update: 2024.2.3 -> 2024.4.1

Release notes: https://docs.goauthentik.io/docs/releases/2024.4 Notable dependency updates: python 3.11 -> python 3.12 golang 1.21 -> golang 1.22 nixpkgs-23.11 -> nixpkgs-unstable (for golang 1.22 until 24.05) Introduces patch to `web/package-lock.json`, see `components/frontend.nix`, this will cause IFD until the issue is resolved. https://nixos.org/manual/nix/stable/language/import-from-derivation Flake lock file updates: • Updated input 'authentik-src': 'github:goauthentik/authentik/6bb180f94ec124092c4f87ae5f5d892a70b32ff3' (2024-04-17) → 'github:goauthentik/authentik/ca70c963e55daf73b479a4513da06ac5cea77718' (2024-04-26) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/53a2c32bc66f5ae41a28d7a9a49d321172af621e' (2024-04-15) → 'github:NixOS/nixpkgs/6143fc5eeb9c4f00163267708e26191d1e918932' (2024-04-21) • Updated input 'poetry2nix': 'github:nix-community/poetry2nix/3c92540611f42d3fb2d0d084a6c694cd6544b609' (2024-02-22) → 'github:nix-community/poetry2nix/9245811b58905453033f1ef551f516cbee71c42c' (2024-04-26)
2024-04-24 18:44:40 +02:00 · 2024-04-24 18:44:40 +02:00 · 608c5dd4f5
commit 608c5dd4f5
parent 5011f30262
9 changed files with 129 additions and 71 deletions
--- a/components/docs.nix
+++ b/components/docs.nix
@ -11,8 +11,9 @@ buildNapalmPackage "${authentik-src}/website" {
  npmCommands = [
    "cp -v ${authentik-src}/SECURITY.md ../SECURITY.md"
    "cp -vr ${authentik-src}/blueprints ../blueprints"
    "cp -v ${authentik-src}/schema.yml ../schema.yml"
    "npm install --include=dev"
-    "npm run build-docs-only"
+    "npm run build-bundled"
  ];
  installPhase = ''
    rm -r ../website/node_modules/.cache
--- a/components/frontend-package-lock-json-missing-integrity-infos.patch
+++ b/components/frontend-package-lock-json-missing-integrity-infos.patch
@ -0,0 +1,25 @@
 diff --git a/web/package-lock.json b/web/package-lock.json
 --- a/web/package-lock.json
 +++ b/web/package-lock.json
@@ -6663,7 +6663,9 @@
             "license": "MIT",
             "dependencies": {
                 "type-fest": "^2.19.0"
 -            }
 +            },
 +            "resolved": "https://registry.npmjs.org/@storybook/csf/-/csf-0.1.2.tgz",
 +            "integrity": "sha512-ePrvE/pS1vsKR9Xr+o+YwdqNgHUyXvg+1Xjx0h9LrVx7Zq4zNe06pd63F5EvzTbCbJsHj7GHr9tkiaqm7U8WRA=="
         },
         "node_modules/@storybook/csf-plugin": {
             "version": "8.0.8",
@@ -8654,7 +8656,9 @@
         "node_modules/@types/find-cache-dir": {
             "version": "3.2.1",
             "dev": true,
 -            "license": "MIT"
 +            "license": "MIT",
 +            "resolved": "https://registry.npmjs.org/@types/find-cache-dir/-/find-cache-dir-3.2.1.tgz",
 +            "integrity": "sha512-frsJrz2t/CeGifcu/6uRo4b+SzAwT4NYCVPu1GN8IB9XTzrpPkGuV0tmh9mN+/L0PklAlsC3u5Fxt0ju00LXIw=="
         },
         "node_modules/@types/grecaptcha": {
             "version": "3.0.9",
--- a/components/frontend.nix
+++ b/components/frontend.nix
@ -3,9 +3,24 @@
 , authentikComponents
 , buildNapalmPackage
 , nodejs_21
 , applyPatches
 }:
-
+let
-buildNapalmPackage "${authentik-src}/web" rec {
+  patched-src = applyPatches {
    src = authentik-src;
    name = "patched-authentik-source";
