzLmUT/HuPCZWyB7IY9ZrMeKw2O/nFIqPQB3PVM9aYm0F312AXDQ==",
      "dev": true
    },
-    "form-data": {
-      "version": "2.5.1",
-      "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.5.1.tgz",
-      "integrity": "sha512-m21N3WOmEEURgk6B9GLOE4RuWOFf28Lhh9qGYeNlGq4VDXUlJy2th2slBNU8Gp8EzloYZOibZJ7t5ecIrFSjVA==",
-      "dev": true,
-      "requires": {
-        "asynckit": "^0.4.0",
-        "combined-stream": "^1.0.6",
-        "mime-types": "^2.1.12"
-      }
-    },
-    "mime-db": {
-      "version": "1.44.0",
-      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.44.0.tgz",
-      "integrity": "sha512-/NOTfLrsPBVeH7YtFPgsVWveuL+4SjjYxaQ1xtM1KMFj7HdxlBlxeyNLzhyJVx7r4rZGJAZ/6lkKCitSc/Nmpg==",
-      "dev": true
-    },
-    "mime-types": {
-      "version": "2.1.27",
-      "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.27.tgz",
-      "integrity": "sha512-JIhqnCasI9yD+SsmkquHBxTSEuZdQX5BuQnS2Vc7puQQQ+8yiP5AY5uWhpdv4YL4VM5c6iliiYWPgJ/nJQLp7w==",
-      "dev": true,
-      "requires": {
-        "mime-db": "1.44.0"
-      }
-    },
    "node-fetch": {
-      "version": "2.6.7",
-      "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.7.tgz",
-      "integrity": "sha512-ZjMPFEfVx5j+y2yF35Kzx5sF7kDzxuDj6ziH4FFbOp87zKDZNx8yExJIb05OGF4Nlt9IHFIMBkRl41VdvcNdbQ==",
+      "version": "3.3.2",
+      "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-3.3.2.tgz",
+      "integrity": "sha512-dRB78srN/l6gqWulah9SrxeYnxeddIG30+GOqK/9OlLVyLg3HPnr6SqOWTWOXKRwC2eGYCkZ59NNuSgvSrpgOA==",
+      "dev": true,
+      "requires": {
+        "data-uri-to-buffer": "^4.0.0",
+        "fetch-blob": "^3.1.4",
+        "formdata-polyfill": "^4.0.10"
+      }
+    },
+    "node-fetch2": {
+      "version": "npm:node-fetch@2.7.0",
+      "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.7.0.tgz",
+      "integrity": "sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==",
      "dev": true,
      "requires": {
        "whatwg-url": "^5.0.0"
@ -66,6 +67,12 @@
      "integrity": "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw==",
      "dev": true
    },
+    "web-streams-polyfill": {
+      "version": "3.3.3",
+      "resolved": "https://registry.npmjs.org/web-streams-polyfill/-/web-streams-polyfill-3.3.3.tgz",
+      "integrity": "sha512-d2JWLCivmZYTSIoge9MsgFCZrt571BikcWGYkjC1khllbTeDlGqZ2D8vD8E/lJa8WGWbb7Plm8/XJYV7IJHZZw==",
+      "dev": true
+    },
    "webidl-conversions": {
      "version": "3.0.1",
      "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz",
--- a/components/docs-extra-package-locks/nodejs-native-npm-shrinkwrap.json
+++ b/components/docs-extra-package-locks/nodejs-native-npm-shrinkwrap.json
@ -48,23 +48,15 @@
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg=="
    },
-    "lru-cache": {
-      "version": "6.0.0",
-      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-6.0.0.tgz",
-      "integrity": "sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA==",
-      "requires": {
-        "yallist": "^4.0.0"
-      }
-    },
    "mime-db": {
      "version": "1.52.0",
      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz",
      "integrity": "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg=="
    },
    "mime-format": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/mime-format/-/mime-format-2.0.1.tgz",
-      "integrity": "sha512-XxU3ngPbEnrYnNbIX+lYSaYg0M01v6p2ntd2YaFksTu0vayaw5OJvbdRyWs07EYRlLED5qadUZ+xo+XhOvFhwg==",
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/mime-format/-/mime-format-2.0.2.tgz",
+      "integrity": "sha512-Y5ERWVcyh3sby9Fx2U5F1yatiTFjNsqF5NltihTWI9QgNtr5o3dbCZdcKa1l2wyfhnwwoP9HGNxga7LqZLA6gw==",
      "requires": {
        "charset": "^1.0.0"
      }
@ -78,9 +70,9 @@
      }
    },
    "postman-collection": {
-      "version": "4.4.0",
-      "resolved": "https://registry.npmjs.org/postman-collection/-/postman-collection-4.4.0.tgz",
-      "integrity": "sha512-2BGDFcUwlK08CqZFUlIC8kwRJueVzPjZnnokWPtJCd9f2J06HBQpGL7t2P1Ud1NEsK9NHq9wdipUhWLOPj5s/Q==",
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/postman-collection/-/postman-collection-5.0.0.tgz",
+      "integrity": "sha512-1LK795Atv/ZX3jK1MCTx9KCBz0rAiIJJhTLqnJ4AsXLiLSqJuAH1w5jI1CQzHVLpPFg6E8Rl4tQIhF0eBgKNQQ==",
