diff --git a/components/default.nix b/components/default.nix
deleted file mode 100644
index 3157faa..0000000
--- a/components/default.nix
+++ /dev/null
@@ -1,45 +0,0 @@
-{
- authentik-src,
- authentik-version,
- authentikPoetryOverrides,
- buildNapalmPackage,
- defaultPoetryOverrides,
- mkPoetryEnv,
- pkgs,
-}:
-
-pkgs.lib.makeScope pkgs.newScope (
- final:
- let
- docs = final.callPackage ./docs.nix { };
- frontend = final.callPackage ./frontend.nix { };
- pythonEnv = final.callPackage ./pythonEnv.nix { };
- # server + outposts
- gopkgs = final.callPackage ./gopkgs.nix { };
- staticWorkdirDeps = final.callPackage ./staticWorkdirDeps.nix { };
- migrate = final.callPackage ./migrate.nix { };
- # worker
- manage = final.callPackage ./manage.nix { };
- in
- {
- authentikComponents = {
- inherit
- docs
- frontend
- pythonEnv
- gopkgs
- staticWorkdirDeps
- migrate
- manage
- ;
- };
- inherit
- authentik-src
- authentik-version
- buildNapalmPackage
- mkPoetryEnv
- defaultPoetryOverrides
- authentikPoetryOverrides
- ;
- }
-)
diff --git a/components/docs.nix b/components/docs.nix
index 521f2d5..74257b9 100644
--- a/components/docs.nix
+++ b/components/docs.nix
@@ -17,7 +17,6 @@ buildNapalmPackage "${authentik-src}/website" {
 "npm run build-bundled"
 ];
 installPhase = ''
- rm -r ../website/node_modules/.cache
 rm -f ../website/static/blueprints
 mv -v ../website $out
 cp -vr ../blueprints $out/static/blueprints
diff --git a/components/gopkgs.nix b/components/gopkgs.nix
index 7230568..58feab4 100644
--- a/components/gopkgs.nix
+++ b/components/gopkgs.nix
@@ -2,12 +2,12 @@
 authentik-src,
 authentik-version,
 authentikComponents,
- buildGo123Module,
+ buildGo124Module,
 lib,
 makeWrapper,
 }:
 
-buildGo123Module {
+buildGo124Module {
 pname = "authentik-gopkgs";
 version = authentik-version;
 prePatch = ''
@@ -42,7 +42,7 @@ buildGo123Module {
 "cmd/proxy"
 "cmd/radius"
 ];
- vendorHash = "sha256-aG/VqpmHJeGyF98aS0jgwEAq1R5c8VggeJxLWS9W8HY=";
+ vendorHash = "sha256-cEB22KFDONcJBq/FvLpYKN7Zd06mh8SACvCSuj5i4fI=";
 nativeBuildInputs = [ makeWrapper ];
 doCheck = false;
 postInstall = ''
diff --git a/components/python-overrides.nix b/components/python-overrides.nix
new file mode 100644
index 0000000..00d5994
--- /dev/null
+++ b/components/python-overrides.nix
@@ -0,0 +1,68 @@
+{
+ lib,
+ krb5,
+ libpq,
+}:
+
+let
+ # Specify build system for dependencies where metadata is incomplete.
+ buildSystemOverrides =
+ final: prev:
+ let
+ buildSystemOverrides = {
+ gssapi = {
+ setuptools = [ ];
+ cython = [ ];
+ };
+ django-tenants.setuptools = [ ];
+ opencontainers.setuptools = [ ];
+ djangorestframework.setuptools = [ ];
+ psycopg-c = {
+ setuptools = [ ];
+ cython = [ ];
+ };
+ };
+ inherit (final) resolveBuildSystem;
+ in
+ lib.mapAttrs (
+ name: spec:
+ prev.${name}.overrideAttrs (old: {
+ nativeBuildInputs = old.nativeBuildInputs ++ resolveBuildSystem spec;
+ })
+ ) buildSystemOverrides;
+
+ # Fixes for dependencies with C libraries.
+ buildFixes = final: prev: {
+ gssapi = prev.gssapi.overrideAttrs (
+ {
+ buildInputs ? [ ],
+ ...
+ }:
+ {
+ postPatch = ''
+ substituteInPlace setup.py \
+ --replace-fail 'get_output(f"{kc} gssapi --prefix")' '"${krb5.dev}"'
+ '';
+ buildInputs = buildInputs ++ [
+ krb5
+ ];
+ }
+ );
+ psycopg-c = prev.psycopg-c.overrideAttrs (
+ {
+ nativeBuildInputs ? [ ],
+ buildInputs ? [ ],
+ ...
+ }:
+ {
+ buildInputs = buildInputs ++ [
+ libpq
+ ];
+ nativeBuildInputs = nativeBuildInputs ++ [
+ libpq.pg_config
+ ];
+ }
+ );
+ };
+in
+lib.composeExtensions buildSystemOverrides buildFixes
diff --git a/components/pythonEnv.nix b/components/pythonEnv.nix
index 76b830e..432d555 100644
--- a/components/pythonEnv.nix
+++ b/components/pythonEnv.nix
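Review bot: The `let buildSystemOverrides = { … }` inside the overlay that is itself named `buildSystemOverrides` shadows the outer binding, so the trailing `) buildSystemOverrides;` refers to the inner attrset and a reader has to work out which one is meant; renaming the inner set, e.g. `specs = { … };` and `) specs;`, removes the ambiguity. The gssapi fix in `buildFixes` runs `substituteInPlace setup.py --replace-fail …`, which presupposes a source build; since pythonEnv.nix selects `sourcePreference = "wheel"`, this presumably only works because gssapi resolves to an sdist, and a comment above `postPatch` such as `# assumes gssapi is built from its sdist (no wheel), otherwise setup.py is absent — confirm` would record that assumption. The removed poetry2nix overlay also set `pythonImportsCheck = [ "gssapi" ]`, which is not carried over here; whether the pyproject-nix builders honour that attribute I cannot tell from the diff.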
@@ -1,25 +1,30 @@
 {
- authentik-src,
- authentikPoetryOverrides,
- defaultPoetryOverrides,
 lib,
- mkPoetryEnv,
- python312,
+ callPackage,
+ authentik-src,
+ uv2nix,
+ pythonOverlay,
+ python,
+ pyproject-nix,
+ pyproject-build-systems,
 }:
 
-mkPoetryEnv {
- projectDir = authentik-src;
- python = python312;
- overrides = [
- defaultPoetryOverrides
- ] ++ authentikPoetryOverrides;
- groups = [ "main" ];
- checkGroups = [ ];
- # workaround to remove dev-dependencies for the current combination of legacy
- # used by authentik and poetry2nix's behavior
- pyproject = builtins.toFile "patched-pyproject.toml" (
- lib.replaceStrings [ "tool.poetry.dev-dependencies" ] [ "tool.poetry.group.dev.dependencies" ] (
- builtins.readFile "${authentik-src}/pyproject.toml"
- )
- );
-}
+let
+ workspace = uv2nix.lib.workspace.loadWorkspace { workspaceRoot = authentik-src; };
+ projectOverlay = workspace.mkPyprojectOverlay {
+ sourcePreference = "wheel";
+ };
+
+ pythonSet =
+ (callPackage pyproject-nix.build.packages {
+ inherit python;
+ }).overrideScope
+ (
+ lib.composeManyExtensions [
+ pyproject-build-systems.overlays.default
+ projectOverlay
+ pythonOverlay
+ ]
+ );
+in
+pythonSet.mkVirtualEnv "authentik-env" (workspace.deps.default)
diff --git a/flake.lock b/flake.lock
index 3ac2303..f72725e 100644
--- a/flake.lock
+++ b/flake.lock
@@ -3,16 +3,16 @@
 "authentik-src": {
 "flake": false,
 "locked": {
- "lastModified": 1744135136,
- "narHash": "sha256-7wvoCRhLipX4qzrb/ctsozG565yckx+moxiF6vRo84I=",
+ "lastModified": 1745954192,
+ "narHash": "sha256-QuIgeu3CN6S44/zSiaj+iIkDz2494mb1MWvD3eYYkVE=",
 "owner": "goauthentik",
 "repo": "authentik",
- "rev": "74eab55c615b156e4191ee98dc789e2d58c016f9",
+ "rev": "22412729e2379d645da2ac0c0270a0ac6147945e",
 "type": "github"
 },
 "original": {
 "owner": "goauthentik",
- "ref": "version/2025.2.4",
+ "ref": "version/2025.4.0",
 "repo": "authentik",
 "type": "github"
 }
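Review bot: `sourcePreference = "wheel";` changes where the native code in this environment comes from and deserves a comment: the removed poetry2nix overlay compiled the Rust and C extensions (cryptography, bcrypt, orjson, rpds-py, watchfiles, pendulum, python-kadmin-rs, psycopg-c) from source with pinned cargo vendor hashes, whereas with wheel preference any package that publishes a matching wheel is presumably consumed as a prebuilt binary, checked only against the hashes recorded in authentik's uv lock file. A line such as `# prefer prebuilt wheels from the lock; only sdist-only packages (see python-overrides.nix) are compiled here` would make that trade-off explicit for whoever audits the supply chain later. The parentheses in `pythonSet.mkVirtualEnv "authentik-env" (workspace.deps.default)` are redundant, since `workspace.deps.default` is a plain attribute path.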
@@ -95,27 +95,6 @@ "type": "github" } }, - "nix-github-actions": { - "inputs": { - "nixpkgs": [ - "poetry2nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1729742964, - "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", - "owner": "nix-community", - "repo": "nix-github-actions", - "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-github-actions", - "type": "github" - } - }, "nixpkgs": { "locked": { "lastModified": 1745391562, @@ -147,31 +126,49 @@ "type": "github" } }, - "poetry2nix": { + "pyproject-build-systems": { "inputs": { - "flake-utils": [ - "flake-utils" - ], - "nix-github-actions": "nix-github-actions", "nixpkgs": [ "nixpkgs" ], - "systems": [ - "systems" + "pyproject-nix": [ + "pyproject-nix" ], - "treefmt-nix": "treefmt-nix" + "uv2nix": [ + "uv2nix" + ] }, "locked": { - "lastModified": 1743690424, - "narHash": "sha256-cX98bUuKuihOaRp8dNV1Mq7u6/CQZWTPth2IJPATBXc=", - "owner": "nix-community", - "repo": "poetry2nix", - "rev": "ce2369db77f45688172384bbeb962bc6c2ea6f94", + "lastModified": 1744599653, + "narHash": "sha256-nysSwVVjG4hKoOjhjvE6U5lIKA8sEr1d1QzEfZsannU=", + "owner": "pyproject-nix", + "repo": "build-system-pkgs", + "rev": "7dba6dbc73120e15b558754c26024f6c93015dd7", "type": "github" }, "original": { - "owner": "nix-community", - "repo": "poetry2nix", + "owner": "pyproject-nix", + "repo": "build-system-pkgs", + "type": "github" + } + }, + "pyproject-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1745782090, + "narHash": "sha256-c/mqxgOVDcwrdcY3FqG22MwLPGY5rCz5gte1sxISKnM=", + "owner": "pyproject-nix", + "repo": "pyproject.nix", + "rev": "2db2d95ddbc4ff5e29730cb82fdba6647be258a7", + "type": "github" + }, + "original": { + "owner": "pyproject-nix", + "repo": "pyproject.nix", "type": "github" } }, 
@@ -183,8 +180,10 @@ "flake-utils": "flake-utils", "napalm": "napalm", "nixpkgs": "nixpkgs", - "poetry2nix": "poetry2nix", - "systems": "systems" + "pyproject-build-systems": "pyproject-build-systems", + "pyproject-nix": "pyproject-nix", + "systems": "systems", + "uv2nix": "uv2nix" } }, "systems": { @@ -202,24 +201,26 @@ "type": "github" } }, - "treefmt-nix": { + "uv2nix": { "inputs": { "nixpkgs": [ - "poetry2nix", "nixpkgs" + ], + "pyproject-nix": [ + "pyproject-nix" ] }, "locked": { - "lastModified": 1730120726, - "narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "9ef337e492a5555d8e17a51c911ff1f02635be15", + "lastModified": 1746016711, + "narHash": "sha256-vt/UBCdZGvT9oNH5IqHc91KExbwA5pBh9fCTw8lZqqc=", + "owner": "pyproject-nix", + "repo": "uv2nix", + "rev": "6d19baf0fcc7a013ae9c1c188bbf7cfe37b566e0", "type": "github" }, "original": { - "owner": "numtide", - "repo": "treefmt-nix", + "owner": "pyproject-nix", + "repo": "uv2nix", "type": "github" } } diff --git a/flake.nix b/flake.nix index 9bbbc14..c8e651c 100644 --- a/flake.nix +++ b/flake.nix @@ -13,16 +13,26 @@ flake = false; }; + pyproject-nix = { + url = "github:pyproject-nix/pyproject.nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + uv2nix = { + url = "github:pyproject-nix/uv2nix"; + inputs.pyproject-nix.follows = "pyproject-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + pyproject-build-systems = { + url = "github:pyproject-nix/build-system-pkgs"; + inputs.pyproject-nix.follows = "pyproject-nix"; + inputs.uv2nix.follows = "uv2nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; - poetry2nix = { - url = "github:nix-community/poetry2nix"; - inputs = { - nixpkgs.follows = "nixpkgs"; - flake-utils.follows = "flake-utils"; - systems.follows = "systems"; - }; - }; napalm = { url = "github:willibutz/napalm/avoid-foldl-stack-overflow"; inputs = { 
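Review bot: `flake-utils` may now be an unused input: its only visible consumer was the `flake-utils.follows` on the removed `poetry2nix` block, yet flake.lock above still lists it as a root input. If nothing in `outputs` reads it, dropping it from `inputs` keeps the lock from tracking a dependency nobody uses; if it is still used, a short comment on the input would save the next reader the search. The `napalm` block and the enclosing `inputs` set continue outside the hunk.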
@@ -32,7 +42,7 @@
 };
 authentik-src = {
 # change version string in outputs as well when updating
- url = "github:goauthentik/authentik/version/2025.2.4";
+ url = "github:goauthentik/authentik/version/2025.4.0";
 flake = false;
 };
 };
@@ -40,11 +50,12 @@
 outputs =
 inputs@{
 self,
- nixpkgs,
 flake-parts,
- poetry2nix,
 napalm,
 authentik-src,
+ uv2nix,
+ pyproject-build-systems,
+ pyproject-nix,
 ...
 }:
 
@@ -56,7 +67,7 @@
 ...
 }:
 let
- authentik-version = "2025.2.4"; # to pass to the drvs of some components
+ authentik-version = "2025.4.0"; # to pass to the drvs of some components
 in
 {
 systems = import inputs.systems;
@@ -98,23 +109,36 @@
 {
 pkgs,
 system ? pkgs.stdenv.hostPlatform.system,
+ python ? pkgs.python312,
 authentik-version ? authentik-version',
- mkPoetryEnv ? (import inputs.poetry2nix { inherit pkgs; }).mkPoetryEnv,
- defaultPoetryOverrides ? (import inputs.poetry2nix { inherit pkgs; }).defaultPoetryOverrides,
- authentikPoetryOverrides ? import ./poetry2nix-python-overrides.nix pkgs,
 buildNapalmPackage ? napalm.legacyPackages.${system}.buildPackage,
 }:
- import ./components {
+ pkgs.lib.makeScope pkgs.newScope (final: {
+ authentikComponents = {
+ docs = final.callPackage ./components/docs.nix { };
+ frontend = final.callPackage ./components/frontend.nix { };
+ pythonEnv = final.callPackage ./components/pythonEnv.nix { };
+ # server + outposts
+ gopkgs = final.callPackage ./components/gopkgs.nix { };
+ staticWorkdirDeps = final.callPackage ./components/staticWorkdirDeps.nix { };
+ migrate = final.callPackage ./components/migrate.nix { };
+ # worker
+ manage = final.callPackage ./components/manage.nix { };
+ };
+
+ # for uv2nix
+ pythonOverlay = final.callPackage ./components/python-overrides.nix { };
+
 inherit
- pkgs
 authentik-src
 authentik-version
- mkPoetryEnv
- defaultPoetryOverrides
- authentikPoetryOverrides
 buildNapalmPackage
+ uv2nix
+ pyproject-build-systems
+ pyproject-nix
+ python
 ;
+ });
 };
 
 perSystem = {
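Review bot: Dropping `mkPoetryEnv`, `defaultPoetryOverrides` and `authentikPoetryOverrides` from the argument set of the function in the last hunk is a breaking change for its callers: `authentikPoetryOverrides` was the way to extend the Python package set, passing it now fails with an unexpected-argument error, and its replacement `pythonOverlay` is a fixed scope attribute rather than a parameter. Because the result is a `makeScope`, the extension point still exists through `overrideScope`, and the `# for uv2nix` comment could say so, e.g. `# python package overlay for uv2nix; extend with .overrideScope (f: p: { pythonOverlay = pkgs.lib.composeExtensions p.pythonOverlay myOverlay; })`. The new `python ? pkgs.python312` default would also benefit from a one-line note on why 3.12 is the baseline, presumably the interpreter the pinned authentik source expects. The attribute set this function lives in continues outside the hunk.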
diff --git a/poetry2nix-python-overrides.nix b/poetry2nix-python-overrides.nix deleted file mode 100644 index 3318033..0000000 --- a/poetry2nix-python-overrides.nix +++ /dev/null 
@@ -1,227 +0,0 @@ -pkgs: [ - # modules missing only setuptools - ( - final: prev: - (builtins.listToAttrs ( - map - (name: { - inherit name; - value = prev.${name}.overrideAttrs (oA: { - nativeBuildInputs = (oA.nativeBuildInputs or [ ]) ++ [ final.setuptools ]; - }); - }) - [ - "django-cte" - "django-tenants" - "dumb-init" - "drf-orjson-renderer" - ] - )) - ) - (final: prev: { - xmlsec = prev.xmlsec.overridePythonAttrs (oA: { - nativeBuildInputs = oA.nativeBuildInputs ++ [ - final.setuptools - final.pkgconfig - ]; - buildInputs = [ - pkgs.xmlsec.dev - pkgs.xmlsec - pkgs.libxml2 - pkgs.libtool - ]; - env.NIX_CFLAGS_COMPILE = "-Wno-error=incompatible-pointer-types"; - }); - opencontainers = prev.opencontainers.overrideAttrs (oA: { - nativeBuildInputs = oA.nativeBuildInputs ++ [ - final.setuptools - final.pytest - ]; - postPatch = '' - substituteInPlace setup.py --replace-fail '"pytest-runner"' ''' - ''; - }); - psycopg-c = prev.psycopg-c.overrideAttrs (oA: { - nativeBuildInputs = oA.nativeBuildInputs ++ [ - final.setuptools - final.tomli - pkgs.libpq.pg_config - ]; - buildInputs = oA.buildInputs ++ [ - pkgs.libpq - ]; - }); - twisted = prev.twisted.overrideAttrs (oA: { - buildInputs = oA.buildInputs ++ [ - final.hatchling - final.hatch-fancy-pypi-readme - ]; - }); - cryptography = prev.cryptography.overridePythonAttrs (oA: { - cargoDeps = pkgs.rustPlatform.fetchCargoVendor { - src = oA.src; - sourceRoot = "${oA.pname}-${oA.version}"; - name = "${oA.pname}-${oA.version}"; - hash = "sha256-hjfSjmwd/mylVZKyXsj/pP2KvAGDpfthuT+w219HAiA="; - }; - }); - bcrypt = prev.bcrypt.overridePythonAttrs (oA: { - cargoDeps = pkgs.rustPlatform.fetchCargoVendor { - inherit (oA) src; - sourceRoot = "${oA.pname}-${oA.version}/src/_bcrypt"; - name = "${oA.pname}-${oA.version}"; - hash = "sha256-TD1Qacr2BS3CutGzDcUSweTrlMuKy0U/eIS/oBLxTlI="; - }; - }); - orjson = prev.orjson.overridePythonAttrs (oA: { - cargoDeps = pkgs.rustPlatform.fetchCargoVendor { - inherit (oA) src; - name = 
"${oA.pname}-${oA.version}"; - hash = "sha256-FONzOuF+FU4gKesnqyVOwy0Z9abIF2kv/GHM+pwaCJs="; - }; - }); - dnspython = prev.dnspython.overrideAttrs (oA: { - buildInputs = oA.buildInputs ++ [ - final.hatchling - ]; - }); - sqlparse = prev.sqlparse.overrideAttrs (oA: { - nativeBuildInputs = oA.nativeBuildInputs ++ [ - final.hatchling - ]; - }); - scim2-filter-parser = prev.scim2-filter-parser.overrideAttrs (oA: { - patches = [ - (pkgs.fetchpatch { - name = "replace-poetry-with-poetry-core.patch"; - url = "https://patch-diff.githubusercontent.com/raw/15five/scim2-filter-parser/pull/43.patch"; - hash = "sha256-PjJH1S5CDe/BMI0+mB34KdpNNcHfexBFYBmHolsWH4o="; - }) - ]; - nativeBuildInputs = oA.nativeBuildInputs ++ [ - final.poetry-core - ]; - }); - pendulum = prev.pendulum.overrideAttrs (oA: { - nativeBuildInputs = oA.nativeBuildInputs ++ [ - pkgs.rustPlatform.cargoSetupHook - pkgs.rustPlatform.maturinBuildHook - ]; - cargoRoot = "rust"; - cargoDeps = pkgs.rustPlatform.fetchCargoVendor { - src = oA.src; - sourceRoot = "${oA.pname}-${oA.version}/rust"; - name = "${oA.pname}-${oA.version}"; - hash = "sha256-6WgGIfz9I+xRJqXWhjfGDZM1umYwVlUEpLAiecZNZmI="; - }; - }); - django-pgactivity = prev.django-pgactivity.overrideAttrs (oA: { - nativeBuildInputs = oA.nativeBuildInputs ++ [ - final.poetry-core - ]; - }); - docker = prev.docker.overrideAttrs (oA: { - nativeBuildInputs = oA.nativeBuildInputs ++ [ - prev.hatchling - prev.hatch-vcs - ]; - }); - django-pglock = prev.django-pglock.overrideAttrs (oA: { - nativeBuildInputs = oA.nativeBuildInputs ++ [ - final.poetry-core - ]; - }); - # https://github.com/pyradius/pyrad/pull/168/files - # not included in the latest release :/ - pyrad = prev.pyrad.overrideAttrs (oA: { - postPatch = '' - substituteInPlace pyproject.toml \ - --replace-fail "poetry.masonry.api" "poetry.core.masonry.api" \ - --replace-fail "repository =" "Repository =" - ''; - }); - msgraph-sdk = prev.msgraph-sdk.overrideAttrs (oA: { - nativeBuildInputs = 
oA.nativeBuildInputs ++ [ - final.flit-core - ]; - }); - python-kadmin-rs = prev.python-kadmin-rs.overrideAttrs (oA: { - pythonImportsCheck = [ "kadmin" ]; - nativeBuildInputs = oA.nativeBuildInputs ++ [ - final.setuptools - final.setuptools-rust - final.setuptools-scm - pkgs.cargo - pkgs.libkrb5 - pkgs.pkg-config - pkgs.rustPlatform.bindgenHook - pkgs.rustPlatform.cargoSetupHook - pkgs.rustc - pkgs.sccache - ]; - buildInputs = oA.buildInputs ++ [ - pkgs.krb5 - ]; - cargoDeps = pkgs.rustPlatform.fetchCargoVendor { - inherit (oA) pname version src; - hash = "sha256-9LCtsX3fuRXCHu5Gd+7OB5JQZ0h6KjSOSan83KUivLQ="; - }; - }); - gssapi = prev.gssapi.overrideAttrs (oA: { - nativeBuildInputs = oA.nativeBuildInputs ++ [ - final.setuptools - final.cython - pkgs.krb5 - ]; - postPatch = '' - substituteInPlace setup.py \ - --replace-fail 'get_output(f"{kc} gssapi --prefix")' '"${pkgs.krb5.dev}"' - ''; - pythonImportsCheck = [ "gssapi" ]; - }); - # break dependency cycle that causes an infinite recursion - ua-parser-builtins = prev.ua-parser-builtins.overridePythonAttrs (oA: { - propagatedBuildInputs = builtins.filter (p: p.pname != "ua-parser") oA.propagatedBuildInputs; - }); - rpds-py = prev.rpds-py.overridePythonAttrs (oA: { - cargoDeps = pkgs.rustPlatform.fetchCargoVendor { - inherit (oA) src pname version; - hash = "sha256-vfx0ZbIgH5UvL1JMYeJIToY35w2axiHngBt5FJUih7c="; - }; - }); - watchfiles = prev.watchfiles.overridePythonAttrs (oA: { - cargoDeps = pkgs.rustPlatform.fetchCargoVendor { - inherit (oA) src pname version; - hash = "sha256-EuH6svw8eOEpLJYLx+4RFUTTClqfPN07Vc0cjlWoCXw="; - }; - }); - microsoft-kiota-abstractions = prev.microsoft-kiota-abstractions.overridePythonAttrs (oA: { - nativeBuildInputs = oA.nativeBuildInputs ++ [ final.poetry-core ]; - pythonImportsCheck = [ "kiota_abstractions" ]; - }); - microsoft-kiota-serialization-form = prev.microsoft-kiota-serialization-form.overridePythonAttrs (oA: { - nativeBuildInputs = oA.nativeBuildInputs ++ [ 
final.poetry-core ]; - pythonImportsCheck = [ "kiota_serialization_form" ]; - }); - microsoft-kiota-serialization-text = prev.microsoft-kiota-serialization-text.overridePythonAttrs (oA: { - nativeBuildInputs = oA.nativeBuildInputs ++ [ final.poetry-core ]; - pythonImportsCheck = [ "kiota_serialization_text" ]; - }); - microsoft-kiota-serialization-json = prev.microsoft-kiota-serialization-json.overridePythonAttrs (oA: { - nativeBuildInputs = oA.nativeBuildInputs ++ [ final.poetry-core ]; - pythonImportsCheck = [ "kiota_serialization_json" ]; - }); - microsoft-kiota-serialization-multipart = prev.microsoft-kiota-serialization-multipart.overridePythonAttrs (oA: { - nativeBuildInputs = oA.nativeBuildInputs ++ [ final.poetry-core ]; - pythonImportsCheck = [ "kiota_serialization_multipart" ]; - }); - microsoft-kiota-http = prev.microsoft-kiota-http.overridePythonAttrs (oA: { - nativeBuildInputs = oA.nativeBuildInputs ++ [ final.poetry-core ]; - pythonImportsCheck = [ "kiota_http" ]; - }); - microsoft-kiota-authentication-azure = prev.microsoft-kiota-authentication-azure.overridePythonAttrs (oA: { - nativeBuildInputs = oA.nativeBuildInputs ++ [ final.poetry-core ]; - pythonImportsCheck = [ "kiota_authentication_azure" ]; - }); - }) -]