update: 2024.2.3 -> 2024.4.1

Release notes: https://docs.goauthentik.io/docs/releases/2024.4

Notable dependency updates:
python 3.11 -> python 3.12
golang 1.21 -> golang 1.22
nixpkgs-23.11 -> nixpkgs-unstable (for golang 1.22 until 24.05)

Introduces patch to `web/package-lock.json`, see `components/frontend.nix`,
this will cause IFD until the issue is resolved.
https://nixos.org/manual/nix/stable/language/import-from-derivation

Flake lock file updates:

• Updated input 'authentik-src':
    'github:goauthentik/authentik/6bb180f94ec124092c4f87ae5f5d892a70b32ff3' (2024-04-17)
  → 'github:goauthentik/authentik/ca70c963e55daf73b479a4513da06ac5cea77718' (2024-04-26)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/53a2c32bc66f5ae41a28d7a9a49d321172af621e' (2024-04-15)
  → 'github:NixOS/nixpkgs/6143fc5eeb9c4f00163267708e26191d1e918932' (2024-04-21)
• Updated input 'poetry2nix':
    'github:nix-community/poetry2nix/3c92540611f42d3fb2d0d084a6c694cd6544b609' (2024-02-22)
  → 'github:nix-community/poetry2nix/9245811b58905453033f1ef551f516cbee71c42c' (2024-04-26)

components/docs.nix

@@ -11,8 +11,9 @@ buildNapalmPackage "${authentik-src}/website" {
   npmCommands = [
     "cp -v ${authentik-src}/SECURITY.md ../SECURITY.md"
     "cp -vr ${authentik-src}/blueprints ../blueprints"
+    "cp -v ${authentik-src}/schema.yml ../schema.yml"
     "npm install --include=dev"
-    "npm run build-docs-only"
+    "npm run build-bundled"
   ];
   installPhase = ''
     rm -r ../website/node_modules/.cache

components/frontend-package-lock-json-missing-integrity-infos.patch

@@ -0,0 +1,25 @@
+diff --git a/web/package-lock.json b/web/package-lock.json
+--- a/web/package-lock.json
++++ b/web/package-lock.json
+@@ -6663,7 +6663,9 @@
+             "license": "MIT",
+             "dependencies": {
+                 "type-fest": "^2.19.0"
+-            }
++            },
++            "resolved": "https://registry.npmjs.org/@storybook/csf/-/csf-0.1.2.tgz",
++            "integrity": "sha512-ePrvE/pS1vsKR9Xr+o+YwdqNgHUyXvg+1Xjx0h9LrVx7Zq4zNe06pd63F5EvzTbCbJsHj7GHr9tkiaqm7U8WRA=="
+         },
+         "node_modules/@storybook/csf-plugin": {
+             "version": "8.0.8",
+@@ -8654,7 +8656,9 @@
+         "node_modules/@types/find-cache-dir": {
+             "version": "3.2.1",
+             "dev": true,
+-            "license": "MIT"
++            "license": "MIT",
++            "resolved": "https://registry.npmjs.org/@types/find-cache-dir/-/find-cache-dir-3.2.1.tgz",
++            "integrity": "sha512-frsJrz2t/CeGifcu/6uRo4b+SzAwT4NYCVPu1GN8IB9XTzrpPkGuV0tmh9mN+/L0PklAlsC3u5Fxt0ju00LXIw=="
+         },
+         "node_modules/@types/grecaptcha": {
+             "version": "3.0.9",

components/frontend.nix

@@ -3,9 +3,24 @@
 , authentikComponents
 , buildNapalmPackage
 , nodejs_21
+, applyPatches
 }:
-
-buildNapalmPackage "${authentik-src}/web" rec {
+let
+  patched-src = applyPatches {
+    src = authentik-src;
+    name = "patched-authentik-source";
+    patches = [
+      # Should be obsolete with the next release (i.e. 2024.4.2).
+      #
+      # The underlying issue was partially fixed by backporting https://github.com/goauthentik/authentik/pull/9419
+      # to 2024.4, but two deps are still missing the resolved/integrity fields in 2024.4.1
+      #
+      # (this introduces IFD)
+      ./frontend-package-lock-json-missing-integrity-infos.patch
+    ];
+  };
+in
+buildNapalmPackage "${patched-src}/web" rec {
   version = authentik-version; # 0.0.0 specified upstream in package.json
   NODE_ENV = "production";
   nodejs = nodejs_21;