      "requires": {
        "@faker-js/faker": "5.5.3",
        "file-type": "3.9.0",
@ -88,19 +80,19 @@
        "iconv-lite": "0.6.3",
        "liquid-json": "0.3.1",
        "lodash": "4.17.21",
-        "mime-format": "2.0.1",
+        "mime-format": "2.0.2",
        "mime-types": "2.1.35",
-        "postman-url-encoder": "3.0.5",
-        "semver": "7.5.4",
+        "postman-url-encoder": "3.0.6",
+        "semver": "7.7.1",
        "uuid": "8.3.2"
      }
    },
    "postman-url-encoder": {
-      "version": "3.0.5",
-      "resolved": "https://registry.npmjs.org/postman-url-encoder/-/postman-url-encoder-3.0.5.tgz",
-      "integrity": "sha512-jOrdVvzUXBC7C+9gkIkpDJ3HIxOHTIqjpQ4C1EMt1ZGeMvSEpbFCKq23DEfgsj46vMnDgyQf+1ZLp2Wm+bKSsA==",
+      "version": "3.0.6",
+      "resolved": "https://registry.npmjs.org/postman-url-encoder/-/postman-url-encoder-3.0.6.tgz",
+      "integrity": "sha512-uOlnZW+4Cmpbfbuq02hdj1hSpcIFmQxlAwsO6dflwUIVpt9+1duYVxXv3ikf+wHrAO8Wy98uVKnnuR8R0Qpdng==",
      "requires": {
-        "punycode": "^2.1.1"
+        "punycode": "^2.3.1"
      }
    },
    "punycode": {
@ -114,22 +106,14 @@
      "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg=="
    },
    "semver": {
-      "version": "7.5.4",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-7.5.4.tgz",
-      "integrity": "sha512-1bCSESV6Pv+i21Hvpxp3Dx+pSD8lIPt8uVjRrxAUt/nbswYc+tK6Y2btiULjd4+fnq15PX+nqQDC7Oft7WkwcA==",
-      "requires": {
-        "lru-cache": "^6.0.0"
-      }
+      "version": "7.7.1",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.1.tgz",
+      "integrity": "sha512-hlq8tAfn0m/61p4BVRcPzIGr6LKiMwo4VM6dGi6pt4qcRkmNzTcWq6eCEjEh+qXjkMDvPlOFFSGwQjoEa6gyMA=="
    },
    "uuid": {
      "version": "8.3.2",
      "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
      "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg=="
-    },
-    "yallist": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/yallist/-/yallist-4.0.0.tgz",
-      "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A=="
    }
  }
 }
--- a/components/docs-extra-package-locks/postman-cli-npm-shrinkwrap.json
+++ b/components/docs-extra-package-locks/postman-cli-npm-shrinkwrap.json
@ -0,0 +1,5 @@
+{
+  "name": "@postman/codegen-postman-cli",
+  "version": "0.0.1",
+  "lockfileVersion": 1
+}
--- a/components/docs.nix
+++ b/components/docs.nix
@ -64,7 +64,7 @@ buildNapalmPackage "${authentik-src}/website" {
  # $ cd postman-code-generators
  # $ git checkout v[version-from-lockfile]
  # $ cd codegens/ 
-  # $ for f in **/npm-shrinkfile.json; do cp "$f" "[this projects root]/comonents/docs-extra-package-locks/${f//\//-}"
+  # $ for f in **/npm-shrinkwrap.json; do cp "$f" "[this projects root]/components/docs-extra-package-locks/${f//\//-}"; done
  #
  #

--- a/components/gopkgs.nix
+++ b/components/gopkgs.nix
@ -2,19 +2,21 @@
  authentik-src,
  authentik-version,
  authentikComponents,
-  buildGo124Module,
+  buildGo125Module,
  lib,
  makeWrapper,
  guacamole-server,
  stdenv,
+  patches,
 }:

 let
  guacamoleAvailable = lib.meta.availableOn stdenv.hostPlatform guacamole-server;
 in
-buildGo124Module {
+buildGo125Module {
  pname = "authentik-gopkgs";
  version = authentik-version;
+  inherit patches;
  prePatch = ''
    sed -i"" -e 's,./web/dist/,${authentikComponents.frontend}/dist/,' web/static.go
    sed -i"" -e 's,./web/dist/,${authentikComponents.frontend}/dist/,' internal/web/static.go
@ -61,7 +63,7 @@ buildGo124Module {
  ] ++ lib.optionals guacamoleAvailable [
    "cmd/rac"
  ];
-  vendorHash = "sha256-m2shrCwoVdbtr8B83ZcAyG+J6dEys2xdjtlfFFF4CDo=";
+  vendorHash = "sha256-u/kAqDCeWHPaw/0+lQ9U6/pHSgdANOeflQLVgUV64Vs=";
  nativeBuildInputs = [ makeWrapper ];
  doCheck = false;
  postInstall = ''
--- a/components/staticWorkdirDeps.nix
+++ b/components/staticWorkdirDeps.nix
@ -3,15 +3,13 @@
  authentikComponents,
  linkFarm,
  applyPatches,
+  patches,
 }:
 let
  patched-src = applyPatches {
    src = authentik-src;
    name = "patched-authentik-source";
-    patches = [
-      ./authentik_media_upload.patch
-      ./authentik_media_tenant_files_migration.patch
-    ];
+    inherit patches;
  };
 in
