From 6830ada44aafe3715760dc8d0d53fbf83dc3ab29 Mon Sep 17 00:00:00 2001
From: WilliButz
Date: Wed, 28 Jun 2023 16:39:23 +0200
Subject: [PATCH] refactor flake

* switched from flake-utils to flake-parts
* dropped the overlay and instead populate configurable options for all required authentik components in the module
* `nixosModule.default` is now a top-level output following the flake spec, instead of the previously incorrect system-specific definition
---
 TODO.md | 1 -
 flake.lock | 37 ++++++++++++++++++++++++++++++
 flake.nix | 67 ++++++++++++++++++++++++++++++------------------
 module.nix | 24 +++++++++++++------
 test.nix | 2 --
 5 files changed, 91 insertions(+), 40 deletions(-)

diff --git a/TODO.md b/TODO.md
index cef2fbe..769ebf3 100644
--- a/TODO.md
+++ b/TODO.md
@@ -2,6 +2,5 @@
 * fill empty parts of README
 * provide separate packages / modules for outposts
-* fix `flake check`
 * configure github checks
 * add some more subtests to VM test
diff --git a/flake.lock b/flake.lock
index 9dab84a..2ad14ed 100644
--- a/flake.lock
+++ b/flake.lock
@@ -17,6 +17,24 @@
 "type": "github"
 }
 },
+ "flake-parts": {
+ "inputs": {
+ "nixpkgs-lib": "nixpkgs-lib"
+ },
+ "locked": {
+ "lastModified": 1687762428,
+ "narHash": "sha256-DIf7mi45PKo+s8dOYF+UlXHzE0Wl/+k3tXUyAoAnoGE=",
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "rev": "37dd7bb15791c86d55c5121740a1887ab55ee836",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "type": "github"
+ }
+ },
 "flake-utils": {
 "locked": {
 "lastModified": 1676283394,
@@ -71,6 +89,24 @@
 "type": "github"
 }
 },
+ "nixpkgs-lib": {
+ "locked": {
+ "dir": "lib",
+ "lastModified": 1685564631,
+ "narHash": "sha256-8ywr3AkblY4++3lIVxmrWZFzac7+f32ZEhH/A8pNscI=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "4f53efe34b3a8877ac923b9350c874e3dcd5dc0a",
+ "type": "github"
+ },
+ "original": {
+ "dir": "lib",
+ "owner": "NixOS",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "poetry2nix": {
 "inputs": {
 "flake-utils": [
@@ -97,6 +133,7 @@
 "root": {
 "inputs": {
 "authentik-src": "authentik-src",
+ "flake-parts": "flake-parts",
 "flake-utils": "flake-utils",
 "napalm": "napalm",
 "nixpkgs": "nixpkgs",
diff --git a/flake.nix b/flake.nix
index 7970c6b..176cfad 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,6 +3,7 @@
 inputs = {
 flake-utils.url = "github:numtide/flake-utils";
+ flake-parts.url = "github:hercules-ci/flake-parts";
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05";
 poetry2nix = {
 url = "github:nix-community/poetry2nix";
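Review bot: The new `flake-parts` input is added without following this flake's `nixpkgs`, so the lock file now carries a second nixpkgs source tracking `nixos-unstable` (the `nixpkgs-lib` node added to flake.lock in this commit) next to the `nixos-23.05` pin every other input uses. The lock entry for `poetry2nix` appears to already override its `flake-utils` via an inputs follows, so the same pattern fits here: `flake-parts = { url = "github:hercules-ci/flake-parts"; inputs.nixpkgs-lib.follows = "nixpkgs"; };`. That leaves one upstream nixpkgs revision to audit and bump, and re-locking after the change drops the extra `nixpkgs-lib` node.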
@@ -24,35 +25,41 @@ }; }; - outputs = { - self, - nixpkgs, - flake-utils, - poetry2nix, - napalm, - authentik-src - }: - flake-utils.lib.eachDefaultSystem (system: - let - authentik-version = "2023.5.4"; # to pass to the drvs of some components - inherit (poetry2nix.legacyPackages.${system}) + outputs = inputs@{ + self, + nixpkgs, + flake-parts, + poetry2nix, + napalm, + authentik-src, + ... + }: + + flake-parts.lib.mkFlake + { inherit inputs; } + ({ inputs, lib, withSystem, ... }: + let + authentik-version = "2023.5.4"; # to pass to the drvs of some components + in rec { + systems = [ + "x86_64-linux" + "aarch64-linux" # not tested + ]; + flake = { + nixosModules.default = { pkgs, ... }: { + imports = [ ./module.nix ]; + services.authentik.authentikComponents = withSystem pkgs.stdenv.hostPlatform.system ( + { config, ... }: + { inherit (config.packages) celery staticWorkdirDeps migrate pythonEnv frontend gopkgs docs; } + ); + }; + }; + perSystem = { inputs', pkgs, system, ... }: let + inherit (inputs'.poetry2nix.legacyPackages) mkPoetryEnv defaultPoetryOverrides; - pkgs = nixpkgs.legacyPackages.${system}; - in - rec { - nixosModules = { - default = import ./module.nix; - }; - overlays = { - default = final: prev: { - authentik = { - inherit (packages) celery staticWorkdirDeps migrate pythonEnv frontend gopkgs docs; - }; - }; - }; + in { packages = rec { - inherit authentik-src; docs = napalm.legacyPackages.${system}.buildPackage "${authentik-src}/website" { version = authentik-version; # 0.0.0 specified upstream NODE_ENV = "production"; @@ -163,11 +170,10 @@ --prefix PYTHONPATH : ${staticWorkdirDeps} ''; }; - checks.default = (import ./test.nix { - inherit pkgs overlays nixosModules; + inherit pkgs; + inherit (self) nixosModules; }); - devShells.default = pkgs.mkShell { packages = [ # to generate a v2 lockfile from the v3 lockfile provided by upstream: @@ -175,5 +181,6 @@ pkgs.nodejs ]; }; - }); + }; + }); } 
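Review bot: `nixosModules.default` assigns `services.authentik.authentikComponents` at normal priority, so a consumer who wants to replace a single component (a patched `gopkgs`, say) hits a definition conflict with this module unless they use `mkForce`; `lib` is already bound by the enclosing `({ inputs, lib, withSystem, ... }:` function, so wrapping the value is enough: `services.authentik.authentikComponents = lib.mkDefault (withSystem pkgs.stdenv.hostPlatform.system (` with the matching `));` on the closing line. The `flake = {` block also deserves a comment stating that `withSystem` is keyed on the consumer's host platform, so on any system not listed in `systems` the module fails at evaluation rather than with a readable option error; `"aarch64-linux"` is marked `# not tested` while `checks.default` is now defined for it under `perSystem`, which may make a full `nix flake check` build the VM test for both systems. The `perSystem` body continues past the end of the hunk.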
diff --git a/module.nix b/module.nix index 117081b..0611a50 100644 --- a/module.nix +++ b/module.nix @@ -17,7 +17,7 @@ let mkEnableOption mkOption; - inherit (pkgs.authentik) + inherit (cfg.authentikComponents) migrate gopkgs celery @@ -29,6 +29,16 @@ in options.services.authentik = { enable = mkEnableOption "authentik"; + authentikComponents = { + celery = mkOption { type = types.package; }; + staticWorkdirDeps = mkOption { type = types.package; }; + migrate = mkOption { type = types.package; }; + pythonEnv = mkOption { type = types.package; }; + frontend = mkOption { type = types.package; }; + gopkgs = mkOption { type = types.package; }; + docs = mkOption { type = types.package; }; + }; + settings = mkOption { type = types.submodule { freeformType = settingsFormat.type; @@ -45,8 +55,8 @@ in config = mkIf cfg.enable { services = { authentik.settings = { - blueprints_dir = mkDefault "${pkgs.authentik.staticWorkdirDeps}/blueprints"; - template_dir = mkDefault "${pkgs.authentik.staticWorkdirDeps}/templates"; + blueprints_dir = mkDefault "${cfg.authentikComponents.staticWorkdirDeps}/blueprints"; + template_dir = mkDefault "${cfg.authentikComponents.staticWorkdirDeps}/templates"; postgresql = { user = mkDefault "authentik"; name = mkDefault "authentik"; @@ -84,7 +94,7 @@ in RemainAfterExit = true; DynamicUser = true; User = "authentik"; - ExecStart = "${pkgs.authentik.migrate}/bin/migrate.py"; + ExecStart = "${cfg.authentikComponents.migrate}/bin/migrate.py"; }; }; authentik-worker = { 
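Review bot: The seven `authentikComponents.*` options declared in the `@@ -29,6 +29,16 @@` hunk have no `description`, so `nixos-option` and generated module docs say nothing about what each package is used for or that the flake's `nixosModules.default` is expected to fill them in; each should get one, e.g. `celery = mkOption { type = types.package; description = "Celery package run by the authentik-worker service."; };`, with matching text for `gopkgs` (provides the `server` binary used as `ExecStart`), `migrate` (provides `migrate.py` for the migration service), `staticWorkdirDeps` (linked into `/var/lib/authentik` and used for `blueprints_dir`/`template_dir`), and `pythonEnv`, `frontend`, `docs`. Separately, the `@@ -17,7 +17,7 @@` hunk now inherits `migrate gopkgs celery` (the list continues outside the hunk) from `cfg.authentikComponents` into the `let` scope, yet the `@@ -45`, `@@ -84`, `@@ -97`, `@@ -109` and `@@ -123` hunks spell out `cfg.authentikComponents.migrate` and friends instead of the inherited names; either use the short form consistently, e.g. `ExecStart = "${migrate}/bin/migrate.py";`, or drop the `inherit`.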
@@ -97,7 +107,7 @@ in DynamicUser = true; User = "authentik"; # TODO maybe make this configurable - ExecStart = "${pkgs.authentik.celery}/bin/celery -A authentik.root.celery worker -Ofair --max-tasks-per-child=1 --autoscale 3,1 -E -B -s /tmp/celerybeat-schedule -Q authentik,authentik_scheduled,authentik_events"; + ExecStart = "${cfg.authentikComponents.celery}/bin/celery -A authentik.root.celery worker -Ofair --max-tasks-per-child=1 --autoscale 3,1 -E -B -s /tmp/celerybeat-schedule -Q authentik,authentik_scheduled,authentik_events"; }; }; authentik = { @@ -109,7 +119,7 @@ in ]; restartTriggers = [ config.environment.etc."authentik/config.yml".source ]; preStart = '' - ln -svf ${pkgs.authentik.staticWorkdirDeps}/* /var/lib/authentik/ + ln -svf ${cfg.authentikComponents.staticWorkdirDeps}/* /var/lib/authentik/ ''; serviceConfig = { Environment = [ @@ -123,7 +133,7 @@ in # TODO /run might be sufficient WorkingDirectory = "%S/authentik"; DynamicUser = true; - ExecStart = "${pkgs.authentik.gopkgs}/bin/server"; + ExecStart = "${cfg.authentikComponents.gopkgs}/bin/server"; }; }; }; diff --git a/test.nix b/test.nix index 900b14c..fb0fee4 100644 --- a/test.nix +++ b/test.nix @@ -1,5 +1,4 @@ { pkgs -, overlays , nixosModules }: let @@ -19,7 +18,6 @@ pkgs.nixosTest { "${pkgs.path}/nixos/tests/common/user-account.nix" "${pkgs.path}/nixos/tests/common/x11.nix" ]; - nixpkgs.overlays = [ overlays.default ]; services.authentik.enable = true;