    patches = [
      # Should be obsolete with the next release (i.e. 2024.4.2).
      #
      # The underlying issue was partially fixed by backporting https://github.com/goauthentik/authentik/pull/9419
      # to 2024.4, but two deps are still missing the resolved/integrity fields in 2024.4.1
      #
      # (this introduces IFD)
      ./frontend-package-lock-json-missing-integrity-infos.patch
    ];
  };
 in
 buildNapalmPackage "${patched-src}/web" rec {
  version = authentik-version; # 0.0.0 specified upstream in package.json
  NODE_ENV = "production";
  nodejs = nodejs_21;
--- a/components/gopkgs.nix
+++ b/components/gopkgs.nix
@ -1,12 +1,12 @@
 { authentik-src
 , authentik-version
 , authentikComponents
-, buildGo121Module
+, buildGo122Module
 , lib
 , makeWrapper
 }:
-buildGo121Module {
+buildGo122Module {
  pname = "authentik-gopkgs";
  version = authentik-version;
  prePatch = ''
@ -41,7 +41,7 @@ buildGo121Module {
    "cmd/proxy"
    "cmd/radius"
  ];
-  vendorHash = "sha256-UIJBCTq7AJGUDIlZtJaWCovyxlMPzj2BCJQqthybEz4=";
+  vendorHash = "sha256-YpOG5pNw5CNSubm1OkPVpSi7l+l5UdJFido2SQLtK3g=";
  nativeBuildInputs = [ makeWrapper ];
  postInstall = ''
    wrapProgram $out/bin/server --prefix PATH : ${authentikComponents.pythonEnv}/bin
--- a/components/pythonEnv.nix
+++ b/components/pythonEnv.nix
@ -3,12 +3,12 @@
 , defaultPoetryOverrides
 , lib
 , mkPoetryEnv
-, python311
+, python312
 }:
 mkPoetryEnv {
  projectDir = authentik-src;
-  python = python311;
+  python = python312;
  overrides = [
    defaultPoetryOverrides
  ] ++ authentikPoetryOverrides;
--- a/flake.lock
+++ b/flake.lock
@ -3,16 +3,16 @@
    "authentik-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1713352755,
+        "lastModified": 1714145986,
-        "narHash": "sha256-YWDpRX0z9EL96t0c7RNgAi5b3KOzy3CBEL2Jw27TkVY=",
+        "narHash": "sha256-1xFQ5mUWXxW4bJttI+pw7Uj/F+fpgr2cSJzFpBKfio0=",
        "owner": "goauthentik",
        "repo": "authentik",
-        "rev": "6bb180f94ec124092c4f87ae5f5d892a70b32ff3",
+        "rev": "ca70c963e55daf73b479a4513da06ac5cea77718",
        "type": "github"
      },
      "original": {
        "owner": "goauthentik",
-        "ref": "version/2024.2.3",
+        "ref": "version/2024.4.1",
        "repo": "authentik",
        "type": "github"
      }
@ -115,16 +115,16 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1713145326,
+        "lastModified": 1713714899,
-        "narHash": "sha256-m7+IWM6mkWOg22EC5kRUFCycXsXLSU7hWmHdmBfmC3s=",
+        "narHash": "sha256-+z/XjO3QJs5rLE5UOf015gdVauVRQd2vZtsFkaXBq2Y=",
-        "owner": "NixOS",
+        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "53a2c32bc66f5ae41a28d7a9a49d321172af621e",
+        "rev": "6143fc5eeb9c4f00163267708e26191d1e918932",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-23.11",
+        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -176,11 +176,11 @@
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
-        "lastModified": 1708589824,
+        "lastModified": 1714113962,
-        "narHash": "sha256-2GOiFTkvs5MtVF65sC78KNVxQSmsxtk0WmV1wJ9V2ck=",
+        "narHash": "sha256-7nVz2XUgVtnTQIYcuuqdLjZL8ifb7W8jciT+Szsx920=",
        "owner": "nix-community",
        "repo": "poetry2nix",
-        "rev": "3c92540611f42d3fb2d0d084a6c694cd6544b609",
+        "rev": "9245811b58905453033f1ef551f516cbee71c42c",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -8,10 +8,13 @@
      url = "github:edolstra/flake-compat";
      flake = false;
    };
-    # nixos-unstable required for go 1.21 until 23.11 release