components/gopkgs.nix

@@ -1,12 +1,12 @@
 { authentik-src
 , authentik-version
 , authentikComponents
-, buildGo121Module
+, buildGo122Module
 , lib
 , makeWrapper
 }:
 
-buildGo121Module {
+buildGo122Module {
   pname = "authentik-gopkgs";
   version = authentik-version;
   prePatch = ''
@@ -41,7 +41,7 @@ buildGo121Module {
     "cmd/proxy"
     "cmd/radius"
   ];
-  vendorHash = "sha256-UIJBCTq7AJGUDIlZtJaWCovyxlMPzj2BCJQqthybEz4=";
+  vendorHash = "sha256-YpOG5pNw5CNSubm1OkPVpSi7l+l5UdJFido2SQLtK3g=";
   nativeBuildInputs = [ makeWrapper ];
   postInstall = ''
     wrapProgram $out/bin/server --prefix PATH : ${authentikComponents.pythonEnv}/bin

components/pythonEnv.nix

@@ -3,12 +3,12 @@
 , defaultPoetryOverrides
 , lib
 , mkPoetryEnv
-, python311
+, python312
 }:
 
 mkPoetryEnv {
   projectDir = authentik-src;
-  python = python311;
+  python = python312;
   overrides = [
     defaultPoetryOverrides
   ] ++ authentikPoetryOverrides;

flake.lock

@@ -3,16 +3,16 @@
     "authentik-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1713352755,
-        "narHash": "sha256-YWDpRX0z9EL96t0c7RNgAi5b3KOzy3CBEL2Jw27TkVY=",
+        "lastModified": 1714145986,
+        "narHash": "sha256-1xFQ5mUWXxW4bJttI+pw7Uj/F+fpgr2cSJzFpBKfio0=",
         "owner": "goauthentik",
         "repo": "authentik",
-        "rev": "6bb180f94ec124092c4f87ae5f5d892a70b32ff3",
+        "rev": "ca70c963e55daf73b479a4513da06ac5cea77718",
         "type": "github"
       },
       "original": {
         "owner": "goauthentik",
-        "ref": "version/2024.2.3",
+        "ref": "version/2024.4.1",
         "repo": "authentik",
         "type": "github"
       }
@@ -115,16 +115,16 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1713145326,
-        "narHash": "sha256-m7+IWM6mkWOg22EC5kRUFCycXsXLSU7hWmHdmBfmC3s=",
-        "owner": "NixOS",
+        "lastModified": 1713714899,
+        "narHash": "sha256-+z/XjO3QJs5rLE5UOf015gdVauVRQd2vZtsFkaXBq2Y=",
+        "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "53a2c32bc66f5ae41a28d7a9a49d321172af621e",
+        "rev": "6143fc5eeb9c4f00163267708e26191d1e918932",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-23.11",
+        "ref": "nixos-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -176,11 +176,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1708589824,
-        "narHash": "sha256-2GOiFTkvs5MtVF65sC78KNVxQSmsxtk0WmV1wJ9V2ck=",
+        "lastModified": 1714113962,
+        "narHash": "sha256-7nVz2XUgVtnTQIYcuuqdLjZL8ifb7W8jciT+Szsx920=",
         "owner": "nix-community",
         "repo": "poetry2nix",
-        "rev": "3c92540611f42d3fb2d0d084a6c694cd6544b609",
+        "rev": "9245811b58905453033f1ef551f516cbee71c42c",
         "type": "github"
       },
       "original": {

