diff --git a/components/docs.nix b/components/docs.nix index 37a699c..9740ee4 100644 --- a/components/docs.nix +++ b/components/docs.nix @@ -13,8 +13,10 @@ buildNapalmPackage "${authentik-src}/website" { "cp -v ${authentik-src}/SECURITY.md ../SECURITY.md" "cp -vr ${authentik-src}/blueprints ../blueprints" "cp -v ${authentik-src}/schema.yml ../schema.yml" - "npm install --include=dev" - "npm run build-bundled" + "cp -v ${authentik-src}/docker-compose.yml ../docker-compose.yml" + "npm config set loglevel verbose" + "npm ci --workspaces --include-workspace-root --no-audit" + "npm run build" ]; installPhase = '' rm -f ../website/static/blueprints diff --git a/components/frontend.nix b/components/frontend.nix index 91b40d6..a2f08c4 100644 --- a/components/frontend.nix +++ b/components/frontend.nix @@ -17,8 +17,9 @@ buildNapalmPackage "${authentik-src}/web" rec { # from release build dependencies, therefore this workaround CHROMEDRIVER_SKIP_DOWNLOAD = "true"; npmCommands = [ - "npm install --include=dev --nodedir=${nodejs}/include/node --loglevel verbose" + "npm install --include=dev --nodedir=${nodejs}/include/node --loglevel verbose --ignore-scripts" "npm run build" + "npm run build:sfe" ]; installPhase = '' mkdir $out diff --git a/components/gopkgs.nix b/components/gopkgs.nix index bf1ccdc..7e520db 100644 --- a/components/gopkgs.nix +++ b/components/gopkgs.nix @@ -42,7 +42,7 @@ buildGo124Module { "cmd/proxy" "cmd/radius" ]; - vendorHash = "sha256-7oX7e7Ni5I6zblEQIeXjYOt4+QNSjH4Rpn7B5Cr5LMc="; + vendorHash = "sha256-wTTEDBRYCW1UFaeX49ufLT0c17sacJzcCaW/8cPNYR4="; nativeBuildInputs = [ makeWrapper ]; doCheck = false; postInstall = '' diff --git a/flake.lock b/flake.lock index cc788f0..c84eca6 100644 --- a/flake.lock +++ b/flake.lock @@ -3,16 +3,16 @@ "authentik-src": { "flake": false, "locked": { - "lastModified": 1753187012, - "narHash": "sha256-bs/ThY3YixwBObahcS7BrOWj0gsaUXI664ldUQlJul8=", + "lastModified": 1755873658, + "narHash": "sha256-5l1g55b0xozGg0NaZFimiO5JbHGcudaNSEn1/XsweaU=", "owner": "goauthentik", "repo": "authentik", - "rev": "23ffad1c6be80bea223caf5f1cf265b984b76328", + "rev": "dd7c6b29d950664deadbcf5390272619a8bf9a5e", "type": "github" }, "original": { "owner": "goauthentik", - "ref": "version/2025.6.4", + "ref": "version/2025.8.1", "repo": "authentik", "type": "github" } @@ -38,11 +38,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1749398372, - "narHash": "sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=", + "lastModified": 1754487366, + "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569", + "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18", "type": "github" }, "original": { @@ -97,11 +97,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1750776420, - "narHash": "sha256-/CG+w0o0oJ5itVklOoLbdn2dGB0wbZVOoDm4np6w09A=", + "lastModified": 1756386758, + "narHash": "sha256-1wxxznpW2CKvI9VdniaUnTT2Os6rdRJcRUf65ZK9OtE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "30a61f056ac492e3b7cdcb69c1e6abdcf00e39cf", + "rev": "dfb2f12e899db4876308eba6d93455ab7da304cd", "type": "github" }, "original": { @@ -113,11 +113,11 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1748740939, - "narHash": "sha256-rQaysilft1aVMwF14xIdGS3sj1yHlI6oKQNBRTF40cc=", + "lastModified": 1753579242, + "narHash": "sha256-zvaMGVn14/Zz8hnp4VWT9xVnhc8vuL3TStRqwk22biA=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "656a64127e9d791a334452c6b6606d17539476e2", + "rev": "0f36c44e01a6129be94e3ade315a5883f0228a6e", "type": "github" }, "original": { @@ -139,11 +139,11 @@ ] }, "locked": { - "lastModified": 1749519371, - "narHash": "sha256-UJONN7mA2stweZCoRcry2aa1XTTBL0AfUOY84Lmqhos=", + "lastModified": 1756087852, + "narHash": "sha256-4jc3JDQt75fYXFrglgqyzF6C6zLU0QGLymzian4aP+U=", "owner": "pyproject-nix", "repo": "build-system-pkgs", - "rev": "7c06967eca687f3482624250428cc12f43c92523", + "rev": "6edb3ae27395cd88be3d64b732d1539957dad59c", "type": "github" }, "original": { @@ -159,11 +159,11 @@ ] }, "locked": { - "lastModified": 1750499893, - "narHash": "sha256-ThKBd8XSvITAh2JqU7enOp8AfKeQgf9u7zYC41cnBE4=", + "lastModified": 1756395552, + "narHash": "sha256-5aJM14MpoLk2cdZAetu60OkLQrtFLWTICAyn1EP7ZpM=", "owner": "pyproject-nix", "repo": "pyproject.nix", - "rev": "e824458bd917b44bf4c38795dea2650336b2f55d", + "rev": "030dffc235dcf240d918c651c78dc5f158067b51", "type": "github" }, "original": { @@ -211,11 +211,11 @@ ] }, "locked": { - "lastModified": 1750987094, - "narHash": "sha256-GujDElxLgYatnNvuL1U6qd18lcuG6anJMjpfYRScV08=", + "lastModified": 1756466761, + "narHash": "sha256-ALXRHIMXQ4qVNfCbcWykC23MjMwUoHn9BreoBfqmq0Y=", "owner": "pyproject-nix", "repo": "uv2nix", - "rev": "4b703d851b61e664a70238711a8ff0efa1aa2f52", + "rev": "0529e6d8227517205afcd1b37eee3088db745730", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 5e2112b..968f938 100644 --- a/flake.nix +++ b/flake.nix @@ -42,7 +42,7 @@ }; authentik-src = { # change version string in outputs as well when updating - url = "github:goauthentik/authentik/version/2025.6.4"; + url = "github:goauthentik/authentik/version/2025.8.1"; flake = false; }; }; @@ -67,7 +67,7 @@ ... }: let - authentik-version = "2025.6.4"; # to pass to the drvs of some components + authentik-version = "2025.8.1"; # to pass to the drvs of some components in { systems = import inputs.systems; diff --git a/module.nix b/module.nix index 39f735c..29cf3ac 100644 --- a/module.nix +++ b/module.nix @@ -185,10 +185,14 @@ in tz = "UTC"; # Passed to each service and to the `ak` wrapper using `systemd-run(1)` + environment.PROMETHEUS_MULTIPROC_DIR = "%S/authentik/prometheus"; serviceDefaults = { DynamicUser = true; User = "authentik"; EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ]; + ExecStartPre = [ + "${pkgs.coreutils}/bin/mkdir -p \${PROMETHEUS_MULTIPROC_DIR}" + ]; }; akOptions = flatten ( mapAttrsToList @@ -261,7 +265,7 @@ in after = [ "network-online.target" ] ++ lib.optionals cfg.createDatabase [ "postgresql.service" ]; before = [ "authentik.service" ]; restartTriggers = [ config.environment.etc."authentik/config.yml".source ]; - environment.TZ = tz; + environment = mkMerge [ environment { TZ = tz; } ]; serviceConfig = mkMerge [ serviceDefaults { @@ -289,13 +293,13 @@ in preStart = '' ln -svf ${config.services.authentik.authentikComponents.staticWorkdirDeps}/* /run/authentik/ ''; - environment.TZ = tz; + environment = mkMerge [ environment { TZ = tz; } ]; serviceConfig = mkMerge [ serviceDefaults { RuntimeDirectory = "authentik"; WorkingDirectory = "%t/authentik"; - ExecStart = "${cfg.authentikComponents.manage}/bin/manage.py worker"; + ExecStart = "${cfg.authentikComponents.manage}/bin/manage.py worker --pid-file %t/authentik/worker.pid"; Restart = "on-failure"; RestartSec = "1s"; LoadCredential = mkIf (cfg.nginx.enable && cfg.nginx.enableACME) [ @@ -321,7 +325,7 @@ in mkdir -p ${cfg.settings.storage.media.file.path} ''} ''; - environment.TZ = tz; + environment = mkMerge [ environment { TZ = tz; } ]; serviceConfig = mkMerge [ serviceDefaults {