+
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
+    # nixos-unstable required for go 1.22, until 24.05 release
-    # explicitly required for go 1.18 (terraform-provider)
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    # will be dropped with the next update of the terraform provider
    nixpkgs-23-05.url = "github:NixOS/nixpkgs/nixos-23.05";
    poetry2nix = {
      url = "github:nix-community/poetry2nix";
      inputs = {
@ -27,7 +30,7 @@
      };
    };
    authentik-src = { # change version string in outputs as well when updating
-      url = "github:goauthentik/authentik/version/2024.2.3";
+      url = "github:goauthentik/authentik/version/2024.4.1";
      flake = false;
    };
  };
@ -47,7 +50,7 @@
    { inherit inputs; }
    ({ inputs, lib, withSystem, ... }:
    let
-      authentik-version = "2024.2.3"; # to pass to the drvs of some components
+      authentik-version = "2024.4.1"; # to pass to the drvs of some components
    in {
      systems = [
        "x86_64-linux"
--- a/module.nix
+++ b/module.nix
@ -214,6 +214,12 @@ in
          serviceConfig = mkMerge [ serviceDefaults {
            Type = "oneshot";
            RemainAfterExit = true;
            RuntimeDirectory = "authentik-migrate";
            WorkingDirectory = "%t/authentik-migrate";
            ExecStartPre = [
              # needs access to "authentik/sources/schemas"
              "${pkgs.coreutils}/bin/ln -svf ${cfg.authentikComponents.staticWorkdirDeps}/authentik"
            ];
            ExecStart = "${cfg.authentikComponents.migrate}/bin/migrate.py";
            inherit (config.systemd.services.authentik.serviceConfig) StateDirectory;
          } ];
@ -230,12 +236,13 @@ in
          serviceConfig = mkMerge [ serviceDefaults {
            RuntimeDirectory = "authentik";
            WorkingDirectory = "%t/authentik";
            # TODO maybe make this configurable
            ExecStart = "${cfg.authentikComponents.manage}/bin/manage.py worker";
            LoadCredential = mkIf (cfg.nginx.enable && cfg.nginx.enableACME) [
              "${cfg.nginx.host}.pem:${config.security.acme.certs.${cfg.nginx.host}.directory}/fullchain.pem"
              "${cfg.nginx.host}.key:${config.security.acme.certs.${cfg.nginx.host}.directory}/key.pem"
            ];
            # needs access to $StateDirectory/media/public
            inherit (config.systemd.services.authentik.serviceConfig) StateDirectory;
          } ];
        };
        authentik = {
--- a/poetry2nix-python-overrides.nix
+++ b/poetry2nix-python-overrides.nix
@ -8,77 +8,35 @@ pkgs:
        nativeBuildInputs = (oA.nativeBuildInputs or []) ++ [ final.setuptools ];
      });
    }) [
      "bump2version"
      "dumb-init"
      "opencontainers"
      "pytest-github-actions-annotate-failures"
      "drf-jsonschema-serializer"
      "pydantic-scim"
      "django-tenants"
    ]))
  )
  (final: prev: {
      ruff = null; # don't need a linter for the package %), groups = [] && checkGroups = [] doesn't seem to work
      django-otp = prev.django-otp.overrideAttrs (oA: {
        buildInputs = [ final.hatchling ];
      });
      service-identity = prev.service-identity.overrideAttrs (oA: {
        buildInputs = [
          final.hatchling
          final.hatch-fancy-pypi-readme
          final.hatch-vcs
        ];
      });
      pyrad = prev.pyrad.overrideAttrs (oA: {
        nativeBuildInputs = oA.nativeBuildInputs ++ [
          final.poetry
        ];
      });
      xmlsec = prev.xmlsec.overridePythonAttrs (oA: {