 linkFarm "authentik-static-workdir-deps" [
--- a/flake.lock
+++ b/flake.lock
@ -3,16 +3,16 @@
    "authentik-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1765907481,
-        "narHash": "sha256-d0pPNE2T30COdFse0T15Mx8XW4BGg8hgPQvmW2dAV9s=",
-        "owner": "goauthentik",
+        "lastModified": 1768596569,
+        "narHash": "sha256-HDTbQB/sMhYh2b95dQwzF8OgrwLWdl4hVmx6wtDcgE8=",
+        "owner": "ma27",
        "repo": "authentik",
-        "rev": "0d617e4ad1eb9e4540ba5381e6ce06e971affc63",
+        "rev": "72ad5fe320f2201fc2a37372d4c9cb46377a58e5",
        "type": "github"
      },
      "original": {
-        "owner": "goauthentik",
-        "ref": "version/2025.10.3",
+        "owner": "ma27",
+        "ref": "2025.12.1-dependency-fix",
        "repo": "authentik",
        "type": "github"
      }
@ -97,11 +97,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1765779637,
-        "narHash": "sha256-KJ2wa/BLSrTqDjbfyNx70ov/HdgNBCBBSQP3BIzKnv4=",
+        "lastModified": 1768305791,
+        "narHash": "sha256-AIdl6WAn9aymeaH/NvBj0H9qM+XuAuYbGMZaP0zcXAQ=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "1306659b587dc277866c7b69eb97e5f07864d8c4",
+        "rev": "1412caf7bf9e660f2f962917c14b1ea1c3bc695e",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -42,7 +42,8 @@
    };
    authentik-src = {
      # change version string in outputs as well when updating
-      url = "github:goauthentik/authentik/version/2025.10.3";
+      #url = "github:goauthentik/authentik/version/2025.12.1";
+      url = "github:ma27/authentik/2025.12.1-dependency-fix";
      flake = false;
    };
  };
@ -67,7 +68,7 @@
        ...
      }:
      let
-        authentik-version = "2025.10.3"; # to pass to the drvs of some components
+        authentik-version = "2025.12.1"; # to pass to the drvs of some components
      in
      {
        systems = import inputs.systems;
@ -129,6 +130,10 @@
                # for uv2nix
                pythonOverlay = final.callPackage ./components/python-overrides.nix { };

+                patches = [
+                  ./components/0002-admin-file-dir-doesn-t-have-to-be-a-mountpoint.patch
+                ];
+
                inherit
                  authentik-src
                  authentik-version
@ -164,15 +169,15 @@

              terraform-provider-authentik = inputs.nixpkgs.legacyPackages.${system}.buildGoModule rec {
                pname = "terraform-provider-authentik";
-                version = "2025.10.0";
+                version = "2025.12.0";
                src = pkgs.fetchFromGitHub {
                  owner = "goauthentik";
                  repo = pname;
                  rev = "v${version}";
-                  sha256 = "sha256-w5XBAeUKGui4pnDikIWuN/dWLDqKXVsQ5glZX1o1934=";
+                  sha256 = "sha256-1a8HaOqTckkbbHLM58L+LY1eCp8+sVkuOmAw7xljpTU=";
                };
                doCheck = false; # tests are run against authentik -> vm test
-                vendorHash = "sha256-jy+SBlbXnr+k03fJM8eA0DLN8LFqGIBrYIq9fPmqSaw=";
+                vendorHash = "sha256-LvXWlmCBXnHElZyTKpKPwfXgT53HpR+Bc5XjkB7bM/A=";
                postInstall = ''
                  path="$out/libexec/terraform-providers/registry.terraform.io/goauthentik/authentik/${version}/''${GOOS}_''${GOARCH}/"
                  mkdir -p "$path"
--- a/module.nix
+++ b/module.nix
@ -323,10 +323,9 @@ in
            storage.media = {
              backend = mkDefault "file";
              file = mkDefault {
-                path = "/var/lib/authentik/media";
+                path = "/var/lib/authentik";
              };
            };
-            media.enable_upload = mkDefault true;
          };
          postgresql = mkIf cfg.createDatabase {
            enable = true;
@ -428,9 +427,6 @@ in
            restartTriggers = [ config.environment.etc."authentik/config.yml".source ];
            preStart = ''
              ln -svf ${cfg.authentikComponents.staticWorkdirDeps}/* /var/lib/authentik/
-              ${optionalString (cfg.settings.storage.media.backend == "file") ''
-                mkdir -p ${cfg.settings.storage.media.file.path}
-              ''}
            '';
            environment = mkMerge [
              environment