flake.nix

@@ -8,10 +8,13 @@
       url = "github:edolstra/flake-compat";
       flake = false;
     };
-    # nixos-unstable required for go 1.21 until 23.11 release
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
-    # explicitly required for go 1.18 (terraform-provider)
+
+    # nixos-unstable required for go 1.22, until 24.05 release
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+
+    # will be dropped with the next update of the terraform provider
     nixpkgs-23-05.url = "github:NixOS/nixpkgs/nixos-23.05";
+
     poetry2nix = {
       url = "github:nix-community/poetry2nix";
       inputs = {
@@ -27,7 +30,7 @@
       };
     };
     authentik-src = { # change version string in outputs as well when updating
-      url = "github:goauthentik/authentik/version/2024.2.3";
+      url = "github:goauthentik/authentik/version/2024.4.1";
       flake = false;
     };
   };
@@ -47,7 +50,7 @@
     { inherit inputs; }
     ({ inputs, lib, withSystem, ... }:
     let
-      authentik-version = "2024.2.3"; # to pass to the drvs of some components
+      authentik-version = "2024.4.1"; # to pass to the drvs of some components
     in {
       systems = [
         "x86_64-linux"

module.nix

@@ -214,6 +214,12 @@ in
           serviceConfig = mkMerge [ serviceDefaults {
             Type = "oneshot";
             RemainAfterExit = true;
+            RuntimeDirectory = "authentik-migrate";
+            WorkingDirectory = "%t/authentik-migrate";
+            ExecStartPre = [
+              # needs access to "authentik/sources/schemas"
+              "${pkgs.coreutils}/bin/ln -svf ${cfg.authentikComponents.staticWorkdirDeps}/authentik"
+            ];
             ExecStart = "${cfg.authentikComponents.migrate}/bin/migrate.py";
             inherit (config.systemd.services.authentik.serviceConfig) StateDirectory;
           } ];
@@ -230,12 +236,13 @@ in
           serviceConfig = mkMerge [ serviceDefaults {
             RuntimeDirectory = "authentik";
             WorkingDirectory = "%t/authentik";
-            # TODO maybe make this configurable
             ExecStart = "${cfg.authentikComponents.manage}/bin/manage.py worker";
             LoadCredential = mkIf (cfg.nginx.enable && cfg.nginx.enableACME) [
               "${cfg.nginx.host}.pem:${config.security.acme.certs.${cfg.nginx.host}.directory}/fullchain.pem"
               "${cfg.nginx.host}.key:${config.security.acme.certs.${cfg.nginx.host}.directory}/key.pem"
             ];
+            # needs access to $StateDirectory/media/public
+            inherit (config.systemd.services.authentik.serviceConfig) StateDirectory;
           } ];
         };
         authentik = {