        nativeBuildInputs = oA.nativeBuildInputs ++ [ final.setuptools final.pkgconfig ];
        buildInputs = [ pkgs.xmlsec.dev pkgs.xmlsec pkgs.libxml2 pkgs.libtool ];
      });
      opencontainers = prev.opencontainers.overrideAttrs (oA: {
        nativeBuildInputs = oA.nativeBuildInputs ++ [
          final.setuptools
          final.pytest-runner final.pytest
        ];
      });
      urllib3-secure-extra = prev.urllib3-secure-extra.overrideAttrs (oA: {
        buildInputs = [ final.flit-core ];
      });
      pydantic-scim = prev.pydantic-scim.overrideAttrs (oA: {
        nativeBuildInputs = oA.nativeBuildInputs ++ [
          final.setuptools-scm
        ];
      });
      psycopg-c = prev.psycopg-c.overrideAttrs (oA: {
        nativeBuildInputs = oA.nativeBuildInputs ++ [
          final.setuptools
          final.tomli
-          final.cython_3
+          final.cython-3
          pkgs.postgresql
        ];
      });
      psycopg = prev.psycopg.overrideAttrs (oA: {
        propagatedBuildInputs = oA.propagatedBuildInputs ++ [
          final.psycopg-c
        ];
        pythonImportsCheck = [
          "psycopg"
          "psycopg_c"
        ];
      });
      twisted = prev.twisted.overrideAttrs (oA: {
-        buildInputs = [
+        buildInputs = oA.buildInputs ++ [
          final.hatchling
          final.hatch-fancy-pypi-readme
        ];
      });
      django-filter = prev.django-filter.overrideAttrs (oA: {
        nativeBuildInputs = oA.nativeBuildInputs ++ [
          final.flit-core
        ];
      });
      cryptography = prev.cryptography.overridePythonAttrs (oA: {
        cargoDeps = pkgs.rustPlatform.fetchCargoTarball {
            src = oA.src;
@ -87,6 +45,55 @@ pkgs:
            sha256 = "sha256-qaXQiF1xZvv4sNIiR2cb5TfD7oNiYdvUwcm37nh2P2M=";
          };
      });
      dnspython = prev.dnspython.overrideAttrs (oA: {
        buildInputs = oA.buildInputs ++ [
          final.hatchling
        ];
      });
      sqlparse = prev.sqlparse.overrideAttrs (oA: {
        buildInputs = oA.buildInputs ++ [
          final.hatchling
        ];
      });
      scim2-filter-parser = prev.scim2-filter-parser.overrideAttrs (oA: {
        patches = [
          (pkgs.fetchpatch {
            name = "replace-poetry-with-poetry-core.patch";
            url = "https://patch-diff.githubusercontent.com/raw/15five/scim2-filter-parser/pull/43.patch";
            hash = "sha256-PjJH1S5CDe/BMI0+mB34KdpNNcHfexBFYBmHolsWH4o=";
          })
        ];
        nativeBuildInputs = oA.nativeBuildInputs ++ [
          final.poetry-core
        ];
      });
      # alias because lxml references cython_3 in nativeBuildInputs
      cython_3 = final.cython-3;
      #pyyaml = pkgs.python312.pkgs.pyyaml;
      pyyaml = prev.pyyaml.overrideAttrs (oA:
      let
        # checks if derivation is cython with major version 3
        isNotCython3 = drv:
          let
            drvInfo = builtins.parseDrvName drv.name;
            isCython = pkgs.lib.hasSuffix "-cython" drvInfo.name;
            isVersion3 = pkgs.lib.versions.major drvInfo.version == "3";
          in
          isCython -> !isVersion3;
        # removes cython3 derivation from list
        removeCython3 = builtins.filter isNotCython3;
      in
      {
        # pyyaml 6.0.1 doesn't build with cython3, see upstream nixpkgs
        nativeBuildInputs = (removeCython3 oA.nativeBuildInputs) ++ [
          pkgs.python312Packages.cython_0
          final.setuptools
        ];
        buildInputs = oA.buildInputs ++ [
          pkgs.libyaml
        ];
      });
    }
  )
 ]