diff --git a/components/docs.nix b/components/docs.nix
index 09ab35a..5960b68 100644
--- a/components/docs.nix
+++ b/components/docs.nix
@@ -11,8 +11,9 @@ buildNapalmPackage "${authentik-src}/website" {
 npmCommands = [
 "cp -v ${authentik-src}/SECURITY.md ../SECURITY.md"
 "cp -vr ${authentik-src}/blueprints ../blueprints"
+ "cp -v ${authentik-src}/schema.yml ../schema.yml"
 "npm install --include=dev"
- "npm run build-docs-only"
+ "npm run build-bundled"
 ];
 installPhase = ''
 rm -r ../website/node_modules/.cache
diff --git a/components/frontend-package-lock-json-missing-integrity-infos.patch b/components/frontend-package-lock-json-missing-integrity-infos.patch
new file mode 100644
index 0000000..b57715a
--- /dev/null
+++ b/components/frontend-package-lock-json-missing-integrity-infos.patch
@@ -0,0 +1,25 @@
+diff --git a/web/package-lock.json b/web/package-lock.json
+--- a/web/package-lock.json
++++ b/web/package-lock.json
+@@ -6663,7 +6663,9 @@
+ "license": "MIT",
+ "dependencies": {
+ "type-fest": "^2.19.0"
+- }
++ },
++ "resolved": "https://registry.npmjs.org/@storybook/csf/-/csf-0.1.2.tgz",
++ "integrity": "sha512-ePrvE/pS1vsKR9Xr+o+YwdqNgHUyXvg+1Xjx0h9LrVx7Zq4zNe06pd63F5EvzTbCbJsHj7GHr9tkiaqm7U8WRA=="
+ },
+ "node_modules/@storybook/csf-plugin": {
+ "version": "8.0.8",
+@@ -8654,7 +8656,9 @@
+ "node_modules/@types/find-cache-dir": {
+ "version": "3.2.1",
+ "dev": true,
+- "license": "MIT"
++ "license": "MIT",
++ "resolved": "https://registry.npmjs.org/@types/find-cache-dir/-/find-cache-dir-3.2.1.tgz",
++ "integrity": "sha512-frsJrz2t/CeGifcu/6uRo4b+SzAwT4NYCVPu1GN8IB9XTzrpPkGuV0tmh9mN+/L0PklAlsC3u5Fxt0ju00LXIw=="
+ },
+ "node_modules/@types/grecaptcha": {
+ "version": "3.0.9",
diff --git a/components/frontend.nix b/components/frontend.nix
index d8c3263..6b9802c 100644
--- a/components/frontend.nix
+++ b/components/frontend.nix
@@ -3,9 +3,24 @@
 , authentikComponents
 , buildNapalmPackage
 , nodejs_21
+, applyPatches
 }:
-
-buildNapalmPackage "${authentik-src}/web" rec {
+let
+ patched-src = applyPatches {
+ src = authentik-src;
+ name = "patched-authentik-source";
+ patches = [
+ # Should be obsolete with the next release (i.e. 2024.4.2).
+ #
+ # The underlying issue was partially fixed by backporting https://github.com/goauthentik/authentik/pull/9419
+ # to 2024.4, but two deps are still missing the resolved/integrity fields in 2024.4.1
+ #
+ # (this introduces IFD)
+ ./frontend-package-lock-json-missing-integrity-infos.patch
+ ];
+ };
+in
+buildNapalmPackage "${patched-src}/web" rec {
 version = authentik-version; # 0.0.0 specified upstream in package.json
 NODE_ENV = "production";
 nodejs = nodejs_21;
diff --git a/components/gopkgs.nix b/components/gopkgs.nix
index ea12d15..c057d8e 100644
--- a/components/gopkgs.nix
+++ b/components/gopkgs.nix
@@ -1,12 +1,12 @@
 { authentik-src
 , authentik-version
 , authentikComponents
-, buildGo121Module
+, buildGo122Module
 , lib
 , makeWrapper
 }:
-buildGo121Module {
+buildGo122Module {
 pname = "authentik-gopkgs";
 version = authentik-version;
 prePatch = ''
@@ -41,7 +41,7 @@ buildGo121Module {
 "cmd/proxy"
 "cmd/radius"
 ];
- vendorHash = "sha256-UIJBCTq7AJGUDIlZtJaWCovyxlMPzj2BCJQqthybEz4=";
+ vendorHash = "sha256-YpOG5pNw5CNSubm1OkPVpSi7l+l5UdJFido2SQLtK3g=";
 nativeBuildInputs = [ makeWrapper ];
 postInstall = ''
 wrapProgram $out/bin/server --prefix PATH : ${authentikComponents.pythonEnv}/bin
diff --git a/components/pythonEnv.nix b/components/pythonEnv.nix
index 33d9420..4f876a0 100644
--- a/components/pythonEnv.nix
+++ b/components/pythonEnv.nix
@@ -3,12 +3,12 @@
 , defaultPoetryOverrides
 , lib
 , mkPoetryEnv
-, python311
+, python312
 }:
 mkPoetryEnv {
 projectDir = authentik-src;
- python = python311;
+ python = python312;
 overrides = [
 defaultPoetryOverrides
 ] ++ authentikPoetryOverrides;
diff --git a/flake.lock b/flake.lock
index ada6311..aa4bc5e 100644
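Review bot: The comment block above `patches` explains why the patch exists but not where the two `resolved`/`integrity` values it injects were taken from, and those fields are exactly what lets the fetch of `@storybook/csf` and `@types/find-cache-dir` be checked against a hash, so a reviewer currently has to trust the patch rather than verify it. I would add one line such as `# resolved/integrity values taken from <SOURCE: upstream PR or npm registry metadata>; verify against the registry before re-applying on a newer lockfile`. The `Should be obsolete with the next release` note is presumably self-enforcing, since applyPatches should fail hard once the patch no longer applies after the 2024.4.2 bump, but that is inferred rather than visible here. The buildNapalmPackage call opened on the last added line continues outside the hunk.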
--- a/flake.lock
+++ b/flake.lock
@@ -3,16 +3,16 @@
 "authentik-src": {
 "flake": false,
 "locked": {
- "lastModified": 1713352755,
- "narHash": "sha256-YWDpRX0z9EL96t0c7RNgAi5b3KOzy3CBEL2Jw27TkVY=",
+ "lastModified": 1714145986,
+ "narHash": "sha256-1xFQ5mUWXxW4bJttI+pw7Uj/F+fpgr2cSJzFpBKfio0=",
 "owner": "goauthentik",
 "repo": "authentik",
- "rev": "6bb180f94ec124092c4f87ae5f5d892a70b32ff3",
+ "rev": "ca70c963e55daf73b479a4513da06ac5cea77718",
 "type": "github"
 },
 "original": {
 "owner": "goauthentik",
- "ref": "version/2024.2.3",
+ "ref": "version/2024.4.1",
 "repo": "authentik",
 "type": "github"
 }
@@ -115,16 +115,16 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1713145326,
- "narHash": "sha256-m7+IWM6mkWOg22EC5kRUFCycXsXLSU7hWmHdmBfmC3s=",
- "owner": "NixOS",
+ "lastModified": 1713714899,
+ "narHash": "sha256-+z/XjO3QJs5rLE5UOf015gdVauVRQd2vZtsFkaXBq2Y=",
+ "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "53a2c32bc66f5ae41a28d7a9a49d321172af621e",
+ "rev": "6143fc5eeb9c4f00163267708e26191d1e918932",
 "type": "github"
 },
 "original": {
 "owner": "NixOS",
- "ref": "nixos-23.11",
+ "ref": "nixos-unstable",
 "repo": "nixpkgs",
 "type": "github"
 }
@@ -176,11 +176,11 @@
 "treefmt-nix": "treefmt-nix"
 },
 "locked": {
- "lastModified": 1708589824,
- "narHash": "sha256-2GOiFTkvs5MtVF65sC78KNVxQSmsxtk0WmV1wJ9V2ck=",
+ "lastModified": 1714113962,
+ "narHash": "sha256-7nVz2XUgVtnTQIYcuuqdLjZL8ifb7W8jciT+Szsx920=",
 "owner": "nix-community",
 "repo": "poetry2nix",
- "rev": "3c92540611f42d3fb2d0d084a6c694cd6544b609",
+ "rev": "9245811b58905453033f1ef551f516cbee71c42c",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 3f8b2a5..1c4f2fa 100644
--- a/flake.nix
+++ b/flake.nix
@@ -8,10 +8,13 @@
 url = "github:edolstra/flake-compat";
 flake = false;
 };
- # nixos-unstable required for go 1.21 until 23.11 release
- nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
- # explicitly required for go 1.18 (terraform-provider)
+
+ # nixos-unstable required for go 1.22, until 24.05 release
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+
+ # will be dropped with the next update of the terraform provider
 nixpkgs-23-05.url = "github:NixOS/nixpkgs/nixos-23.05";
+
 poetry2nix = {
 url = "github:nix-community/poetry2nix";
 inputs = {
@@ -27,7 +30,7 @@
 };
 };
 authentik-src = { # change version string in outputs as well when updating
- url = "github:goauthentik/authentik/version/2024.2.3";
+ url = "github:goauthentik/authentik/version/2024.4.1";
 flake = false;
 };
 };
@@ -47,7 +50,7 @@
 { inherit inputs; }
 ({ inputs, lib, withSystem, ... }:
 let
- authentik-version = "2024.2.3"; # to pass to the drvs of some components
+ authentik-version = "2024.4.1"; # to pass to the drvs of some components
 in {
 systems = [
 "x86_64-linux"
diff --git a/module.nix b/module.nix
index 16f2cbc..31019ab 100644
--- a/module.nix
+++ b/module.nix
@@ -214,6 +214,12 @@ in
 serviceConfig = mkMerge [ serviceDefaults {
 Type = "oneshot";
 RemainAfterExit = true;
+ RuntimeDirectory = "authentik-migrate";
+ WorkingDirectory = "%t/authentik-migrate";
+ ExecStartPre = [
+ # needs access to "authentik/sources/schemas"
+ "${pkgs.coreutils}/bin/ln -svf ${cfg.authentikComponents.staticWorkdirDeps}/authentik"
+ ];
 ExecStart = "${cfg.authentikComponents.migrate}/bin/migrate.py";
 inherit (config.systemd.services.authentik.serviceConfig) StateDirectory;
 } ];
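Review bot: The retained `nixpkgs-23-05` input keeps the terraform provider on a nixpkgs release branch that, as far as I know, reached end of life in late 2023 and no longer receives security updates, yet the rewritten comment above `nixpkgs-23-05.url` only says it `will be dropped with the next update of the terraform provider`. I would state the exposure so it does not quietly outlive the provider bump, e.g. `# nixos-23.05 is EOL (no security fixes); only the terraform provider still needs it, drop with its next update`. Moving `nixpkgs.url` to `nixos-unstable` stays reproducible because flake.lock pins an exact rev, but every future `nix flake update` now tracks an unreleased branch, which the `until 24.05 release` comment could say explicitly. The same 2024.4.1 literal now appears in both the `authentik-src` url and `authentik-version`, as the existing `change version string in outputs as well` comment already warns; the third hunk is the matching bump.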
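Review bot: The new `ExecStartPre` line relies on `ln`'s implicit link name (the basename of the store path) and on `WorkingDirectory` for where it lands, and `-f` without `-n` would descend into an existing `authentik` symlink-to-directory instead of replacing it should the runtime directory ever be reused. Naming the link explicitly and adding `-n` makes the step self-describing and idempotent: `"${pkgs.coreutils}/bin/ln -svfn ${cfg.authentikComponents.staticWorkdirDeps}/authentik authentik"`. Whether `%t/authentik-migrate` is actually reused between runs depends on systemd's cleanup of `RuntimeDirectory` for this `RemainAfterExit` oneshot, which I have not verified here. The enclosing migrate service definition starts and ends outside the hunk.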
@@ -230,12 +236,13 @@ in
 serviceConfig = mkMerge [ serviceDefaults {
 RuntimeDirectory = "authentik";
 WorkingDirectory = "%t/authentik";
- # TODO maybe make this configurable
 ExecStart = "${cfg.authentikComponents.manage}/bin/manage.py worker";
 LoadCredential = mkIf (cfg.nginx.enable && cfg.nginx.enableACME) [
 "${cfg.nginx.host}.pem:${config.security.acme.certs.${cfg.nginx.host}.directory}/fullchain.pem"
 "${cfg.nginx.host}.key:${config.security.acme.certs.${cfg.nginx.host}.directory}/key.pem"
 ];
+ # needs access to $StateDirectory/media/public
+ inherit (config.systemd.services.authentik.serviceConfig) StateDirectory;
 } ];
 };
 authentik = {
diff --git a/poetry2nix-python-overrides.nix b/poetry2nix-python-overrides.nix
index 52f647c..d95a480 100644
--- a/poetry2nix-python-overrides.nix
+++ b/poetry2nix-python-overrides.nix
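Review bot: Inheriting `StateDirectory` grants the worker read/write access to the entire state directory of the authentik server unit, not just the `media/public` subtree the new comment names, so the two services now share all of that state. If the broader grant is intended, say so in the comment, e.g. `# shares the server's full StateDirectory; needed at least for media/public`; if only `media` must be writable, note that so a narrower mount can be considered later. I cannot tell from this hunk what else under the state directory the worker touches. The enclosing worker service block starts outside the hunk.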
@@ -8,77 +8,35 @@ pkgs:
 nativeBuildInputs = (oA.nativeBuildInputs or []) ++ [ final.setuptools ]; }); }) [
- "bump2version"
 "dumb-init"
- "opencontainers"
- "pytest-github-actions-annotate-failures"
- "drf-jsonschema-serializer"
- "pydantic-scim"
 "django-tenants"
 ]))
 )
 (final: prev: {
- ruff = null; # don't need a linter for the package %), groups = [] && checkGroups = [] doesn't seem to work
- django-otp = prev.django-otp.overrideAttrs (oA: {
- buildInputs = [ final.hatchling ];
- });
- service-identity = prev.service-identity.overrideAttrs (oA: {
- buildInputs = [
- final.hatchling
- final.hatch-fancy-pypi-readme
- final.hatch-vcs
- ];
- });
- pyrad = prev.pyrad.overrideAttrs (oA: {
- nativeBuildInputs = oA.nativeBuildInputs ++ [
- final.poetry
- ];
- });
 xmlsec = prev.xmlsec.overridePythonAttrs (oA: { nativeBuildInputs = oA.nativeBuildInputs ++ [ final.setuptools final.pkgconfig ]; buildInputs = [ pkgs.xmlsec.dev pkgs.xmlsec pkgs.libxml2 pkgs.libtool ]; });
 opencontainers = prev.opencontainers.overrideAttrs (oA: {
 nativeBuildInputs = oA.nativeBuildInputs ++ [
+ final.setuptools
 final.pytest-runner
 final.pytest
 ];
 });
- urllib3-secure-extra = prev.urllib3-secure-extra.overrideAttrs (oA: {
- buildInputs = [ final.flit-core ];
- });
- pydantic-scim = prev.pydantic-scim.overrideAttrs (oA: {
- nativeBuildInputs = oA.nativeBuildInputs ++ [
- final.setuptools-scm
- ];
- });
 psycopg-c = prev.psycopg-c.overrideAttrs (oA: {
 nativeBuildInputs = oA.nativeBuildInputs ++ [
 final.setuptools
 final.tomli
- final.cython_3
+ final.cython-3
 pkgs.postgresql
 ];
 });
- psycopg = prev.psycopg.overrideAttrs (oA: {
- propagatedBuildInputs = oA.propagatedBuildInputs ++ [
- final.psycopg-c
- ];
- pythonImportsCheck = [
- "psycopg"
- "psycopg_c"
- ];
- });
 twisted = prev.twisted.overrideAttrs (oA: {
- buildInputs = [
+ buildInputs = oA.buildInputs ++ [
 final.hatchling
 final.hatch-fancy-pypi-readme
 ];
 });
- django-filter = prev.django-filter.overrideAttrs (oA: {
- nativeBuildInputs = oA.nativeBuildInputs ++ [
- final.flit-core
- ];
- });
 cryptography = prev.cryptography.overridePythonAttrs (oA: {
 cargoDeps = pkgs.rustPlatform.fetchCargoTarball {
 src = oA.src;
@@ -87,6 +45,55 @@ pkgs:
 sha256 = "sha256-qaXQiF1xZvv4sNIiR2cb5TfD7oNiYdvUwcm37nh2P2M=";
 };
 });
+ dnspython = prev.dnspython.overrideAttrs (oA: {
+ buildInputs = oA.buildInputs ++ [
+ final.hatchling
+ ];
+ });
+ sqlparse = prev.sqlparse.overrideAttrs (oA: {
+ buildInputs = oA.buildInputs ++ [
+ final.hatchling
+ ];
+ });
+ scim2-filter-parser = prev.scim2-filter-parser.overrideAttrs (oA: {
+ patches = [
+ (pkgs.fetchpatch {
+ name = "replace-poetry-with-poetry-core.patch";
+ url = "https://patch-diff.githubusercontent.com/raw/15five/scim2-filter-parser/pull/43.patch";
+ hash = "sha256-PjJH1S5CDe/BMI0+mB34KdpNNcHfexBFYBmHolsWH4o=";
+ })
+ ];
+ nativeBuildInputs = oA.nativeBuildInputs ++ [
+ final.poetry-core
+ ];
+ });
+ # alias because lxml references cython_3 in nativeBuildInputs
+ cython_3 = final.cython-3;
+ #pyyaml = pkgs.python312.pkgs.pyyaml;
+ pyyaml = prev.pyyaml.overrideAttrs (oA:
+ let
+ # checks if derivation is cython with major version 3
+ isNotCython3 = drv:
+ let
+ drvInfo = builtins.parseDrvName drv.name;
+ isCython = pkgs.lib.hasSuffix "-cython" drvInfo.name;
+ isVersion3 = pkgs.lib.versions.major drvInfo.version == "3";
+ in
+ isCython -> !isVersion3;
+
+ # removes cython3 derivation from list
+ removeCython3 = builtins.filter isNotCython3;
+ in
+ {
+ # pyyaml 6.0.1 doesn't build with cython3, see upstream nixpkgs
+ nativeBuildInputs = (removeCython3 oA.nativeBuildInputs) ++ [
+ pkgs.python312Packages.cython_0
+ final.setuptools
+ ];
+ buildInputs = oA.buildInputs ++ [
+ pkgs.libyaml
+ ];
+ });
 }
 )
 ]
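Review bot: The comment above `isNotCython3` reads `checks if derivation is cython with major version 3`, but the predicate returns true for everything except a cython 3 derivation (`isCython -> !isVersion3`), so the comment says the opposite of what the name and body do; I would change it to `# true unless drv is cython with major version 3 (used to filter it out)`. The commented-out `#pyyaml = pkgs.python312.pkgs.pyyaml;` line just above should either go or carry a note on why the override below was preferred over it. `isNotCython3` reads `drv.name` on every element of `oA.nativeBuildInputs`, so a non-derivation entry (a path or string) would make the filter fail at evaluation; I have not checked whether poetry2nix guarantees derivations there. For the `scim2-filter-parser` patch, fetching a PR patch from `patch-diff.githubusercontent.com` is acceptable only because `hash` pins it, so a force-pushed PR fails the build closed rather than silently changing the input, which is worth a one-line comment next to `url`.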