poetry2nix-python-overrides.nix

@@ -8,77 +8,35 @@ pkgs:
         nativeBuildInputs = (oA.nativeBuildInputs or []) ++ [ final.setuptools ];
       });
     }) [
-      "bump2version"
       "dumb-init"
-      "opencontainers"
-      "pytest-github-actions-annotate-failures"
-      "drf-jsonschema-serializer"
-      "pydantic-scim"
       "django-tenants"
     ]))
   )
   (final: prev: {
-      ruff = null; # don't need a linter for the package %), groups = [] && checkGroups = [] doesn't seem to work
-      django-otp = prev.django-otp.overrideAttrs (oA: {
-        buildInputs = [ final.hatchling ];
-      });
-      service-identity = prev.service-identity.overrideAttrs (oA: {
-        buildInputs = [
-          final.hatchling
-          final.hatch-fancy-pypi-readme
-          final.hatch-vcs
-        ];
-      });
-      pyrad = prev.pyrad.overrideAttrs (oA: {
-        nativeBuildInputs = oA.nativeBuildInputs ++ [
-          final.poetry
-        ];
-      });
       xmlsec = prev.xmlsec.overridePythonAttrs (oA: {
         nativeBuildInputs = oA.nativeBuildInputs ++ [ final.setuptools final.pkgconfig ];
         buildInputs = [ pkgs.xmlsec.dev pkgs.xmlsec pkgs.libxml2 pkgs.libtool ];
       });
       opencontainers = prev.opencontainers.overrideAttrs (oA: {
         nativeBuildInputs = oA.nativeBuildInputs ++ [
+          final.setuptools
           final.pytest-runner final.pytest
         ];
       });
-      urllib3-secure-extra = prev.urllib3-secure-extra.overrideAttrs (oA: {
-        buildInputs = [ final.flit-core ];
-      });
-      pydantic-scim = prev.pydantic-scim.overrideAttrs (oA: {
-        nativeBuildInputs = oA.nativeBuildInputs ++ [
-          final.setuptools-scm
-        ];
-      });
       psycopg-c = prev.psycopg-c.overrideAttrs (oA: {
         nativeBuildInputs = oA.nativeBuildInputs ++ [
           final.setuptools
           final.tomli
-          final.cython_3
+          final.cython-3
           pkgs.postgresql
         ];
       });
-      psycopg = prev.psycopg.overrideAttrs (oA: {
-        propagatedBuildInputs = oA.propagatedBuildInputs ++ [
-          final.psycopg-c
-        ];
-        pythonImportsCheck = [
-          "psycopg"
-          "psycopg_c"
-        ];
-      });
       twisted = prev.twisted.overrideAttrs (oA: {
-        buildInputs = [
+        buildInputs = oA.buildInputs ++ [
           final.hatchling
           final.hatch-fancy-pypi-readme
         ];
       });
-      django-filter = prev.django-filter.overrideAttrs (oA: {
-        nativeBuildInputs = oA.nativeBuildInputs ++ [
-          final.flit-core
-        ];
-      });
       cryptography = prev.cryptography.overridePythonAttrs (oA: {
         cargoDeps = pkgs.rustPlatform.fetchCargoTarball {
             src = oA.src;
@@ -87,6 +45,55 @@ pkgs:
             sha256 = "sha256-qaXQiF1xZvv4sNIiR2cb5TfD7oNiYdvUwcm37nh2P2M=";
           };
       });
+      dnspython = prev.dnspython.overrideAttrs (oA: {
+        buildInputs = oA.buildInputs ++ [
+          final.hatchling
+        ];
+      });
+      sqlparse = prev.sqlparse.overrideAttrs (oA: {
+        buildInputs = oA.buildInputs ++ [
+          final.hatchling
+        ];
+      });
+      scim2-filter-parser = prev.scim2-filter-parser.overrideAttrs (oA: {
+        patches = [
+          (pkgs.fetchpatch {
+            name = "replace-poetry-with-poetry-core.patch";
+            url = "https://patch-diff.githubusercontent.com/raw/15five/scim2-filter-parser/pull/43.patch";
+            hash = "sha256-PjJH1S5CDe/BMI0+mB34KdpNNcHfexBFYBmHolsWH4o=";
+          })
+        ];
+        nativeBuildInputs = oA.nativeBuildInputs ++ [
+          final.poetry-core
+        ];
+      });
+      # alias because lxml references cython_3 in nativeBuildInputs
+      cython_3 = final.cython-3;
+      #pyyaml = pkgs.python312.pkgs.pyyaml;
+      pyyaml = prev.pyyaml.overrideAttrs (oA:
+      let
+        # checks if derivation is cython with major version 3
+        isNotCython3 = drv:
+          let
+            drvInfo = builtins.parseDrvName drv.name;
+            isCython = pkgs.lib.hasSuffix "-cython" drvInfo.name;
+            isVersion3 = pkgs.lib.versions.major drvInfo.version == "3";
+          in
+          isCython -> !isVersion3;
+
+        # removes cython3 derivation from list
+        removeCython3 = builtins.filter isNotCython3;
+      in
+      {
+        # pyyaml 6.0.1 doesn't build with cython3, see upstream nixpkgs
+        nativeBuildInputs = (removeCython3 oA.nativeBuildInputs) ++ [
+          pkgs.python312Packages.cython_0
+          final.setuptools
+        ];
+        buildInputs = oA.buildInputs ++ [
+          pkgs.libyaml
+        ];
+      });
     }
   )
 ]